[Firehol-support] Trouble with masquerading and ipsec

Les Stott les at cyberpro.com.au
Sun Dec 9 21:49:20 CET 2007


Costa Tsaousis wrote:
> Les Stott wrote:
>> Hi,
>>
>> I have two networks, say 192.168.1.0 (location 1) and 192.168.2.0 
>> (location 2).
>>
>> Location 1 is a linux box running firehol.
>>
>> Location 2 is a cyberguard hardware firewall.
>>
>> I'm using openswan-2.1.5-2 on top of centos5 with firehol 1.256.
>>
>> I can get an ipsec tunnel running between the devices no problem.
>>
>> From Location 2, behind the cyberguard I can ping any address behind 
>> location 1.
>> i.e. 192.168.2.1 can ping 192.168.1.99
>>
>> However from Location 1 I cannot ping location 2.
>>
>> At location 1 I am masquerading traffic so that internal PCs can 
>> browse the internet.
>>
>> I have to turn masquerading off in order for location 1 to be able to 
>> ping location 2. But this breaks all location 1 devices and they 
>> cannot access the internet.
>>
>> How can I get around this?
>>
>> Relevant rules from firehol.conf below.....
>>
>> location1=192.168.1.0/24
>> location2=192.168.2.0/24
>>
>>
>> interface "ppp+" internet
>>         protection strong
>>         server isakmp accept
>>         server ESP accept
>>         server ident reject with tcp-reset
>>         client all accept
>>
>> #IPSEC Routed Connections
>> router localout src "$location1" dst "$location2"
>>         route all accept
>> router remotein src "$location2" dst "$location1"
>>         route all accept
>>
>> router pcsout inface "ppp+" outface "eth0"
>>         masquerade reverse
>>         client http accept
>>         client https accept
>>         client ftp accept
>>         client rdp accept
>>
>> TIA
>>
>> Regards,
>>
>> Les
>>   
> Les,
>
> try removing the masquerade statement from the router and adding this 
> at the top of the firewall (just below the definitions of location1 
> and location2):
>
> masquerade ppp+ src "${location1}" dst not "${location2}"
>
> This will masquerade traffic only when destination is not location2.
>
> Costa
>
Thanks for the tip, I'll try that later tonight as I'm doing it on a live 
site, I'll report back how that goes.

Regards,

Les
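The following is an added illustration, not code from this thread or from FireHOL: a small Python model of the ordering that breaks the tunnel. The POSTROUTING MASQUERADE rewrites the packet's source before the IPsec policy (192.168.1.0/24 -> 192.168.2.0/24) is matched, so under the original config a location 1 packet bound for location 2 leaves with the ppp+ address and no longer matches the policy; with Costa's `dst not` exclusion the source is kept and the packet is tunnelled. The ppp+ public address and the Internet destination are constructed placeholders.

```python
import ipaddress

# Constructed placeholders (not from the post): the address the ppp+ link gets,
# which MASQUERADE substitutes as the new source.
PPP_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")
LOCATION1 = ipaddress.ip_network("192.168.1.0/24")
LOCATION2 = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


def masquerade_rule(src, dst=None, dst_negated=False):
    """One MASQUERADE rule on ppp+: matches when src is in `src` and the
    destination is in `dst` (or NOT in `dst` when dst_negated is True)."""
    return {"src": src, "dst": dst, "negated": dst_negated}


# Original config: "masquerade reverse" on the router, i.e. everything leaving ppp+.
OLD_CONFIG = [masquerade_rule(ANY)]
# Costa's suggestion: masquerade ppp+ src "${location1}" dst not "${location2}"
NEW_CONFIG = [masquerade_rule(LOCATION1, LOCATION2, dst_negated=True)]

# The IPsec security policy (SPD): location1 -> location2 is tunnelled.
SPD = [(LOCATION1, LOCATION2)]


def apply_nat(src, dst, rules):
    """POSTROUTING: return the source address after the first matching rule."""
    for r in rules:
        if src not in r["src"]:
            continue
        # A dst selector that is present and does not match (respecting 'not') skips the rule.
        if r["dst"] is not None and (dst in r["dst"]) == r["negated"]:
            continue
        return PPP_PUBLIC_IP
    return src


def egress(src, dst, rules):
    """Simulate an outbound packet: NAT first, then the IPsec policy lookup.
    Returns (source address on the wire, whether the packet is tunnelled)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nat_src = apply_nat(src, dst, rules)
    tunnelled = any(nat_src in s and dst in d for s, d in SPD)
    return str(nat_src), tunnelled
```

Replies to connections opened from location 2 are unaffected in either config because the nat table only evaluates the first packet of a connection, which matches the one-way ping asymmetry described above.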