 From:  Christiaens Joachim <jchristi at oce dot be>
 To:  "'Ben Lutgens'" <blutgens at us dash admins dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] DNAT rules breaks IPSec tunneled traffic to same services on diff hosts.
 Date:  Thu, 23 Oct 2003 12:17:11 +0200
Your questions are not stupid. Maybe I am, for not having an answer to
them...

The core developer, Manuel Kasper, mostly answers these system problems, and
this can take some time as he also has a day-job. Also, the m0n0wall project
is relatively young, so there are not that many gurus out there yet.

I am going to investigate the IPsec routing NAT problem as soon as I have
the opportunity, but that can take some time...

Joachim

-----Original Message-----
From: Ben Lutgens [mailto:blutgens at us dash admins dot com]
Sent: woensdag 22 oktober 2003 23:21
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] DNAT rules breaks IPSec tunneled traffic to same services on diff hosts.



On Tuesday, Oct 21, 2003, at 11:11 US/Central, Ben Lutgens wrote:

> When you have Destination NAT rules setup, it seems you can no longer
> access services that you have NAT'd on _OTHER_ hosts when coming in
> via IPSec. Weird eh.

Are all my questions stupid? Is there some reason my posts get 0 
response? Am I missing something?

>
>
> So my network is 192.168.1.0/26 and on the other side of a tunnel is
> 192.168.2.0/26. On the remote gateway (m0n0 of course) I have some NAT
> rules which push services through to 192.168.2.2. These include ssh,
> http, https etc etc. When I try to ssh through the IPSec tunnel to say
> 192.168.2.10, I see some packet logs on my end which show me that the
> remote mono box is trying to NAT those packets to 192.168.2.2. For some
> reason it fails (which is odd since I can ssh to the external ip of the
> mono box and I'm good). My packet filter rules are all correct, and if I
> _remove_ those DNAT rules and try then to ssh to any host on the other
> side of the tunnel it works fine.
>
> This also affects being able to access the web interface via the IPSec
> tunnel. Obviously people want to be able to run webservers behind their
> m0n0 gateway, and may need to access the web interface (since there's
> no SSH to m0n0) to make config changes.
>
> Here are some packet logs when trying to access the remote m0n0 box's
> web interface via the IPSec tunnel.
>
> my IP == 192.168.1.5
> the remote mono internal ip == 192.168.2.1
> https is setup as an Inbound NAT rule on the remote mono box to go to
> 192.168.2.2 and these logs are from the LOCAL m0n0 box (192.168.1.1)
>
> Oct 21 11:09:33 m0n0wall ipmon[71]: 11:09:33.183888 sis0 @0:11 B 192.168.2.2,443 -> 192.168.1.5,33638 PR tcp len 20 40 -AR IN
> Oct 21 11:09:36 m0n0wall ipmon[71]: 11:09:36.182348 sis0 @0:11 B 192.168.2.2,443 -> 192.168.1.5,33638 PR tcp len 20 40 -AR IN
> Oct 21 11:09:42 m0n0wall ipmon[71]: 11:09:42.182511 sis0 @0:11 B 192.168.2.2,443 -> 192.168.1.5,33638 PR tcp len 20 40 -AR IN
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>
>
--
Ben Lutgens       http://us-admins.com/~blutgens/
US Admins, Inc
System Administrator / Server Gumby


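The ipmon lines quoted above carry the whole diagnosis: the client (192.168.1.5) connected to the remote gateway's inside address (192.168.2.1:443), yet the TCP resets come back from 192.168.2.2:443, the inbound-NAT target, and the local m0n0wall blocks them because they match no state it created. The script below is an added example, not part of this thread or of m0n0wall. It parses ipmon lines in the layout shown above and lists reply sources the client never contacted, which is the observable signature of an unwanted destination rewrite on the far side. The first three sample lines are the ones from the thread; the fourth (the client's own outbound SYN, rule @0:3) is constructed for contrast.

```python
"""Parse ipfilter/ipmon firewall-log lines (the format m0n0wall logs in)
and flag replies that arrive from an address the client never contacted.

Added example for the m0n0wall thread above; not project code.
"""
import re
from dataclasses import dataclass

# One ipmon record, as it appears in the thread:
#   <syslog ts> <host> ipmon[<pid>]: <ts> <iface> @<group>:<rule> <action>
#   <src>,<sport> -> <dst>,<dport> PR <proto> len <hdrlen> <pktlen> [-<tcpflags>] <IN|OUT>
# The TCP flag letters are ipfilter's: S=SYN A=ACK F=FIN R=RST P=PSH U=URG.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<time>\S+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[A-Za-z])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)\s+"
    r"(?:(?P<flags>-[A-Z]+)\s+)?(?P<dir>IN|OUT)"
)


@dataclass(frozen=True)
class IpmonEntry:
    time: str
    iface: str
    rule: str        # "group:rule", e.g. "0:11"
    action: str      # B = blocked, P = passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str       # TCP flag letters without the leading '-', "" if absent
    direction: str   # IN or OUT


def parse_ipmon(line):
    """Return an IpmonEntry for one ipmon line, or None if it is not one."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    return IpmonEntry(
        time=m["time"], iface=m["iface"], rule=f"{m['group']}:{m['rule']}",
        action=m["action"].upper(), src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), proto=m["proto"].lower(),
        flags=(m["flags"] or "-").lstrip("-"), direction=m["dir"],
    )


def parse_log(text):
    """Parse every ipmon line in a block of log text, skipping other lines."""
    return [e for e in (parse_ipmon(ln) for ln in text.splitlines()) if e]


def unexpected_reply_sources(entries, client_ip, contacted):
    """(src, sport) pairs that answered client_ip although the client only
    ever connected to the addresses in `contacted`. A non-empty result means
    something between the peers rewrote the destination."""
    return sorted({(e.src, e.sport) for e in entries
                   if e.dst == client_ip and e.src not in contacted})


def blocked_resets(entries):
    """Blocked TCP segments carrying RST: replies the local filter has no state for."""
    return [e for e in entries
            if e.action == "B" and e.proto == "tcp" and "R" in e.flags]


# First three lines are quoted from the thread; the fourth is constructed
# (the client's own SYN toward the intended address, rule number invented).
SAMPLE_LOG = """\
Oct 21 11:09:33 m0n0wall ipmon[71]: 11:09:33.183888 sis0 @0:11 B 192.168.2.2,443 -> 192.168.1.5,33638 PR tcp len 20 40 -AR IN
Oct 21 11:09:36 m0n0wall ipmon[71]: 11:09:36.182348 sis0 @0:11 B 192.168.2.2,443 -> 192.168.1.5,33638 PR tcp len 20 40 -AR IN
Oct 21 11:09:42 m0n0wall ipmon[71]: 11:09:42.182511 sis0 @0:11 B 192.168.2.2,443 -> 192.168.1.5,33638 PR tcp len 20 40 -AR IN
Oct 21 11:10:05 m0n0wall ipmon[71]: 11:10:05.000001 sis0 @0:3 P 192.168.1.5,33640 -> 192.168.2.1,443 PR tcp len 20 60 -S OUT
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    client, intended = "192.168.1.5", {"192.168.2.1"}
    for src, sport in unexpected_reply_sources(entries, client, intended):
        print(f"{client} got replies from {src}:{sport}, which it never contacted")
    print(f"{len(blocked_resets(entries))} blocked RST segments (no matching state)")
```

Run against the thread's lines it reports 192.168.2.2:443 as an uncontacted reply source and three blocked resets; feeding it a log from a tunnel where the DNAT rules have been removed should yield an empty list, which makes the script a quick before/after check when adjusting the inbound NAT configuration.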


-----------------------------------------------
MISSION STATEMENT 
-----------------------------------------------
Oce enables its customers to manage their documents efficiently and
effectively by offering innovative print and document management products
and services for professional environments.

-----------------------------------------------
DISCLAIMER 
-----------------------------------------------
This e-mail message and any attachment are intended for the sole use of the
recipient(s) named above and may contain information which is confidential
and/or protected by intellectual property rights.
Any use of the information contained herein (including, but not limited to,
total or partial reproduction, communication or distribution in any form) by
other persons than the designated recipient(s) is prohibited.

If you have received this e-mail in error, please notify the sender either
by telephone (0032-2-729.48.11) or by e-mail and delete the material from
any computer.
Oce-Belgium/Oce-Interservices is not responsible for the correct and
complete transfer of the contents of the sent e-mail, nor for its
receipt in due time. This e-mail message does not bring about a contractual
obligation for Oce-Belgium/Oce-Interservices.

Thank you for your cooperation.

For further information about Oce-Belgium/Oce-Interservices please see our
website at www.oce.be

-----------------------------------------------