[Firehol-support] Trouble with masquerading and ipsec

Les Stott les at cyberpro.com.au
Sun Dec 9 14:11:41 GMT 2007


Hi,

I have two networks, say 192.168.1.0 (location 1) and 192.168.2.0 
(location 2).

Location 1 is a linux box running firehol.

Location 2 is a cyberguard hardware firewall.

Im using openswan-2.1.5-2 on top of centos5 with firehol 1.256.

I can get an ipsec tunnel running between the devices no problem.

 From Location 2, behind the cyberguard i can ping any address behind 
location 1.
i.e. 192.168.2.1 can ping 192.168.1.99

However from Location 1 i cannot ping location 2.

At location 1 i am masquerading traffic so that internal pc's can browse 
the internet.

I have to turn masquerading off in order for location 1 to be able to 
ping location 2. But this breaks all location 1 devices and they cannot 
access the internet.

How can i get around this?

Relevant rules from firehol.conf below.....

location1=192.168.1.0/24
location2=192.168.2.0/24


interface "ppp+" internet
        protection strong
        server isakmp accept
        server ESP accept
        server ident reject with tcp-reset
        client all accept

#IPSEC Routed Connections
router localout src "$location1" dst "$location2"
        route all accept
router remotein src "$location2" dst "$location1"
        route all accept

router pcsout inface "ppp+" outface "eth0"
        masquerade reverse
        client http accept
        client https accept
        client ftp accept
        client rdp accept

TIA

Regards,

Les




More information about the Firehol-support mailing list