Linux Netfilter discussions
From: RUMI Szabolcs <rumi_ml@rtfm.hu>
To: netfilter@vger.kernel.org
Cc: Marco Berizzi <pupilla@hotmail.com>
Subject: Re: MASQUERADE/SNAT before IPsec
Date: Sun, 3 Feb 2008 01:10:09 +0100	[thread overview]
Message-ID: <20080203011009.14cf09ea.rumi_ml@rtfm.hu> (raw)
In-Reply-To: <BAY103-DAV9E97CD56D54A10E4D90C4B2310@phx.gbl>


On Sat, 2 Feb 2008 22:42:57 +0100
"Marco Berizzi" <pupilla@hotmail.com> wrote:

> RUMI Szabolcs wrote:
> 
> > Hello!
> > 
> > I'm trying to achieve the following:
> > 
> > I would like to connect a LAN behind a NAT gateway to an IPsec VPN.
> > The IPsec VPN is connected to via IPsec tunnel mode by the NAT
> > gateway, which gets a single dynamic IP address valid on the
> > VPN, and this is what the LAN machines have to be MASQUERADEd to.
> > 
> > On the NAT gateway a WAN address is assigned to eth0 and the
> > dynamic IPsec VPN address is assigned to eth0:0. I can ping hosts
> > on the IPsec VPN through the tunnel from the NAT gateway itself
> > but I cannot ping them from any LAN hosts behind the gateway.
> > 
> > The problem is that when I set up proper FORWARD and MASQUERADE
> > rules for the LAN network, the MASQUERADEd packets seem to go out
> > on eth0 unencrypted without ever getting into the IPsec tunnel. I
> > have also tried -j SNAT --to-source <address of eth0:0 valid on
> > IPsec VPN> just to be sure and the same thing happens as with
> > MASQUERADE.
> > 
> > Environment: linux-2.6.22, iptables-1.3.8
> > 
> > Is this behaviour intentional?
> > How could I achieve what I described above?
> 
> Could you draw your network schema?

Well the actual setup is much more complicated but I tried
to simplify and visualize the problem (see attached image).
The green arrows show where the NATed traffic should go and
the red ones show what actually happens.

Best regards,
Sab

[-- Attachment #2: ipsec_nat_2.png --]
[-- Type: image/png, Size: 20945 bytes --]
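The post above describes forwarded LAN packets that are MASQUERADEd and then leave eth0 in the clear instead of entering the tunnel. The following is an added Python model, not code from this thread or from netfilter, of the two decisions involved on a Linux gateway with native IPsec: which source address nat/POSTROUTING puts on the packet (MASQUERADE takes the primary address of the outgoing interface, SNAT --to-source the configured one), and whether the resulting src/dst pair matches an xfrm policy (SPD) selector. Linux re-runs the xfrm lookup in POSTROUTING when NAT changed the source, so it is the post-NAT source that the selector sees. All addresses, prefixes and policies here are constructed for illustration; the poster's real policies and the attached diagram are not on the page, and this is not a diagnosis of the poster's setup (the post reports SNAT to the eth0:0 address failing as well).

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the model (assumptions, not from the thread):
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # LAN behind the gateway
WAN_ADDR = "198.51.100.10"                          # eth0, primary address
VPN_ADDR = "10.8.0.7"                               # eth0:0, address valid on the VPN
VPN_NET = ipaddress.ip_network("10.9.0.0/16")       # hosts reachable through the tunnel


@dataclass(frozen=True)
class XfrmPolicy:
    """One SPD entry: a src/dst prefix selector plus what to do on match."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "ipsec" = encapsulate, "none" = send in the clear


def select_source(packet_src, out_if_addrs, nat_mode, snat_to=None):
    """Model of the source address chosen in nat/POSTROUTING.

    MASQUERADE picks the primary address of the outgoing interface (the
    first address listed for eth0 here); SNAT --to-source uses the one given.
    """
    if nat_mode == "none":
        return packet_src
    if nat_mode == "masquerade":
        return out_if_addrs[0]
    if nat_mode == "snat":
        if snat_to is None:
            raise ValueError("snat needs --to-source")
        return snat_to
    raise ValueError(f"unknown NAT mode {nat_mode!r}")


def xfrm_lookup(policies, src, dst):
    """First-match SPD lookup on the (post-NAT) src/dst pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in p.src and d in p.dst:
            return p.action
    return "none"  # no matching policy: the packet leaves eth0 unencrypted


def forward(policies, lan_src, vpn_dst, out_if_addrs, nat_mode, snat_to=None):
    """Route -> nat/POSTROUTING -> xfrm lookup for one forwarded packet.

    Returns (source address on the wire, "ipsec" or "none").
    """
    post_nat_src = select_source(lan_src, out_if_addrs, nat_mode, snat_to)
    return post_nat_src, xfrm_lookup(policies, post_nat_src, vpn_dst)


# Policy written as a host-to-subnet tunnel from the VPN address only.
HOST_POLICY = [XfrmPolicy(ipaddress.ip_network(f"{VPN_ADDR}/32"), VPN_NET, "ipsec")]

# Alternative design: a policy covering the LAN prefix itself, so the selector
# matches without NAT (the far end must then route the LAN prefix back into
# the tunnel).
LAN_POLICY = [XfrmPolicy(LAN_NET, VPN_NET, "ipsec")]

if __name__ == "__main__":
    ifaddrs = [WAN_ADDR, VPN_ADDR]  # eth0 primary first, eth0:0 second
    for mode, to in (("none", None), ("masquerade", None), ("snat", VPN_ADDR)):
        print(mode, forward(HOST_POLICY, "192.168.1.20", "10.9.0.1", ifaddrs, mode, to))
    print("lan-policy, no NAT",
          forward(LAN_POLICY, "192.168.1.20", "10.9.0.1", ifaddrs, "none"))
```

With the host-only policy, the un-NATed LAN source and the MASQUERADE-chosen eth0 primary address both fall outside the selector and go out in the clear, while SNAT to the eth0:0 address matches. On a real gateway the equivalent check is to compare the post-NAT source and destination against the selectors printed by `ip xfrm policy`.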


Thread overview: 6+ messages
2008-02-02 21:00 MASQUERADE/SNAT before IPsec RUMI Szabolcs
     [not found] ` <BAY103-DAV9E97CD56D54A10E4D90C4B2310@phx.gbl>
2008-02-03  0:10   ` RUMI Szabolcs [this message]
2008-02-03 13:18     ` Marco Berizzi
2008-02-03 18:19       ` RUMI Szabolcs
2008-02-04  9:48         ` Marco Berizzi
2008-02-04 11:26           ` RUMI Szabolcs
