Linux Archive (http://www.linux-archive.org/) - Debian User - vpn ipsec + port forwarding (http://www.linux-archive.org/debian-user/649837-vpn-ipsec-port-forwarding.html)

lestoilfante 03-28-2012 01:18 PM

vpn ipsec + port forwarding
 
Dear all,
I would like to ask if someone could point me to a solution for a
problem that has been fooling me for some days.
This is my situation:

--- NET 192.168.1.0/24 --- (multiple hosts)
           |
  _________|_________
 | LAN 192.168.1.1   |
 | ---- VPN GW ----  |
 | WAN 192.168.100.7 |
 |___________________|
           |
           |
  ___________________________________
 | ETH1 192.168.100.2                |
 | ----------- SERVER -----------    |
 | ETH0 10.0.0.1 + TAP0 192.168.2.38 |
 |___________________________________|
           |
           |
  __________
 | 10.0.0.2 |
 | --- PC --|
 |__________|

On the SERVER side I have a port forward of tcp 80 to 10.0.0.2, so from
eth1 I can reach the PC at 192.168.100.2:80, and this is working fine.
As a new upgrade to my server I added a VPN connection from SERVER to
NET 192.168.1.0 behind VPN GW; this is also working fine, and hosts on
the 192.168.1.0 net can reach SERVER at 192.168.2.38 and vice versa. The
problem is that the port forward is not working over the VPN, so if I try
to reach the PC from 192.168.1.x at 192.168.2.38:80, it fails.

The VPN client used on SERVER is ShrewSoft; it brings up the tap0 interface
when the VPN is established, but anyway tcpdump shows packets flowing only
on eth1 (type ESP).

This is my iptables, really stripped down:

# Generated by iptables-save v1.4.8 on Wed Mar 28 15:17:11 2012
*mangle
:PREROUTING ACCEPT [2107490:2462265619]
:INPUT ACCEPT [2006646:2354121292]
:FORWARD ACCEPT [100696:108135052]
:OUTPUT ACCEPT [1234102:150431085]
:POSTROUTING ACCEPT [1334795:258565885]
COMMIT
# Completed on Wed Mar 28 15:17:11 2012
# Generated by iptables-save v1.4.8 on Wed Mar 28 15:17:11 2012
*nat
:PREROUTING ACCEPT [8148:633084]
:POSTROUTING ACCEPT [798:50506]
:OUTPUT ACCEPT [759:47902]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.254.254.2:80
COMMIT
# Completed on Wed Mar 28 15:17:11 2012
# Generated by iptables-save v1.4.8 on Wed Mar 28 15:17:11 2012
*filter
:INPUT ACCEPT [2006634:2354120173]
:FORWARD ACCEPT [100696:108135052]
:OUTPUT ACCEPT [1234099:150430833]
COMMIT
# Completed on Wed Mar 28 15:17:11 2012


Any help will be very appreciated

Thank you


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAMRjn=Ox1Rzq8fEnvCMs=_=-k_pdbcG4Mzz2JtetQTUxfLNhyQ@mail.gmail.com
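Added example (not part of the original post, and not the poster's or ShrewSoft's code): a small Python check that parses the *nat table from the iptables-save dump above and answers, for a given flow, which PREROUTING DNAT rule would apply. The posted rule has neither -i nor -d, so it rewrites tcp/80 for every interface and every address the box owns; the working flow (to 192.168.100.2:80) and the failing one (to 192.168.2.38:80) both hit the same rule, so the nat table is not what tells them apart and the difference has to be in how the decapsulated and reply packets are routed, which this check does not model. The DNAT target 10.254.254.2 is used exactly as it appears in the dump. The SCOPED_NAT variant with one rule per served address is an assumed alternative, not something from the thread, and the flow tuples are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The *nat table exactly as posted above (iptables-save v1.4.8 dump, stripped down).
POSTED_NAT = """\
*nat
:PREROUTING ACCEPT [8148:633084]
:POSTROUTING ACCEPT [798:50506]
:OUTPUT ACCEPT [759:47902]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.254.254.2:80
COMMIT
"""

# Assumed alternative, not from the thread: one DNAT rule per address the forward
# is meant to serve (the WAN address on eth1, and the tunnel address), so tcp/80
# aimed at any other local address is left alone.
SCOPED_NAT = """\
*nat
-A PREROUTING -i eth1 -d 192.168.100.2/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.254.254.2:80
-A PREROUTING -d 192.168.2.38/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.254.254.2:80
COMMIT
"""


@dataclass
class NatRule:
    chain: str
    target: str = ""
    proto: Optional[str] = None                   # -p
    dport: Optional[int] = None                   # --dport
    in_iface: Optional[str] = None                # -i
    dst: Optional[ipaddress.IPv4Network] = None   # -d
    to: Optional[str] = None                      # --to-destination

    def matches(self, proto: str, dport: int, in_iface: str, dst: str) -> bool:
        """True when every match option present on the rule agrees with the flow."""
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.in_iface is not None and self.in_iface != in_iface:
            return False
        if self.dst is not None and ipaddress.ip_address(dst) not in self.dst:
            return False
        return True


def parse_nat_rules(dump: str) -> List[NatRule]:
    """Return the -A rules of the *nat table of an iptables-save dump, in order."""
    rules: List[NatRule] = []
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if line == "COMMIT":
            table = None
            continue
        if table != "nat" or not line.startswith("-A "):
            continue                       # chain policies, comments, other tables
        toks = line.split()
        rule = NatRule(chain=toks[1])
        i = 2
        while i < len(toks):
            opt = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if opt == "-p":
                rule.proto = arg
            elif opt == "--dport":
                rule.dport = int(arg)
            elif opt == "-i":
                rule.in_iface = arg
            elif opt == "-d":
                rule.dst = ipaddress.ip_network(arg, strict=False)
            elif opt == "-j":
                rule.target = arg
            elif opt == "--to-destination":
                rule.to = arg
            elif opt != "-m":              # "-m <module>" takes an argument; any
                i += 1                     # other unknown token is a bare flag
                continue
            i += 2
        rules.append(rule)
    return rules


def dnat_lookup(rules: List[NatRule], proto: str, dport: int,
                in_iface: str, dst: str) -> Optional[str]:
    """Destination the first matching PREROUTING DNAT rule rewrites the flow to, or None."""
    for r in rules:
        if (r.chain == "PREROUTING" and r.target == "DNAT"
                and r.matches(proto, dport, in_iface, dst)):
            return r.to
    return None


def audit(rules: List[NatRule]) -> List[str]:
    """Flag DNAT rules with neither -i nor -d: they capture the port on every
    interface and for every address the box owns, including its tunnel address."""
    return [f"{r.chain}: DNAT of {r.proto}/{r.dport} to {r.to} has no -i or -d restriction"
            for r in rules if r.target == "DNAT" and r.in_iface is None and r.dst is None]


if __name__ == "__main__":
    # Constructed flows: the working one from the WAN side, and the failing one
    # arriving through the tunnel for the tap0 address (seen on eth1 as ESP).
    flows = [("tcp", 80, "eth1", "192.168.100.2"), ("tcp", 80, "eth1", "192.168.2.38")]
    for name, dump in (("posted", POSTED_NAT), ("scoped", SCOPED_NAT)):
        rules = parse_nat_rules(dump)
        for f in flows:
            print(name, f, "->", dnat_lookup(rules, *f))
        for w in audit(rules):
            print(name, "WARNING", w)
```

Run it as-is to see that both flows are rewritten to 10.254.254.2:80 under the posted table; once the nat match is ruled out, the next thing to look at is whether the reply from the PC (source 10.0.0.x, destination 192.168.1.x) is routed into the tunnel at all, which is a routing and IPsec-policy question rather than an iptables one.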

