NAT pred IPsec s pomocou IPFW

[Marián Černý]

Ahojte,

mam server s jednou sietovou kartou (em0) a VPN tunelom pomocou IPsec.

Cez VPN je dostupny server 10.5.5.5 z verejnej IP adresy jailu 1 (80.0.0.101) a tiez z privatneho rozsahu 10.2.2.0/24.

Chcel by som nastavit, aby komunikacia z jailu 2 (80.0.0.102) na server 10.5.5.5 sla cez VPN s prekladom zdrojovej adresy na 10.2.2.102.

Nedari sa mi to ale nastavit. Momentalne som v situacii, ze vidim, ze k prekladu adries doslo (tcpdump -i em0 -n host 10.5.5.5):

    13:47:26.225691 IP 10.2.2.102 > 10.5.5.5: ICMP echo request, id 64090, seq 0, length 64

Ale v tcpdump -i enc0 sa to uz neobjavi. Ked na hoste pouzijem ping -S 10.2.2.102 10.5.5.5, tak to funguje OK - zobrazi sa to v tcpdump -i enc0.

Ako zariadit, aby traffic s prelozenymi adresami bol dalej spracovany cez IPsec?

Do konfiguracie IPFW som pridal:

    gateway_enable="YES"
    firewall_nat_enable="YES"

    nat 1 config ip 10.2.2.1 redirect_addr 80.0.0.102 10.2.2.102
    add 00999 nat 1 all from 80.0.0.102 to 10.5.5.5 via em0

IPsec mam nakonfigurovany nasledovne:

    ipsec_enable="YES"
    ipsec_file="/usr/local/etc/racoon/setkey.conf"
    racoon_enable="YES"

setkey.conf:

    flush;
    spdflush;
    spdadd 80.0.0.101/32 10.5.5.5/32 any -P out ipsec esp/tunnel/80.0.0.1-90.0.0.1/unique;
    spdadd 10.5.5.5/32 80.0.0.101/32 any -P in ipsec esp/tunnel/90.0.0.1-80.0.0.1/unique;
    spdadd 10.2.2.0/24 10.5.5.5/32 any -P out ipsec esp/tunnel/80.0.0.1-90.0.0.1/unique;
    spdadd 10.5.5.5/32 10.2.2.0/24 any -P in ipsec esp/tunnel/90.0.0.1-80.0.0.1/unique;

Dakujem za rady

Marian Cerny