 From:  Ben Lutgens <blutgens at us dash admins dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  DNAT rules breaks IPSec tunneled traffic to same services on diff hosts.
 Date:  21 Oct 2003 11:11:50 -0500
When you have Destination NAT rules set up, it seems you can no longer
access services that you have NAT'd on _OTHER_ hosts when coming in via
IPSec. Weird eh.

So my network is 192.168.1.0/26 and on the other side of a tunnel is
192.168.2.0/26. On the remote gateway (m0n0 of course) I have some NAT
rules which push services through to 192.168.2.2. These include ssh,
http, https etc etc. When I try to ssh through the IPSec tunnel to say
192.168.2.10, I see some packet logs on my end which show me that the
remote mono box is trying to NAT those packets to 192.168.2.2. For some
reason it fails (which is odd since I can ssh to the external ip of the
mono box and I'm good). My packet filter rules are all correct, and if I
_remove_ those DNAT rules and then try to ssh to any host on the other
side of the tunnel it works fine.

This also affects being able to access the web interface via the IPSec
tunnel. Obviously people want to be able to run webservers behind their
m0n0 gateway, and may need to access the web interface (since there's no
SSH to m0n0) to make config changes.

Here are some packet logs when trying to access the remote m0n0 box's
web interface via the IPSec tunnel.

my IP == 192.168.1.5
the remote mono internal ip == 192.168.2.1
https is set up as an Inbound NAT rule on the remote mono box to go to
192.168.2.2 and these logs are from the LOCAL m0n0 box (192.168.1.1)

Oct 21 11:09:33 m0n0wall ipmon[71]: 11:09:33.183888 sis0 @0:11 B 192.168.2.2,443 -> 192.168.1.5,33638 PR tcp len 20 40 -AR IN
Oct 21 11:09:36 m0n0wall ipmon[71]: 11:09:36.182348 sis0 @0:11 B 192.168.2.2,443 -> 192.168.1.5,33638 PR tcp len 20 40 -AR IN
Oct 21 11:09:42 m0n0wall ipmon[71]: 11:09:42.182511 sis0 @0:11 B 192.168.2.2,443 -> 192.168.1.5,33638 PR tcp len 20 40 -AR IN
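As an added example (not part of the original post or of m0n0wall), a small parser for ipmon lines like the ones above that flags the symptom described: TCP resets arriving from the inbound-NAT target (192.168.2.2) on a NAT'd service port when the client actually addressed a different host over the tunnel (192.168.2.1). The sample input is the post's three log lines rejoined onto one line each; the set of NAT'd ports (ssh, http, https) is an assumption taken from the prose.

```python
import re
from collections import namedtuple

# Constructed sample input: the three ipmon lines quoted in the post, one record per line.
SAMPLE_LOG = """\
Oct 21 11:09:33 m0n0wall ipmon[71]: 11:09:33.183888 sis0 @0:11 B 192.168.2.2,443 -> 192.168.1.5,33638 PR tcp len 20 40 -AR IN
Oct 21 11:09:36 m0n0wall ipmon[71]: 11:09:36.182348 sis0 @0:11 B 192.168.2.2,443 -> 192.168.1.5,33638 PR tcp len 20 40 -AR IN
Oct 21 11:09:42 m0n0wall ipmon[71]: 11:09:42.182511 sis0 @0:11 B 192.168.2.2,443 -> 192.168.1.5,33638 PR tcp len 20 40 -AR IN
"""

# IPFilter ipmon layout after the syslog prefix:
#   <time> <iface> @<group:rule> <B|P|L> <src>,<sport> -> <dst>,<dport> PR <proto> len <hdr> <total> [<tcpflags>] <IN|OUT>
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s(?P<time>[\d:.]+)\s(?P<iface>\S+)\s@(?P<rule>\d+:\d+)\s(?P<action>[BPL])\s"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s->\s(?P<dst>[\d.]+),(?P<dport>\d+)\s"
    r"PR\s(?P<proto>\w+)\slen\s\d+\s\d+(?:\s(?P<flags>-[A-Z]+))?\s(?P<direction>IN|OUT)"
)

IpmonRecord = namedtuple(
    "IpmonRecord", "time iface rule action src sport dst dport proto flags direction")

def parse_ipmon(text):
    """Parse ipmon log text into IpmonRecord tuples; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = IPMON_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        d["flags"] = d["flags"] or ""          # non-TCP records carry no flag field
        records.append(IpmonRecord(**d))
    return records

def find_misdirected_replies(records, addressed_host, nat_target, nat_ports):
    """Return replies that come back from the inbound-NAT target instead of the host
    the client addressed over the tunnel: TCP with RST set, sourced from nat_target on
    one of the NAT'd service ports.  That is the footprint of DNAT rewriting tunnel
    traffic that was meant for another host."""
    return [r for r in records
            if r.proto == "tcp" and r.src == nat_target and r.src != addressed_host
            and r.sport in nat_ports and "R" in r.flags]

if __name__ == "__main__":
    recs = parse_ipmon(SAMPLE_LOG)
    for r in find_misdirected_replies(recs, "192.168.2.1", "192.168.2.2", {22, 80, 443}):
        print(f"{r.time} rule @{r.rule} {r.action}: reply from {r.src}:{r.sport} "
              f"to {r.dst}:{r.dport} flags {r.flags} (client addressed 192.168.2.1)")
```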