Old 12-19-2007, 04:46 AM   #1
Registered: Jun 2005
Posts: 53

Rep: Reputation: 15
IPsec routing issue

Hi, I'm supposed to set up an IPsec tunnel with another company's server.

They have provided me with the details and I have to make it work.

Our LAN IP behind our router is in the subnet.

They are telling me, however, that I have to make all traffic going to their network appear to be coming from a LAN IP. They then want me, whilst pretending to be this host, to connect to another subnet on their end, e.g.

I'm finding this unreasonable as they are dictating which network traffic should appear to be coming from (I have no idea why; I'm starting to think they don't know what they are talking about).

How am I meant to masquerade traffic as coming from and route all traffic for through that link?

I'm running Centos 5.0 and I have shorewall installed as my firewall/router setup.

Let's say my default gw is eth0.
I then create a virtual interface called eth0:1 with the ip address of

I can't add the route to dev eth0:1 specifically, can I? It will just appear as eth0...

If anyone has any ideas or experience with this could you please help?

Old 12-19-2007, 05:08 AM   #2
Registered: Mar 2004
Location: Antwerp, Belgium
Distribution: Gentoo
Posts: 65

Rep: Reputation: 15
I think you'll have to set up shorewall to use NAT. You tell it to send all traffic from your internal network destined for over eth0:1.
I can't really help you with the specific configuration, but I'm sure you can find adequate documentation.
Old 12-19-2007, 07:41 PM   #3
Registered: Jun 2005
Posts: 53

Original Poster
Rep: Reputation: 15
OK, I figured out the masquerading by just reading the Shorewall documentation and trial and error. This is how far I've got, but I can't get IPsec working as it won't encrypt the traffic.

First I created a virtual NIC.
My interfaces are bonded and I'm using Linux HA, so I already have virtual IPs on my router, so rather than create a bond1:1, which is my HA (heartbeat) virtual NIC, I had to create a bond1:2.

So I created the file /etc/sysconfig/network-scripts/ifcfg-bond1:2
(other people might create an ifcfg-eth0:1 or ifcfg-eth1:1 depending on what interface they are doing this on).

I gave this new interface the address of

I then added a route for the network to go via this interface with a

route add -net netmask gw

To make this route permanent on a Red Hat based system, create a file like I have, but make sure you name your interface correctly,

and inside the file put via

Then bring the interface up with a /sbin/ifup bond1:2.
Do a netstat -rn to see the routing table and make sure it is correct.

Then in /etc/shorewall/masq

I added the following line:

This means that all traffic destined for from the internal machine has a SNAT source address of

I do a tcpdump -i bond1:2 -nnvv dst host

and on the machine I ping

tcpdump shows me that the source address for these pings is

So the masquerading is now working.

Only problem now is that if I use setkey to set my SAs for IPsec, they take over the traffic for before Shorewall gets to them, so I'm stuck again... :-(
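The three pieces of the setup described in the post above (alias interface, persistent route, Shorewall masq entry), plus the tcpdump check used to confirm the SNAT, as an added example that is not from the thread. All addresses, the LAN and partner subnets, and the gateway are placeholders; the interface name bond1:2 is the one from the post.

```shell
#!/bin/sh
# Added example, not the poster's files. Placeholder values: substitute your own.
IFACE="bond1:2"                # alias interface, as in the post
SNAT_ADDR="192.0.2.10"         # placeholder: address the partner wants to see
LAN_NET="10.0.0.0/24"          # placeholder: our real LAN behind the router
REMOTE_NET="198.51.100.0/24"   # placeholder: partner subnet we must reach
GATEWAY="192.0.2.1"            # placeholder: next hop toward the partner

# Contents of /etc/sysconfig/network-scripts/ifcfg-bond1:2 (RHEL/CentOS style)
render_ifcfg() {
  printf 'DEVICE=%s\nIPADDR=%s\nNETMASK=255.255.255.0\nONBOOT=yes\n' \
    "$IFACE" "$SNAT_ADDR"
}

# Contents of /etc/sysconfig/network-scripts/route-bond1:2 ("NET via GW" form)
render_route() {
  printf '%s via %s\n' "$REMOTE_NET" "$GATEWAY"
}

# One line for /etc/shorewall/masq. Columns: INTERFACE[:DEST] SOURCE ADDRESS.
# Qualifying the interface with the partner subnet limits the SNAT to that
# destination instead of rewriting everything that leaves the interface.
render_masq() {
  printf '%s:%s\t%s\t%s\n' "$IFACE" "$REMOTE_NET" "$LAN_NET" "$SNAT_ADDR"
}

# Check: feed `tcpdump -i bond1:2 -nn dst host <partner>` output on stdin and
# count packets whose source is NOT the SNAT address. 0 means the masquerade
# is applied to every packet; anything else is a leak of the real LAN address.
count_leaks() {
  awk -v want="$SNAT_ADDR" '
    $2 == "IP" {
      n_parts = split($3, p, ".")          # strip a trailing ".port" if present
      src = p[1] "." p[2] "." p[3] "." p[4]
      if (src != want) leaks++
    }
    END { print leaks + 0 }'
}

# Constructed sample of tcpdump -nn output: one masqueraded ping, one leak.
SAMPLE='04:46:01.000001 IP 192.0.2.10 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64
04:46:02.000001 IP 10.0.0.7 > 198.51.100.5: ICMP echo request, id 1, seq 2, length 64'

leaks_in_sample() { printf '%s\n' "$SAMPLE" | count_leaks; }
```

Write the rendered fragments to the named files, then `ifup bond1:2` and `shorewall restart`; run the check against live tcpdump output before pointing the IPsec SAs at the traffic, so a non-zero count is seen while it is still plain routing.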

