Re: IPSec, IPTables, multiple subnets



SilkBC <swasak@xxxxxxxxxxx> wrote:
Hello,

How do you tell IPTables to not masquerade several specific subnets,
or alternatively, masquerade *only* one specific subnet but not
everything else?

We have several remote sites with the following subnets:

site1 (main office): 10.175.0.0/24
site2 (remote): 10.175.1.0/24
site3 (remote): 10.175.2.0/24
site4 (remote): 10.175.3.0/24

We are wanting to run full two-way site-to-site VPNs between the
remote sites and the main office. We are able to get one tunnel
working properly, but the others, while the tunnels are indeed up, we
cannot ping across to them from the main office. The VPN is IPSec.

Here is the current masquerading rule (on the main office firewall/
gateway), which is allowing the one IPSec tunnel to work no problem:

iptables -t nat -A POSTROUTING -o eth0 -d ! 10.175.1.0/24 -j MASQUERADE

which is saying to masquerade all traffic going through eth0 *except*
for traffic destined for the 10.175.1.0/24 network.

IPSec does not create its own interface unfortunately, but rather
"shares" eth0.

I have tried this rule:

iptables -t nat -A POSTROUTING -o eth0 -s 10.175.0.0/24 -j MASQUERADE

Given that I'm no IPSec or iptables expert, you might try this:

iptables -t nat -A POSTROUTING -o eth0 -d ! 10.175.0.0/16 -j MASQUERADE

It would seem to masquerade all traffic output through eth0 except
that to the VPNs, assuming no traffic to 10.175.0.0/24 goes out eth0.
But since my view of eth0/IPSec VPN/"shares" is cloudy at best that
assumption could easily be wrong.

which I thought would masquerade *only* traffic from the 10.175.0.0/24
subnet through eth0, but that didn't work (and looking at it closer, I
am able to see why)

Any help appreciated.

TIA. I look forward to hearing from you.

-Alan


--
Clifford Kite
/* I hear and I forget. I see and I remember. I do and I understand.
--Confucius, 551-479 BC */
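The thread's working rule excludes exactly one destination subnet from MASQUERADE with `-d !`, and an iptables rule can carry only one `-d` match, so it does not scale to three remote sites. The reply's `! 10.175.0.0/16` collapses the exclusion into one aggregate, which also stops NAT for any other 10.175.x.x destination that is not behind a tunnel. The example below is added here and is not code from either poster: it emits one `RETURN` rule per remote subnet ahead of the catch-all `MASQUERADE` (a packet matching a `RETURN` leaves the nat POSTROUTING chain un-NATed, which is what policy-based IPsec on a shared eth0 needs, since the packet hits POSTROUTING with its real LAN addresses before ESP encapsulation), and it simulates the chain's decision with a small CIDR matcher so the logic can be checked without root or a live firewall. The interface name `eth0` and the subnet list are taken from the thread; the rules are printed rather than executed.

```shell
#!/bin/bash
# Added example, not from the thread. Remote site subnets from the post;
# the main office LAN is 10.175.0.0/24 and sits behind eth0 (assumption:
# interface name as in the thread).
VPN_SUBNETS="10.175.1.0/24 10.175.2.0/24 10.175.3.0/24"
WAN_IF=eth0

# Print the nat POSTROUTING rules instead of applying them. Order matters:
# every per-subnet RETURN must precede the catch-all MASQUERADE, because
# the chain is evaluated top to bottom and RETURN ends evaluation early.
emit_nat_rules() {
    for net in $VPN_SUBNETS; do
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -d $net -j RETURN"
    done
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Dotted quad -> 32-bit integer, using IFS splitting on '.'.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS : succeed when ADDR lies inside NET/BITS.
in_cidr() {
    local addr net bits mask
    addr=$(ip2int "$1")
    net=${2%/*}
    bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Simulate what the emitted chain does to a packet leaving eth0 for DEST:
# "bypass" if a RETURN rule matches first, otherwise "masquerade".
nat_decision() {
    local net
    for net in $VPN_SUBNETS; do
        if in_cidr "$1" "$net"; then
            echo bypass
            return 0
        fi
    done
    echo masquerade
}

# Stand-alone run: show the rules, then a few sample decisions.
emit_nat_rules
for dest in 10.175.2.7 10.175.9.1 203.0.113.5; do
    echo "$dest -> $(nat_decision "$dest")"
done
```

With this layout a destination such as 10.175.9.1, which is in the /16 but behind no tunnel, is still masqueraded, whereas the reply's single `/16` exclusion would send it out eth0 with a private source address. Counting `RETURN` hits per subnet (`iptables -t nat -L POSTROUTING -v`) also gives a quick check that each tunnel's traffic is really taking the bypass path.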