[strongSwan] Problem with postrouting NAT
Frank Mohr
f_mohr at yahoo.de
Tue Nov 16 21:15:17 CET 2010
Hi,
I want to make an IPsec server in a closed network accessible with a public IP address.
To test this, I'm trying to modify the ikev2/nat-one-rw test case to use POSTROUTING instead of PREROUTING.
My changes to the test case are:
diff -r ./hosts/alice/etc/ipsec.conf
../nat-one-rw-post/hosts/alice/etc/ipsec.conf
20c20
< right=PH_IP_SUN
---
> right=10.1.0.1
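Review bot: `right=10.1.0.1` replaces the PH_IP_SUN placeholder with a hard-coded address, while the rest of the changed test case (the iptables rules in pretest.dat still use PH_IP_MOON and PH_IP_SUN) keeps the framework's placeholder convention. If the test environment provides a placeholder for moon's inner-interface address, using it here instead of the literal keeps the scenario consistent with the address substitution the other files rely on; otherwise a short comment in the test description saying that 10.1.0.1 is moon's internal address (the DNAT target) would make the intent clear.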
diff -r ./posttest.dat ../nat-one-rw-post/posttest.dat
14a15,16
> sun::route del -net 10.1.0.0 netmask 255.255.255.0 gw 192.168.0.1
>
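Review bot: the hunk appends an empty line (the bare `>`) after the `sun::route del` command; unless posttest.dat needs a trailing blank line, drop it so the file ends with the last command.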
diff -r ./pretest.dat ../nat-one-rw-post/pretest.dat
2a3
> moon::/etc/init.d/iptables start 2> /dev/null
5,6c6,10
< moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j
SNAT --to-source PH_IP_MOON:1024-1100
< moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j
SNAT --to-source PH_IP_MOON:2000-2100
---
> moon::iptables -A PREROUTING -t nat -i eth1 -p udp --dport 500 -j DNAT
--to PH_IP_SUN:500
> moon::iptables -A PREROUTING -t nat -i eth1 -p udp --dport 4500 -j
DNAT --to PH_IP_SUN:4500
> moon::iptables -A FORWARD -p udp --sport 500 --dport 500 -j ACCEPT
> moon::iptables -A FORWARD -p udp --sport 4500 --dport 4500 -j ACCEPT
> sun::route add -net 10.1.0.0 netmask 255.255.255.0 gw 192.168.0.1
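Review bot: the two FORWARD rules accept only UDP whose source and destination ports are both 500 or both 4500 (`moon::iptables -A FORWARD -p udp --sport 500 --dport 500 -j ACCEPT` and the 4500 counterpart). Packets that do not have symmetric ports, such as IKE or UDP-encapsulated ESP sent from a floated or rewritten source port, or plain ESP (IP protocol 50) if the peers do not end up using UDP encapsulation, will not match; if moon's FORWARD policy is DROP they are silently lost, which is hard to distinguish from the return-path problem described below the diff. A rule keyed on the destination port only (`--dport 500` / `--dport 4500`) or on conntrack state (`-m state --state ESTABLISHED,RELATED -j ACCEPT`) is more robust for a test meant to exercise the NAT path. Note also that the removed SNAT rules are not replaced, so sun sees alice's 10.1.0.x source address unchanged and relies on the added `sun::route add -net 10.1.0.0 ... gw 192.168.0.1` line for its replies to reach moon, where conntrack reverses the DNAT; that dependency is worth stating in the test description.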
Authentication works fine, I see the ICMP request and answer in tcpdump on bob and sun, but the answer isn't returned to alice.
On sun, I see the error message
Nov 16 20:52:32 sun charon: 05[KNL] NAT mappings of ESP CHILD_SA with
SPI ceab3cfb and reqid {1} changed, queuing update job
Does anyone have an idea what's wrong with that config?
Frank