Old 10-13-2012, 10:04 PM
Steve Clark
 
Default ipsec nat issue

Hello,

I have the following setup on linux 2.6.32... CentOS 6.x :

ipsec tunnel eth0-10.255.3.254/25 - eth1-pub add1 <-> eth1-pub add2 -
eth0-10.255.5.254/25

I am trying to SNAT remote private address 10.255.5.128/25 packets when
they come out of the ipsec tunnel to make it appear like it was from local
address 10.255.3.254. I am doing a source ping from the right side to a
device on the left subnet (ping -I 10.255.5.254 10.255.3.129),
but it doesn't work - see below.

iptables -t nat -I POSTROUTING -o eth0 -s 10.255.5.128/25 -d 10.255.3.128/25 -j SNAT --to-source 10.255.3.254

Chain POSTROUTING (policy ACCEPT 6 packets, 456 bytes)
 pkts bytes target  prot opt in  out   source           destination
    0     0 SNAT    all  --  *   eth0  10.255.5.128/25  10.255.3.128/25  to:10.255.3.254

$ sudo tcpdump -nli eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:20:17.772396 IP 10.255.5.254 > 10.255.3.129: ICMP echo request, id 52588, seq 62, length 64
15:20:18.777272 IP 10.255.5.254 > 10.255.3.129: ICMP echo request, id 52588, seq 63, length 64
15:20:19.772572 IP 10.255.5.254 > 10.255.3.129: ICMP echo request, id 52588, seq 64, length 64
15:20:20.770681 IP 10.255.5.254 > 10.255.3.129: ICMP echo request, id 52588, seq 65, length 64

I would expect 10.255.5.254 to be replaced with 10.255.3.254. What am I missing?
Is this possible?
I could do it when we were using FreeBSD.

I didn't find anything googling.

Thanks,
Steve


--

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)



_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-13-2012, 10:31 PM
Steve Clark
 
Default ipsec nat issue

Never mind. I got it to work. I already had the ping going when I added the iptables SNAT rule;
conntracking or route caching made it not work. I stopped the ping for a minute or so, then
restarted it, and it worked and did the SNATing as I expected.



--
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark@netwolves.com
http://www.netwolves.com
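The fix in the reply above works because the nat table is consulted only for the first packet of a connection. The conntrack entry for the already-running ping was created before the SNAT rule existed and carries an untranslated reply tuple, so every later packet of that flow is handled from the entry and never sees the new rule until the entry expires (a minute covers the default ICMP conntrack timeout of 30 seconds). The same applies to any live flow: a newly loaded NAT rule does not touch existing conntrack entries, and filter rules that accept ESTABLISHED traffic early have the same effect. The script below is an added example, not part of the original thread or of CentOS: it reads `conntrack -L` output from the conntrack-tools package (the sample here is constructed from the thread's addresses, not captured), lists entries from the tunnelled subnet whose reply destination was never rewritten to the SNAT address, and prints the `conntrack -D` commands that would expire them instead of waiting. The function names and the prefix/SNAT-address arguments are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): find conntrack entries that
# pre-date a SNAT rule and so still bypass it.
#
# Constructed sample of `conntrack -L` output, modelled on the thread's
# addresses. Line 1: the ping that was running before the rule was loaded
# (reply dst still equals the original src). Line 2: a flow that started
# after the rule (reply dst is the --to-source address). Line 3: a flow
# originating on the left-hand subnet, outside the scope of the rule.
SAMPLE='icmp     1 29 src=10.255.5.254 dst=10.255.3.129 type=8 code=0 id=52588 src=10.255.3.129 dst=10.255.5.254 type=0 code=0 id=52588 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.255.5.200 dst=10.255.3.130 sport=45678 dport=22 src=10.255.3.130 dst=10.255.3.254 sport=22 dport=45678 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=10.255.3.129 dst=10.255.5.254 sport=51000 dport=443 src=10.255.5.254 dst=10.255.3.129 sport=443 dport=51000 [ASSURED] mark=0 use=1'

# unnatted_flows PREFIX SNAT_ADDR < conntrack-output
# Prints "proto orig_src orig_dst" for each entry whose original source is
# inside PREFIX (a dotted prefix such as 10.255.5.) but whose reply tuple
# still points back at the original source rather than at SNAT_ADDR.
# In conntrack -L output the first src=/dst= pair is the original
# direction and the second pair is the reply direction.
unnatted_flows() {
    prefix="$1"; snat="$2"
    awk -v prefix="$prefix" -v snat="$snat" '
    {
        osrc = ""; odst = ""; rdst = ""; nsrc = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { nsrc++; if (nsrc == 1) osrc = substr($i, 5) }
            if ($i ~ /^dst=/) { if (odst == "") odst = substr($i, 5); else rdst = substr($i, 5) }
        }
        # Reply going straight back to the tunnelled source: this entry
        # was created before the SNAT rule and will keep bypassing it
        # until it times out or is deleted.
        if (index(osrc, prefix) == 1 && rdst == osrc && rdst != snat)
            print $1, osrc, odst
    }'
}

# expire_cmds PREFIX SNAT_ADDR < conntrack-output
# Emits one `conntrack -D` per stale entry so the next packet of that flow
# creates a fresh entry and is evaluated against the nat table again.
# Review the commands before piping them to sh; `conntrack -F` would flush
# every flow on the box, which is usually more disruptive than needed.
expire_cmds() {
    unnatted_flows "$@" | while read -r proto osrc odst; do
        printf 'conntrack -D -p %s -s %s -d %s\n' "$proto" "$osrc" "$odst"
    done
}

# On a real gateway replace the sample with: conntrack -L 2>/dev/null | expire_cmds 10.255.5. 10.255.3.254
printf '%s\n' "$SAMPLE" | expire_cmds 10.255.5. 10.255.3.254
```

Running it against live output on the gateway in the thread would print a single `conntrack -D -p icmp -s 10.255.5.254 -d 10.255.3.129`, which is the entry the poster waited out. Once the entry is gone, the next echo request is a new flow, hits POSTROUTING, and leaves eth0 with source 10.255.3.254 as the tcpdump in the first post was expected to show.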
 
