[Firehol-support] Trouble with masquerading and ipsec
Les Stott
les at cyberpro.com.au
Sun Dec 9 14:11:41 GMT 2007
Hi,

I have two networks, say 192.168.1.0 (location 1) and 192.168.2.0 (location 2).
Location 1 is a Linux box running FireHOL.
Location 2 is a CyberGuard hardware firewall.
I'm using openswan-2.1.5-2 on top of CentOS 5 with FireHOL 1.256.

I can get an IPsec tunnel running between the devices no problem.
From location 2, behind the CyberGuard, I can ping any address behind location 1,
i.e. 192.168.2.1 can ping 192.168.1.99.
However, from location 1 I cannot ping location 2.

At location 1 I am masquerading traffic so that internal PCs can browse the internet.
I have to turn masquerading off in order for location 1 to be able to ping location 2.
But this breaks all location 1 devices and they cannot access the internet.

How can I get around this?

Relevant rules from firehol.conf below:
location1=192.168.1.0/24
location2=192.168.2.0/24

interface "ppp+" internet
    protection strong
    server isakmp accept
    server ESP accept
    server ident reject with tcp-reset
    client all accept

# IPSEC Routed Connections
router localout src "$location1" dst "$location2"
    route all accept

router remotein src "$location2" dst "$location1"
    route all accept

router pcsout inface "ppp+" outface "eth0"
    masquerade reverse
    client http accept
    client https accept
    client ftp accept
    client rdp accept
TIA
Regards,
Les
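The usual explanation for the symptom in this post is that the MASQUERADE rule in the nat POSTROUTING chain is applied to packets bound for the far subnet before they are matched against the IPsec policy: with NETKEY there is no separate ipsec0 device, so traffic for 192.168.2.0/24 is routed out the same ppp+ link as internet traffic, gets its source rewritten to the ppp address, and no longer fits the 192.168.1.0/24 -> 192.168.2.0/24 tunnel selector. The model below is an added example, not part of the original message, of FireHOL or of Openswan. It evaluates a nat POSTROUTING chain the way netfilter does (first matching terminating target wins), checks the result against the tunnel's outbound selector, and compares the post's masquerade-only chain with the same chain preceded by an exemption for tunnel traffic. The ppp0 address 203.0.113.10 and the interface names ppp0/eth0 are assumptions chosen for the example; the subnets are the ones from the post, and the iptables lines it prints are the raw netfilter form of each modelled rule, not FireHOL syntax.

```python
"""Why a MASQUERADE rule can swallow IPsec-bound traffic, and how an exemption fixes it.

Added example for the post above; it is NOT part of the original message, of
FireHOL or of Openswan.  It models the nat POSTROUTING chain and the outbound
IPsec policy (SPD selector) as plain Python so the two rule orders can be
compared offline.  Assumptions: the gateway's ppp0 address is 203.0.113.10
(documentation range, chosen here); the subnets are the ones in the post.
"""
from dataclasses import dataclass, replace as dc_replace
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

LOCATION1 = IPv4Network("192.168.1.0/24")   # LAN behind the FireHOL box
LOCATION2 = IPv4Network("192.168.2.0/24")   # LAN behind the CyberGuard
PPP_ADDR = IPv4Address("203.0.113.10")      # assumed public address of ppp0


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    out_iface: str          # interface chosen by the routing decision


def packet(src: str, dst: str, out_iface: str) -> Packet:
    return Packet(IPv4Address(src), IPv4Address(dst), out_iface)


@dataclass(frozen=True)
class NatRule:
    """One `iptables -t nat -A POSTROUTING ...` rule; None means 'any'."""
    target: str                          # "ACCEPT" or "MASQUERADE"
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    out_iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or pkt.src in self.src)
                and (self.dst is None or pkt.dst in self.dst)
                and (self.out_iface is None or pkt.out_iface == self.out_iface))

    def as_iptables(self) -> str:
        parts = ["iptables -t nat -A POSTROUTING"]
        if self.src is not None:
            parts.append(f"-s {self.src}")
        if self.dst is not None:
            parts.append(f"-d {self.dst}")
        if self.out_iface is not None:
            parts.append(f"-o {self.out_iface}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


def postrouting(rules, pkt: Packet, masq_addr: IPv4Address = PPP_ADDR) -> Packet:
    """Walk the chain in order; the first matching terminating target decides,
    as netfilter does.  ACCEPT leaves the packet alone, MASQUERADE rewrites
    the source to the outgoing interface's address."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.target == "ACCEPT":
                return pkt
            if rule.target == "MASQUERADE":
                return dc_replace(pkt, src=masq_addr)
    return pkt


def matches_tunnel_policy(pkt: Packet) -> bool:
    """Outbound SPD selector for the tunnel: leftsubnet=LOCATION1, rightsubnet=LOCATION2."""
    return pkt.src in LOCATION1 and pkt.dst in LOCATION2


def fate(rules, pkt: Packet) -> str:
    """Outcome after NAT: matches the tunnel selector, was masqueraded and so
    misses the selector, or passed through untouched."""
    natted = postrouting(rules, pkt)
    if matches_tunnel_policy(natted):
        return "esp-tunnelled"
    if natted.src != pkt.src:
        return "masqueraded-tunnel-missed"   # src rewritten; selector no longer matches
    return "forwarded-unchanged"


# Roughly what `masquerade reverse` in the post's pcsout router amounts to
# (approximation: explicit ppp0 and LOCATION1 source instead of ppp+/any).
MASQ_ONLY = [
    NatRule("MASQUERADE", src=LOCATION1, out_iface="ppp0"),
]

# Same chain with an exemption inserted first: tunnel traffic keeps its real source.
WITH_EXEMPTION = [
    NatRule("ACCEPT", src=LOCATION1, dst=LOCATION2),
    NatRule("MASQUERADE", src=LOCATION1, out_iface="ppp0"),
]

if __name__ == "__main__":
    probe = packet("192.168.1.99", "192.168.2.1", "ppp0")   # the failing ping from the post
    for name, chain in (("masquerade only", MASQ_ONLY), ("with exemption", WITH_EXEMPTION)):
        print(f"{name}:")
        for rule in chain:
            print("  " + rule.as_iptables())
        print("  192.168.1.99 -> 192.168.2.1:", fate(chain, probe))
```

Running it shows the reply direction (192.168.2.1 -> 192.168.1.99, leaving via eth0) untouched by either chain, which is why pings from location 2 work, while the forward direction is only tunnelled once the exemption precedes the MASQUERADE rule. On a real box the equivalent exemption can also be written without listing subnets, using the policy match (`iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT`), so that anything covered by an installed IPsec policy skips NAT; how to express the same exclusion in FireHOL's own rule syntax should be checked against the manual for the installed version rather than taken from this example.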