[Firehol-support] Trouble with masquerading and ipsec
Les Stott
les at cyberpro.com.au
Sun Dec 9 20:49:20 GMT 2007
Costa Tsaousis wrote:
> Les Stott wrote:
>> Hi,
>>
>> I have two networks, say 192.168.1.0 (location 1) and 192.168.2.0
>> (location 2).
>>
>> Location 1 is a linux box running firehol.
>>
>> Location 2 is a cyberguard hardware firewall.
>>
>> I'm using openswan-2.1.5-2 on top of centos5 with firehol 1.256.
>>
>> I can get an ipsec tunnel running between the devices no problem.
>>
>> From Location 2, behind the cyberguard I can ping any address behind
>> location 1.
>> i.e. 192.168.2.1 can ping 192.168.1.99
>>
>> However, from Location 1 I cannot ping location 2.
>>
>> At location 1 I am masquerading traffic so that internal PCs can
>> browse the internet.
>>
>> I have to turn masquerading off in order for location 1 to be able to
>> ping location 2. But this breaks all location 1 devices and they
>> cannot access the internet.
>>
>> How can I get around this?
>>
>> Relevant rules from firehol.conf below:
>>
>> location1=192.168.1.0/24
>> location2=192.168.2.0/24
>>
>>
>> interface "ppp+" internet
>> protection strong
>> server isakmp accept
>> server ESP accept
>> server ident reject with tcp-reset
>> client all accept
>>
>> #IPSEC Routed Connections
>> router localout src "$location1" dst "$location2"
>> route all accept
>> router remotein src "$location2" dst "$location1"
>> route all accept
>>
>> router pcsout inface "ppp+" outface "eth0"
>> masquerade reverse
>> client http accept
>> client https accept
>> client ftp accept
>> client rdp accept
>>
>> TIA
>>
>> Regards,
>>
>> Les
>>
> Les,
>
> try removing the masquerade statement from the router and adding this
> at the top of the firewall (just below the definitions of location1
> and location2):
>
> masquerade ppp+ src "${location1}" dst not "${location2}"
>
> This will masquerade traffic only when destination is not location2.
>
> Costa
>
Thanks for the tip, I'll try that later tonight as I'm doing it on a live
site; I'll report back how that goes.
Regards,
Les
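The following is an added illustration, not part of the thread and not FireHOL's own code. It models the two masquerade policies discussed above as plain Python and shows why the original "masquerade everything leaving ppp+" rule breaks site-to-site traffic while Costa's `masquerade ppp+ src "${location1}" dst not "${location2}"` keeps both the tunnel and internet access working: once a packet bound for 192.168.2.0/24 has its source rewritten to the ppp address, it no longer falls inside the tunnel's 192.168.1.0/24 <-> 192.168.2.0/24 selector. The ppp public address, the internet host and the assumption that the tunnel selectors are exactly the two /24s are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Subnets taken from the posted firehol.conf.
LOCATION1 = ipaddress.ip_network("192.168.1.0/24")
LOCATION2 = ipaddress.ip_network("192.168.2.0/24")

# Constructed placeholder for the public address that ppp0 receives.
PPP_ADDRESS = ipaddress.ip_address("203.0.113.10")


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    out_iface: str


def masquerade_everything(pkt: Packet) -> Packet:
    """Original behaviour: every packet leaving a ppp+ interface is SNATed
    to the ppp address, regardless of destination."""
    if pkt.out_iface.startswith("ppp"):
        return Packet(PPP_ADDRESS, pkt.dst, pkt.out_iface)
    return pkt


def masquerade_except_tunnel(pkt: Packet) -> Packet:
    """Costa's suggestion:
        masquerade ppp+ src "${location1}" dst not "${location2}"
    Only location1 traffic that is NOT headed for location2 is SNATed, so
    packets for the remote site keep their private source address."""
    if (pkt.out_iface.startswith("ppp")
            and pkt.src in LOCATION1
            and pkt.dst not in LOCATION2):
        return Packet(PPP_ADDRESS, pkt.dst, pkt.out_iface)
    return pkt


def matches_tunnel_selector(pkt: Packet) -> bool:
    """Assumption: the IPsec tunnel is negotiated for exactly
    192.168.1.0/24 <-> 192.168.2.0/24. A packet must match this selector
    (after NAT) to be carried through the tunnel."""
    return pkt.src in LOCATION1 and pkt.dst in LOCATION2


def evaluate(policy) -> dict:
    """Run two constructed packets through a masquerade policy and report
    whether the site-to-site ping still fits the tunnel and whether
    ordinary internet traffic is still NATed."""
    to_branch = Packet(ipaddress.ip_address("192.168.1.99"),
                       ipaddress.ip_address("192.168.2.1"), "ppp0")
    to_internet = Packet(ipaddress.ip_address("192.168.1.99"),
                         ipaddress.ip_address("198.51.100.7"), "ppp0")
    return {
        "tunnel_ok": matches_tunnel_selector(policy(to_branch)),
        "internet_nat_ok": policy(to_internet).src == PPP_ADDRESS,
    }


if __name__ == "__main__":
    for name, policy in (("masquerade everything", masquerade_everything),
                         ("masquerade except tunnel", masquerade_except_tunnel)):
        print(f"{name}: {evaluate(policy)}")
```

Running it prints that the original policy gives `tunnel_ok: False` (the ping to 192.168.2.1 leaves with the public address as source and falls outside the tunnel selector) while the exception-based policy gives `tunnel_ok: True` with internet NAT still working, which is exactly the trade-off Les could previously only resolve by switching masquerading off altogether.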