NAT before IPsec using IPFW
Marián Černý
majo-users-l at cerny.sk
Tue Oct 18 15:11:15 CEST 2016
Hi all,
I have a server with a single network interface (em0) and a VPN tunnel using IPsec.
Over the VPN, the server 10.5.5.5 is reachable from the public IP address of jail 1 (80.0.0.101) and also from the private range 10.2.2.0/24.
I would like to set things up so that traffic from jail 2 (80.0.0.102) to the server 10.5.5.5 goes through the VPN with the source address translated to 10.2.2.102.
But I can't get it to work. Currently I'm in a situation where I can see that the address translation did happen (tcpdump -i em0 -n host 10.5.5.5):
13:47:26.225691 IP 10.2.2.102 > 10.5.5.5: ICMP echo request, id 64090, seq 0, length 64
But it no longer shows up in tcpdump -i enc0. When I use ping -S 10.2.2.102 10.5.5.5 on the host, it works fine - it shows up in tcpdump -i enc0.
How do I arrange for the traffic with translated addresses to be processed further by IPsec?
I added the following to the IPFW configuration:
gateway_enable="YES"
firewall_nat_enable="YES"
nat 1 config ip 10.2.2.1 redirect_addr 80.0.0.102 10.2.2.102
add 00999 nat 1 all from 80.0.0.102 to 10.5.5.5 via em0
IPsec is configured as follows:
ipsec_enable="YES"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
setkey.conf:
flush;
spdflush;
spdadd 80.0.0.101/32 10.5.5.5/32 any -P out ipsec esp/tunnel/80.0.0.1-90.0.0.1/unique;
spdadd 10.5.5.5/32 80.0.0.101/32 any -P in ipsec esp/tunnel/90.0.0.1-80.0.0.1/unique;
spdadd 10.2.2.0/24 10.5.5.5/32 any -P out ipsec esp/tunnel/80.0.0.1-90.0.0.1/unique;
spdadd 10.5.5.5/32 10.2.2.0/24 any -P in ipsec esp/tunnel/90.0.0.1-80.0.0.1/unique;
Thanks for any advice
Marian Cerny
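The symptom described above (translated source visible on em0, nothing on enc0, while ping -S 10.2.2.102 works) is what you get when the outbound IPsec policy lookup sees the packet before the firewall NAT has rewritten its source address: 80.0.0.102 matches no spdadd line, so the packet is not selected for ESP, and only afterwards does ipfw nat rewrite it to 10.2.2.102. The small simulator below is an added illustration, not code from the post or from FreeBSD; it parses the setkey.conf policies and the ipfw redirect_addr mapping exactly as posted and evaluates a packet under both orderings (SPD lookup before NAT, and NAT before SPD lookup). The ordering it models for the host is an assumption to be checked against the ip_output() source of the release in use; the point it makes is only that the SPD has no entry for the untranslated source.

```python
import ipaddress
import re

# setkey.conf policies, copied from the post above
SPD_CONF = """
spdadd 80.0.0.101/32 10.5.5.5/32 any -P out ipsec esp/tunnel/80.0.0.1-90.0.0.1/unique;
spdadd 10.5.5.5/32 80.0.0.101/32 any -P in ipsec esp/tunnel/90.0.0.1-80.0.0.1/unique;
spdadd 10.2.2.0/24 10.5.5.5/32 any -P out ipsec esp/tunnel/80.0.0.1-90.0.0.1/unique;
spdadd 10.5.5.5/32 10.2.2.0/24 any -P in ipsec esp/tunnel/90.0.0.1-80.0.0.1/unique;
"""

# ipfw nat instance from the post: redirect_addr <local address> <public address>
NAT_CONF = "nat 1 config ip 10.2.2.1 redirect_addr 80.0.0.102 10.2.2.102"

SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(ipsec|discard|none)"
)


def parse_spd(text):
    """Parse spdadd lines into a list of policy dicts (src/dst networks, direction, action)."""
    policies = []
    for src, dst, _proto, direction, action in SPD_RE.findall(text):
        policies.append({
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "dir": direction,
            "action": action,
        })
    return policies


def parse_redirect_addr(text):
    """Return {local_ip: translated_ip} for the redirect_addr entries of one nat instance."""
    return dict(re.findall(r"redirect_addr\s+(\S+)\s+(\S+)", text))


def spd_lookup(policies, src, dst, direction="out"):
    """First matching policy action for (src, dst), or None when no policy applies
    (no policy means the packet leaves in the clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p["action"]
    return None


def nat_source(mapping, src):
    """Apply the redirect_addr mapping to an outbound source address."""
    return mapping.get(src, src)


def simulate(src, dst, spd_text=SPD_CONF, nat_text=NAT_CONF, ipsec_before_nat=True):
    """Return (source address on the wire, SPD action) for one outbound packet.

    ipsec_before_nat=True models the SPD lookup seeing the untranslated source
    (assumed host behaviour); False models NAT being applied first."""
    policies = parse_spd(spd_text)
    mapping = parse_redirect_addr(nat_text)
    if ipsec_before_nat:
        action = spd_lookup(policies, src, dst)
        wire_src = nat_source(mapping, src)
    else:
        wire_src = nat_source(mapping, src)
        action = spd_lookup(policies, wire_src, dst)
    return wire_src, action


if __name__ == "__main__":
    # Jail 2 traffic: translated to 10.2.2.102 but never matched by the SPD
    print(simulate("80.0.0.102", "10.5.5.5"))
    # Same packet if NAT happened first: would match the 10.2.2.0/24 policy
    print(simulate("80.0.0.102", "10.5.5.5", ipsec_before_nat=False))
    # ping -S 10.2.2.102 from the host: matches the SPD directly
    print(simulate("10.2.2.102", "10.5.5.5"))
```

Running it reproduces the three observations from the post: the jail 2 packet leaves as 10.2.2.102 with no IPsec action, the same packet would be protected if the lookup saw the translated source, and a packet sourced from 10.2.2.102 on the host matches the 10.2.2.0/24 policy as it stands.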