Author: Wolfgang Kueter (Guest)
Posted: Wed Nov 23, 2005 5:21 pm
Post subject: Re: Connection to SonicWall VPN through Linux IPTABLES Firew
On Tue, 22 Nov 2005 16:27:01 -0800, ajkessel wrote:
> Those are not really helpful suggestions.
Terminating an IPsec tunnel on a public routable IP, thus avoiding NAT
traversal, is always a step in the right direction. If for whatever reason
you can't follow that general advice, it is a pity for you that will often
result in a long time to get such a setup running.
> Moreover, corporate policy would prohibit the arrangement you suggest.
Well, actually I'm a bit uncertain about your setup because you never
made it clear, so I'll ask to avoid confusion.
Do we have something like

a)

   corporate side                          your side
                                             LanB              LanC
   LanA---sonicwall---internet---Linux---------sonicwall------PC_2
                                   |                 |
                                   +---PC_1          +--PC_3

Sample addresses:
   LanA: 192.168.0.0/24
   LanB: 192.168.1.0/24
   LanC: 192.168.2.0/24
with
   Linux eth0 aaa.bbb.ccc.ddd (external, public, routable)
   Linux eth1 192.168.1.1
   PC_1: 192.168.1.3
   sonicwall Gateway: 192.168.1.2 (external, private, non routable)
   sonicwall Gateway: 192.168.2.1 (internal, private, non routable)
   PC_2: 192.168.2.2
   PC_3: 192.168.2.3
and you want the tunnel to be built by a sonicwall gateway (external
IP assumed to be 192.168.1.2) on your side between the networks
192.168.0.0/24 and 192.168.2.0/24?
OR

b)

Does some computer in your network run some sonicwall VPN client software
and the setup looks like this:

   corporate side                          your side
                                             LanB
   LanA---sonicwall---internet---Linux---PC running sonicwall VPN-client SW

Sample addresses:
   LanA: 192.168.0.0/24
   LanB: 192.168.1.0/24
with:
   Linux eth0 aaa.bbb.ccc.ddd (external, public, routable)
   Linux eth1 192.168.1.1
   PC running sonicwall VPN-client SW: 192.168.1.2
and you want the tunnel to be created between the single PC and the
gateway on the other side?
> When I was using a black box DSL router, the NAT traversal worked fine
> with no special configuration. With netfilters, packets are being
> dropped in between mangle PREROUTING and nat PREROUTING even though the
> connection shows up as tracked under /proc/net/ip_conntrack.
Using the mangle table is seldom if ever necessary and in most cases does
more harm than good.
The first thing you'll do is to give me details about your setup (I
did already most of your homework, for some ASCII drawings see above).
After that tell me where to send the invoice, give me root access to that
Linux box and approximately 30 minutes, OK, maybe I might need 1 hour.
While setup b will certainly be not much fun, setup b will even be
more difficult ...
Hourly rate upon request.
Wolfgang
Author: Wolfgang Kueter (Guest)
Posted: Wed Nov 23, 2005 5:21 pm
Post subject: Re: Connection to SonicWall VPN through Linux IPTABLES Firew
On Wed, 23 Nov 2005 08:20:56 -0800, ajkessel wrote:
> I've spoken with some very knowledgeable and helpful people who have
> helped me isolate the problem to the packets disappearing before they
> enter the nat table but haven't been able to figure out why. I'm
> hoping to figure out the next step.
Well, OK, have fun, as long as the sonicwall client does standard NAT-T
(actually I'd not call such crap like NAT-T 'standard') I need about
15 minutes to set that up.
You need a little longer ...
Wolfgang

Author: Guest
Posted: Wed Nov 23, 2005 5:21 pm
Post subject: Re: Connection to SonicWall VPN through Linux IPTABLES Firew
> b)
> Does some computer in your network run some sonicwall VPN client software
> and the setup looks like this:
>
>    corporate side                          your side
>                                              LanB
>    LanA---sonicwall---internet---Linux---PC running sonicwall VPN-client SW
That is my set-up, as I indicated in Nov 2, 9:47 am posting. There is
only one Windows client, at a static NAT address, in the LAN behind the
Linux NAT box, that needs to connect with the SonicWall server on the
corporate side.
> Using the mangle table is seldom if ever necessary and in most cases does
> more harm than good.
I was using the mangle table to log packets, nothing else. I have
established, with tcpdump and a LOG target in the mangle table, that
packets successfully go from the home client to the NAT box on the
Internet, then from the NAT box to the corporate server; and then are
received back from the corporate server to the NAT box, but disappear
somewhere in between mangle PREROUTING and the nat table. They are
never sent out again on the inward facing ethernet interface. I don't
see how logging in the mangle table does "more harm than good."
> While setup b will certainly be not much fun, setup b will even be
> more difficult ...
I'm not sure which setup you mean is more difficult?
> After that tell me where to send the invoice, give me root access to that
> Linux box and approximately 30 minutes, OK, maybe I might need 1 hour.
> Hourly rate upon request.
I think you're missing the point. I am trying to learn something about
netfilters/iptables and packet routing. If I just wanted a solution, I
would put my Buffalo router back in place because it was working fine.
I posted to this newsgroup and the netfilters email list to try to work
out the problem so I have a better understanding of how this stuff
works and I can help others for free in the future (see, e.g.,
<http://adam.rosi-kessel.org/linux>.)
I've spoken with some very knowledgeable and helpful people who have
helped me isolate the problem to the packets disappearing before they
enter the nat table but haven't been able to figure out why. I'm
hoping to figure out the next step.
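As an added example (not code from either poster), here is a dry-run rule builder for setup b above: one VPN client behind a Linux NAT box reaching a remote IPsec gateway with IKE on UDP/500 and NAT-T on UDP/4500, plus LOG rules placed at hooks that see every packet of a flow. The interface names, the client and peer addresses, and the `IPT` dry-run wrapper are assumptions.

```shell
#!/bin/sh
# Added example (not the posters' code). Builds netfilter rules for setup b:
# one VPN client (CLIENT) behind a Linux NAT box (WAN/LAN) talking to a remote
# IPsec gateway (PEER) with IKE (UDP/500) and NAT-T (UDP/4500).
# IPT defaults to a dry run that prints the commands instead of applying them.
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"                 # external, public interface (assumed)
LAN="${LAN:-eth1}"                 # internal interface (assumed)
CLIENT="${CLIENT:-192.168.1.2}"    # PC running the VPN client (constructed)
PEER="${PEER:-203.0.113.10}"       # corporate gateway (documentation address)

vpn_passthrough_rules() {
    # Masquerade the client's traffic leaving the public interface; conntrack
    # reverses the translation for replies on the same UDP 4-tuple.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$CLIENT" -j MASQUERADE
    # Let tracked flows pass in both directions through the FORWARD chain.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Let the client open IKE and NAT-T (UDP/500 and UDP/4500) to the peer only.
    for port in 500 4500; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$CLIENT" -d "$PEER" \
            -p udp --dport "$port" -j ACCEPT
    done
    # Plain ESP (protocol 50) is only used when NAT-T is not negotiated,
    # but it is harmless to allow it outbound to the peer.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$CLIENT" -d "$PEER" -p esp -j ACCEPT
}

vpn_trace_rules() {
    # Diagnostics: the nat table is consulted only for the FIRST packet of a
    # tracked flow, so a LOG rule in nat PREROUTING never sees reply packets.
    # These LOG rules live in the mangle table, which sees every packet, one
    # rule per hook, so the last prefix that appears shows where a reply died.
    # A packet logged at PREROUTING but not at FORWARD was discarded by the
    # routing decision (no route, or rp_filter), not by a filter rule.
    $IPT -t mangle -A PREROUTING -i "$WAN" -s "$PEER" -p udp --sport 4500 \
        -j LOG --log-prefix "natt-in-prerouting: "
    $IPT -t mangle -A FORWARD -s "$PEER" -p udp --sport 4500 \
        -j LOG --log-prefix "natt-forward: "
    $IPT -t mangle -A POSTROUTING -o "$LAN" -s "$PEER" -p udp --sport 4500 \
        -j LOG --log-prefix "natt-out-postrouting: "
}

vpn_passthrough_rules
vpn_trace_rules
```

Run it as root with `IPT=iptables` to apply the rules for real; the default just prints them for review.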