Linux - Networking
Hi everybody,
I've configured OPENSWAN between 2 offices; it's working fine and I can access resources between these sites. But now one of my offices needs to access the internet through CentOS, so I'd like to additionally configure static NAT for my network to access the internet (I have the static IP 222.255.239.18), but when I configure SNAT I can no longer communicate between my offices (my NAT command: iptables -t nat -A POSTROUTING -s 172.16.0.0/23 -j SNAT --to 222.255.239.18). So I have to delete that rule. If anybody has met this issue, please try to help me, because it's really very urgent.
Thank you very much indeed.
Thank you for your help.
To estabroo: I tried to use iptables -t nat -A POSTROUTING -s 172.16.0.0/23 -o <ethernet_device> -j MASQUERADE but it was the same as iptables -t nat -A POSTROUTING -s 172.16.0.0/23 -j SNAT --to 222.255.239.18.
To rossonieri#1:
Let me tell you in more detail: I configured my network with a single AD on 2 sites, and at each site I have a firewall (CentOS 5.0), which means I have 2 firewalls, one at each site, and they were configured for VPN by OPENSWAN. Until now it has been working fine. But I'd like to use iptables to configure more, so that my users can access the internet through my firewall with one public IP; when my firewall was configured with that rule, the VPN connection dropped immediately. So I need your help to assist me with how to run OPENSWAN and IPTABLES on the same firewall machine.
That's what I thought in the first place - hmm ... why did I erase my first post?
Since you are now running an IPsec PTP to the remote site, you have to build your iptables once again from scratch, because your main target now is to share your 1 internet connection using MASQ or SNAT; then the second job is to allow IPsec to pass through the firewall to the remote site.
IPsec-related ports/protocols: UDP 4500 (IPsec NAT-T), UDP 500 (IKE), IP 50 (ESP), IP 51 (AH).
Those 4 need to be open in both directions - I think you already understand which ports to open, right, since you already made it work?
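The rule order rossonieri#1 is pointing at is the crux of the problem. With the NETKEY IPsec stack (the CentOS 5 default) a packet from 172.16.0.0/23 to the remote LAN traverses nat/POSTROUTING in clear text before it is encrypted, so an unconditional SNAT rewrites its source address and the packet no longer matches the IPsec policy; the tunnel then appears to "drop". The following firewall script is an added example, not code from either poster: it opens the four IKE/NAT-T/ESP/AH entries listed above, exempts tunnel traffic from SNAT before the SNAT rule, and only then masquerades the rest. The addresses come from the thread (the public IP in the first post and the left/right subnets from the ipsec.conf posted later); WAN_IF is an assumed interface name, and DRY_RUN is a hypothetical switch added so the rule list can be reviewed without touching a live firewall.

```shell
#!/bin/sh
# Added example (not the thread's own script): one public IP shared via SNAT
# while the Openswan site-to-site tunnel stays alive.
set -e

WAN_IF="${WAN_IF:-eth0}"        # assumed public interface name
PUBLIC_IP="222.255.239.18"      # public IP from the first post
LOCAL_NET="172.16.0.0/23"       # leftsubnet in the posted ipsec.conf
REMOTE_NET="192.168.104.0/24"   # rightsubnet in the posted ipsec.conf
PEER="222.255.237.61"           # right= (remote IPsec gateway)

# DRY_RUN=1 prints the rules instead of applying them, so the order can be
# checked before a live run (leave it unset to really apply the rules).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Rebuild the chains this script owns from scratch.
    ipt -t nat -F POSTROUTING
    ipt -F FORWARD

    # 1. IKE (UDP 500), NAT-T (UDP 4500), ESP (50) and AH (51) terminate on
    #    this gateway, so they are INPUT/OUTPUT rules, limited to the peer.
    for spec in "-p udp --dport 500" "-p udp --dport 4500" "-p esp" "-p ah"; do
        ipt -A INPUT  -i "$WAN_IF" -s "$PEER" $spec -j ACCEPT
        ipt -A OUTPUT -o "$WAN_IF" -d "$PEER" $spec -j ACCEPT
    done

    # 2. Forward LAN-to-LAN traffic only when the IPsec policy covers it
    #    (policy match sees the clear-text packet on both sides of the tunnel),
    #    plus ordinary internet access for the local LAN.
    ipt -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_NET" -m policy --dir out --pol ipsec -j ACCEPT
    ipt -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET" -m policy --dir in --pol ipsec -j ACCEPT
    ipt -A FORWARD -s "$LOCAL_NET" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -d "$LOCAL_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. NAT: exempt tunnel traffic FIRST, then SNAT what leaves via the WAN.
    #    Either exemption alone is enough; the policy match also covers any
    #    further tunnels added later without editing this script.
    ipt -t nat -A POSTROUTING -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$LOCAL_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

# Returns 0 only if every nat/POSTROUTING exemption precedes the SNAT rule in
# the generated list; run before applying so a reordering mistake is caught.
check_order() {
    rules=$(DRY_RUN=1 build_rules)
    snat_line=$(echo "$rules" | grep -n -- '-j SNAT' | cut -d: -f1)
    echo "$rules" | grep -n -- '-t nat -A POSTROUTING .*-j ACCEPT' | cut -d: -f1 |
        while read -r n; do [ "$n" -lt "$snat_line" ] || exit 1; done
}

case "${1:-}" in
    apply) check_order && build_rules ;;
    show)  DRY_RUN=1 build_rules ;;
    *)     : ;;   # no action given: only define the functions
esac
```

Run it as `sh fw.sh show` to review the generated rules and `sh fw.sh apply` to install them. Note that the OP's MASQUERADE attempt fails for the same reason as the SNAT rule: both act on the clear-text packet, so the fix is the exemption (or the policy match) placed ahead of them, not a different NAT target.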
Firstly:
Yes, I know; I realize what you mentioned about those ports. In fact I have 8 WAN IPs on that firewall machine, configured by alias (that means I configured another IP for the VPN). The problem is that when the firewall was configured with rules for my users to access the internet through the firewall machine by iptables, the VPN dropped immediately (although the VPN didn't drop before I added the iptables rules, and now it's working fine).
The second point I'd like to ask you is how to configure OPENSWAN using a dynamic WAN IP, because in Viet Nam many locations have a dynamic WAN IP.
Let me post my ipsec.conf for you to consider:
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=all
    # plutodebug=dns

# Add connections here.

# sample VPN connection
conn net-to-net
    # Left security gateway, subnet behind it, next hop toward right.
    left=210.245.112.212
    leftsubnet=172.16.0.0/23
    leftrsasigkey=0sAQN4gj04X4Bf6BXRrodbhfeoe6e3OiSFcLBDkg8OhpUbKTnFMfidz30v49hL0L36ELJNg7FL3n6spPCUzlF91c8BSyZ/qEE5xQvAMwyCwLCD0ppfwcUvhWXPSzu8S4GQMtc0zMX83a04vxGCbBLyU9E6nanl05YfjIbN0UgT//mgGqxdJBTkKu1pHwRpvvqcyVCIYMCAmTm0dOCbnB6hzkoe9VJn1MxWByzwi4NId5xjSzn9uKni1lVjC57nWnl4qpWn1fJTZN/WVgaWwtV0DxSj1/+kq8kmz1IEVUTVPUDJNWpVOTEgGI6j7HogaJwwU/Ck72PBtmcBkC4Ck2huZL7lPR0wWqGgN1v7FfMh5tdxbQRl
    leftnexthop=210.245.112.209
    # Right security gateway, subnet behind it, next hop toward left.
    right=222.255.237.61
    rightsubnet=192.168.104.0/24
    rightrsasigkey=0sAQNYokeJYiaTWfLQijVnP9TdAm9mo7IxeyumDupgoUnXmb889Evt+6aA9jj6pILmBptK3vAZhotArQGjbFZydCmNkPuavobWfHX64hdr0GJg+hLRPIAzEad1TVVTwA7r7z0GZziLYgaCyx/rU4jonIuvYFisiT1pZv5z5OAQzjup2ZdONI69pm4IsiPEsjJ8BxZfElz9flJvjNOkZCrpbAMgFLuvU6d5gVVSzUvPk+6SEV0x9IeoX56K3C38kzYmZilV4cDdLzxR7byH2uZRKeVlc1AhGNr7aLkSJgmDAtXg4602K5iHWx0ICGUFRSpruoREMqPb117tZmkD5G5j0Aw6EaAw+9577E+o8cDFLvk5KGUl
    rightnexthop=222.255.237.254
    # auto=start brings the tunnel up when ipsec starts; auto=add would only
    # authorize the connection at startup without actually starting it.
    auto=start

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf