[Firehol-support] Trouble with masquerading and ipsec
Costa Tsaousis
costa at tsaousis.gr
Sun Dec 9 16:05:13 GMT 2007
Les Stott wrote:
> Hi,
>
> I have two networks, say 192.168.1.0 (location 1) and 192.168.2.0
> (location 2).
>
> Location 1 is a linux box running firehol.
>
> Location 2 is a cyberguard hardware firewall.
>
> I'm using openswan-2.1.5-2 on top of centos5 with firehol 1.256.
>
> I can get an ipsec tunnel running between the devices no problem.
>
> From Location 2, behind the cyberguard I can ping any address behind
> location 1.
> i.e. 192.168.2.1 can ping 192.168.1.99
>
> However from Location 1 I cannot ping location 2.
>
> At location 1 I am masquerading traffic so that internal PCs can browse
> the internet.
>
> I have to turn masquerading off in order for location 1 to be able to
> ping location 2. But this breaks all location 1 devices and they cannot
> access the internet.
>
> How can I get around this?
>
> Relevant rules from firehol.conf below.....
>
> location1=192.168.1.0/24
> location2=192.168.2.0/24
>
>
> interface "ppp+" internet
> protection strong
> server isakmp accept
> server ESP accept
> server ident reject with tcp-reset
> client all accept
>
> #IPSEC Routed Connections
> router localout src "$location1" dst "$location2"
> route all accept
> router remotein src "$location2" dst "$location1"
> route all accept
>
> router pcsout inface "ppp+" outface "eth0"
> masquerade reverse
> client http accept
> client https accept
> client ftp accept
> client rdp accept
>
> TIA
>
> Regards,
>
> Les
>
Les,
try removing the masquerade statement from the router and adding this at
the top of the firewall (just below the definitions of location1 and
location2):
masquerade ppp+ src "${location1}" dst not "${location2}"
This will masquerade traffic only when destination is not location2.
Costa
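The following is an added worked example, not code from the thread or from FireHOL itself. It models why Les's setup breaks and why Costa's rule fixes it: a `masquerade reverse` on a router whose inface is `ppp+` rewrites the source of every packet leaving on `ppp+`, including packets bound for location2, so the packet no longer matches the tunnel's 192.168.1.0/24 <-> 192.168.2.0/24 selectors. The example assumes the usual NETKEY ordering (nat/POSTROUTING runs before IPsec encapsulation), uses the two networks from the thread, and a constructed public address `203.0.113.10` for the ppp link. The `iptables()` method prints the hand-written equivalent of each FireHOL `masquerade` line; that translation is my assumption for illustration, not FireHOL's generated output.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Networks from the thread.
LOCATION1 = ipaddress.ip_network("192.168.1.0/24")
LOCATION2 = ipaddress.ip_network("192.168.2.0/24")
# Constructed public address of the ppp+ link (documentation range, not from the thread).
PPP_ADDR = ipaddress.ip_address("203.0.113.10")


@dataclass
class MasqRule:
    """One nat/POSTROUTING MASQUERADE rule, as a FireHOL 'masquerade' line would produce."""
    out_iface: str                               # e.g. "ppp+" (iptables wildcard suffix)
    src: Optional[ipaddress.IPv4Network] = None  # None = any source
    dst: Optional[ipaddress.IPv4Network] = None  # None = any destination
    dst_negated: bool = False                    # "dst not ..." in FireHOL terms

    def iface_matches(self, iface: str) -> bool:
        # iptables treats a trailing '+' as a prefix wildcard (ppp+ matches ppp0, ppp1, ...).
        if self.out_iface.endswith("+"):
            return iface.startswith(self.out_iface[:-1])
        return iface == self.out_iface

    def matches(self, src, dst, out_iface: str) -> bool:
        if not self.iface_matches(out_iface):
            return False
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None:
            in_dst = dst in self.dst
            # Plain "dst X" needs in_dst=True; "dst not X" needs in_dst=False.
            if in_dst == self.dst_negated:
                return False
        return True

    def iptables(self) -> str:
        """Assumed hand-written iptables equivalent of this rule (for illustration)."""
        parts = ["iptables -t nat -A POSTROUTING", f"-o {self.out_iface}"]
        if self.src is not None:
            parts.append(f"-s {self.src}")
        if self.dst is not None:
            parts.append(f"{'! ' if self.dst_negated else ''}-d {self.dst}")
        parts.append("-j MASQUERADE")
        return " ".join(parts)


def original_rules():
    """Les's config: 'masquerade reverse' on a router with inface ppp+,
    i.e. masquerade everything that leaves on ppp+."""
    return [MasqRule("ppp+")]


def fixed_rules():
    """Costa's suggestion: masquerade ppp+ src location1 dst not location2."""
    return [MasqRule("ppp+", LOCATION1, LOCATION2, dst_negated=True)]


def postrouting(rules, src: str, dst: str, out_iface: str) -> str:
    """Source address the packet carries after nat/POSTROUTING (first matching rule wins)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, out_iface):
            return str(PPP_ADDR)
    return src


def ipsec_policy_selects(src_after_nat: str, dst: str) -> bool:
    """The tunnel's selectors are 192.168.1.0/24 <-> 192.168.2.0/24. A packet whose source
    has been rewritten to the ppp address no longer matches them, so it never travels
    inside the SA (assumes POSTROUTING NAT happens before xfrm encapsulation)."""
    return (ipaddress.ip_address(src_after_nat) in LOCATION1
            and ipaddress.ip_address(dst) in LOCATION2)


if __name__ == "__main__":
    # Constructed sample packets: one to the IPsec peer network, one to the internet.
    packets = [("192.168.1.99", "192.168.2.1"), ("192.168.1.99", "198.51.100.5")]
    for name, rules in (("original", original_rules()), ("fixed", fixed_rules())):
        print(f"== {name}: {rules[0].iptables()}")
        for src, dst in packets:
            after = postrouting(rules, src, dst, "ppp0")
            print(f"  {src} -> {dst}: leaves as {after}, "
                  f"in tunnel={ipsec_policy_selects(after, dst)}")
```

Running it shows the original rule rewriting 192.168.1.99 to the ppp address even for 192.168.2.1, which is exactly the packet the tunnel then refuses to carry, while the fixed rule leaves peer-bound traffic untouched and still masquerades internet-bound traffic. Because FireHOL rules are ordered, the negated-destination masquerade must be the one that applies to ppp+, which is why Costa asks for the router-level `masquerade reverse` to be removed rather than merely adding a second line.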