SNAT through Racoon IPSec VPN
Posted by Mite fine d'ailes on Server Fault
Published on 2011-09-02T10:17:31Z
Indexed on 2012/06/04 4:42 UTC
I am trying to route traffic from a device (that I will call "target") connected to my Ubuntu box (that I will call "host") to servers at a remote office.
The host uses a Racoon IPSec VPN, connected through a NIC called efix. This creates an aliased IF called efix:0 which has IP address 192.168.190.132. It is able to reach the servers.
The link between host and target is an Ethernet link, using IP addresses 10.0.0.1 on IF eusb for the host and 10.0.0.2 on IF eth0 for the target.
I have setup the following routes and iptables entries:
On target:
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
    default         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
On host:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to 192.168.190.132
    iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
    iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT
Using Wireshark to monitor an HTTP GET, I can see SYN packets from the target go all the way to the server, but the server's SYN-ACK packets stop at the host and are not forwarded to the target. Am I missing something here? Isn't SNAT supposed to keep track of the connections?
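A check a practitioner would run on the host in this situation is to look at the connection-tracking table (`conntrack -L` or `/proc/net/nf_conntrack`) and confirm that the flow from the target actually carries the SNAT reply mapping, i.e. that the reply direction of the entry is addressed to 192.168.190.132 and will be un-NATed back to 10.0.0.2. The script below is an added example, not part of the original post or of any answer to it; it parses conntrack-style lines and reports whether that mapping is present. The two conntrack lines, the server addresses 192.168.190.10 and 192.168.190.11 and the ports are constructed sample data using the post's own addressing, not output captured from the poster's host.

```shell
#!/bin/sh
# Added example (not from the original post): check a conntrack dump for the
# SNAT mapping that should exist for a target -> server flow.
# Real input would come from `conntrack -L` or /proc/net/nf_conntrack; the
# lines below are constructed sample data using the post's addresses.
# Line 1: a flow that was SNATed (reply dst is the alias address).
# Line 2: a flow whose reply direction still points at 10.0.0.2, i.e. the
#         POSTROUTING SNAT rule did not apply to it.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=192.168.190.10 sport=40000 dport=80 src=192.168.190.10 dst=192.168.190.132 sport=80 dport=40000 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=10.0.0.2 dst=192.168.190.11 sport=40001 dport=80 [UNREPLIED] src=192.168.190.11 dst=10.0.0.2 sport=80 dport=40001 mark=0 use=1'

# snat_mapping_ok ORIG_SRC SERVER SNAT_ADDR
# Reads conntrack lines on stdin. Returns 0 if some entry whose original
# direction is ORIG_SRC -> SERVER has its reply direction addressed to
# SNAT_ADDR (so conntrack will rewrite the server's replies back to ORIG_SRC),
# and 1 otherwise.
snat_mapping_ok() {
    awk -v osrc="src=$1" -v odst="dst=$2" -v snat="dst=$3" '
    {
        # In conntrack output the first src=/dst= pair is the original
        # direction and the second pair is the reply direction.
        n = 0; osrc_seen = 0; odst_seen = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) {
                n++
                if (n == 1 && $i == osrc) osrc_seen = 1
            }
            if ($i ~ /^dst=/) {
                if (n == 1 && $i == odst) odst_seen = 1
                if (n == 2 && osrc_seen && odst_seen && $i == snat) {
                    found = 1
                    exit
                }
            }
        }
    }
    END { exit found ? 0 : 1 }'
}

# Usage on a live host:
#   conntrack -L 2>/dev/null | snat_mapping_ok 10.0.0.2 192.168.190.10 192.168.190.132
# Usage on the constructed sample:
#   printf '%s\n' "$SAMPLE_CONNTRACK" | snat_mapping_ok 10.0.0.2 192.168.190.10 192.168.190.132
```

A match tells you only that the NAT stage did its job: the mapping exists and the server's SYN-ACK, once it reaches conntrack on the host, will be rewritten to 10.0.0.2. If the mapping is present and the reply is still seen on the host but never leaves eusb, the NAT table is not where the packet is being lost and the remaining hops (IPsec policy, routing, the FORWARD chain) are the places to look next.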
© Server Fault or respective owner