[Firehol-support] Trouble with masquerading and ipsec

Les Stott les at cyberpro.com.au
Mon Dec 10 11:32:59 GMT 2007


Les Stott wrote:
> Costa Tsaousis wrote:
>   
>> Les Stott wrote:
>>     
>>> Hi,
>>>
>>> I have two networks, say 192.168.1.0 (location 1) and 192.168.2.0 
>>> (location 2).
>>>
>>> Location 1 is a Linux box running firehol.
>>>
>>> Location 2 is a CyberGuard hardware firewall.
>>>
>>> I'm using openswan-2.1.5-2 on top of CentOS 5 with firehol 1.256.
>>>
>>> I can get an IPsec tunnel running between the devices no problem.
>>>
>>> From location 2, behind the CyberGuard, I can ping any address behind 
>>> location 1,
>>> i.e. 192.168.2.1 can ping 192.168.1.99.
>>>
>>> However, from location 1 I cannot ping location 2.
>>>
>>> At location 1 I am masquerading traffic so that internal PCs can 
>>> browse the internet.
>>>
>>> I have to turn masquerading off in order for location 1 to be able to 
>>> ping location 2. But this breaks all location 1 devices, and they 
>>> cannot access the internet.
>>>
>>> How can I get around this?
>>>
>>> Relevant rules from firehol.conf below.....
>>>
>>> location1=192.168.1.0/24
>>> location2=192.168.2.0/24
>>>
>>>
>>> interface "ppp+" internet
>>>         protection strong
>>>         server isakmp accept
>>>         server ESP accept
>>>         server ident reject with tcp-reset
>>>         client all accept
>>>
>>> #IPSEC Routed Connections
>>> router localout src "$location1" dst "$location2"
>>>         route all accept
>>> router remotein src "$location2" dst "$location1"
>>>         route all accept
>>>
>>> router pcsout inface "ppp+" outface "eth0"
>>>         masquerade reverse
>>>         client http accept
>>>         client https accept
>>>         client ftp accept
>>>         client rdp accept
>>>
>>> TIA
>>>
>>> Regards,
>>>
>>> Les
>>>   
>>>       
>> Les,
>>
>> try removing the masquerade statement from the router and adding this 
>> at the top of the firewall (just below the definitions of location1 
>> and location2):
>>
>> masquerade ppp+ src "${location1}" dst not "${location2}"
>>
>> This will masquerade traffic only when destination is not location2.
>>
>> Costa
>>
>>     
> Thanks for the tip, I'll try that later tonight as I'm doing it on a live 
> site; I'll report back how that goes.
>
>   
Brilliant!!!!

Works a treat.

Thanks Costa,

Les
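
An added example, not part of the thread and not FireHOL's own code: a small shell audit for the problem Les hit. On a gateway using the kernel's native IPsec stack, the nat POSTROUTING hook runs before ESP encapsulation, so an unconditional MASQUERADE on ppp+ rewrites the source address of packets headed for the tunnel to the ppp address; they then no longer match the tunnel selectors (192.168.1.0/24 to 192.168.2.0/24) and are not encapsulated. Connections opened from location 2 keep working because the NAT decision is taken on a connection's first packet, which leaves via eth0, so no SNAT binding is ever created for them. Costa's one-liner amounts to a MASQUERADE rule carrying "! -d 192.168.2.0/24". The script below checks `iptables-save -t nat` output for that guard, and also accepts the alternative of an earlier "-m policy --dir out --pol ipsec -j ACCEPT" rule, which exempts anything with an outbound IPsec policy regardless of address (that variant goes beyond what the thread discusses). The interface name, the networks and the three rule samples are assumed and constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread or from FireHOL): audit the nat table of a
# gateway for a MASQUERADE rule that would also rewrite traffic bound for an IPsec peer.
# Input is `iptables-save -t nat` output on stdin; the samples below are constructed.
set -eu

# check_masq WAN_IFACE REMOTE_NET   (reads iptables-save output on stdin)
# Exit 0 when every MASQUERADE rule leaving WAN_IFACE is guarded, either by a negated
# destination ("! -d REMOTE_NET") or by an earlier rule that ACCEPTs packets carrying an
# outbound IPsec policy (-m policy --dir out --pol ipsec); exit 1 otherwise.
check_masq() {
    awk -v wan="$1" -v remote="$2" '
        # Only POSTROUTING rules that leave via the WAN interface matter here.
        !/^-A POSTROUTING / || !index($0, "-o " wan " ") { next }
        # A policy-match ACCEPT placed before the MASQUERADE rule exempts tunnelled
        # packets from every NAT rule after it.
        index($0, "--dir out --pol ipsec") && index($0, "-j ACCEPT") { exempt = 1; next }
        index($0, "-j MASQUERADE") {
            if (exempt) next
            # Accept both spellings of a negated destination: "! -d net" (iptables 1.4+)
            # and "-d ! net" (older 1.3.x iptables-save output).
            if (index($0, "! -d " remote " ") || index($0, "-d ! " remote " ")) next
            print "unguarded MASQUERADE: " $0 > "/dev/stderr"
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Same check, reporting "ok" / "bad" as text so it can be used from other scripts.
masq_verdict() {
    if check_masq "$@"; then echo ok; else echo bad; fi
}

# Constructed samples (assumed iptables-save layout). "bad" is what an unconditional
# masquerade on ppp+ looks like; "good" is the address-based exclusion from the thread;
# "policy" exempts anything that has an outbound IPsec policy.
sample_bad='*nat
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT'
sample_good='*nat
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.2.0/24 -o ppp+ -j MASQUERADE
COMMIT'
sample_policy='*nat
-A POSTROUTING -o ppp+ -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o ppp+ -j MASQUERADE
COMMIT'

for s in bad good policy; do
    eval "rules=\$sample_$s"
    printf '%s: %s\n' "$s" "$(printf '%s\n' "$rules" | masq_verdict ppp+ 192.168.2.0/24)"
done
# On a live gateway: iptables-save -t nat | masq_verdict ppp+ 192.168.2.0/24
```

On the live box, run the check after reloading FireHOL, then confirm with a ping from location 1 while watching `tcpdump -ni ppp0 esp`: with the guard in place the ICMP leaves as ESP instead of as clear-text ICMP with the ppp address as source.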



