This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN though a NATed Address

Hi Toghether

i've got a bit a complicated setup. one of our partners like to have our traffic NATed and VPNed though one of their Address.

setup is as following:

[FONT="Courier New"]
Our Phys IP: 212.249.30.114
their phys IP: 212.249.30.113
their gateway: 212.249.30.113
their VPN GW: 212.190.80.140
their server: 212.190.80.137

our server: 212.55.190.140 (fw interface is 212.55.190.129)
our 'bogus' IP assigned from our partner: 195.129.120.33
[/FONT]

since this is a dedicated route to them (we have another ISP with default route) i just added static routes to the whole 212.190.80.0/24 setup. Physical Setup and logical setup works fine. i can reach their VPN GW and server as expected.

but they want to have our traffic encrypted since we're using a plaintext application. and in order to route our traffic back to us they want us to send them our traffic NATed through our bogus IP

the VPN setup looks like this and comes up as expected:

[FONT="Courier New"]
195.129.120.33--212.249.30.114212.190.80.140---212.190.80.137
(bogus IP)-----(our Iface)(their VPN)------(des.srv)[/FONT]

now so that our server can reach their server through the VPN i added a NAT rule which say's:
[FONT="Courier New"]From: 212.55.190.140 Service ALL
Dest.: 212.190.80.137
SNAT: 195.129.120.33
DNAT: None
Service Tranlation: None[/FONT]

which should translate the SourceIP 212.55.190.140 to our bogusip, 195.129.120.33.
this works fine. but when i do a traceroute from our server is see too many hops between.

what i expected to see:
[FONT="Courier New"]1 - 212.55.190.129 (our Firewall)
2 - 212.190.80.137 (their server)[/FONT]

what i see:
[FONT="Courier New"]1 - 212.55.190.129 (our Firewall)
2 - 212.249.30.113 (their gateway)
3 - some router
4 - some router
5 - some router
6 - some router
7 - timeout
8 - timeout
9 - timeout
...[/FONT]

so. i expected to have max 3 hosts since we're going through the tunnel and the TTL shouldn be decreased since my packets arent altered between the two VPN endpoints.
but what i actually see is the complete route with every router between our and their VPN endpoints.

so my concrete question:
could it be that the VPN rule takes place before the NAT rule?
The VPN sees that the packet doesn't match the parameters for routing this packet though the VPN and give's it further. then the NAT rule is applied and the packet is sent as usual plain out to the interface.

when yes, how can i force that our server's packets are NATed BEFORE the VPN, an then send through the VPN?
changing our server's IP address is not an option since we running there a complex setup as well.

any help would be appreciated

cheers
josh

This thread was automatically locked due to age.

Parents

0 Krischeu over 19 years ago

i am using vpn-tunnel to connect some networks together.
Here was no nat configured. there were no need to do so.
the vpn/router is doing all for me.
my internal networks:
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Krischeu over 19 years ago

i am using vpn-tunnel to connect some networks together.
Here was no nat configured. there were no need to do so.
the vpn/router is doing all for me.
my internal networks:
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 maldex over 19 years ago in reply to Krischeu

yeah, i've a couple of Astaro's linked together with VPN. it's just that easy with astaro [:)]

i used to do similar setups on SonicWall, and there you got a page just concerning NAT for this tunnel....

according to astaro internals, the VPN rules do take first place, and then NAT. so it's impossible to do what we want to do.

does anyone have an alternative idea how we can solve this without using a second device?

cheers
josh
Cancel
Vote Up 0 Vote Down

Cancel
0 maldex over 19 years ago in reply to maldex

just for the records: got it

RTFM makes the life easier sometimes:

according to the Tunnel-help
[FONT="Arial"]Strict Routing: If strict routing is enabled, then VPN routing is done according to source and destination IP address (instead of only destination IP address). In this case, only those packets exactly matching the VPN tunnel definition are routed into the VPN tunnel. As a consequence, you cannot use SNAT to add networks or hosts to the VPN tunnel, that are originally not part of the tunnel definition. On the other hand, without strict routing, you cannot have a mixed unencrypted/encrypted setup to the same network from different source addresses. Strict routing can only be disabled for Standard IPSec connections. For all other connections, strict routing is automatically selected. [/FONT]

in my case, the originally host is NOT part of the tunnel description, but becomes it through NAT.

so a disabled strict routing and now it works. when i do tracerouting i got this...as expected:

[FONT="Courier New"]traceroute to 212.190.80.137 (212.190.80.137), 30 hops max, 38 byte packets
1  212.55.190.129  0.253 ms  0.109 ms  0.117 ms
2  * * *
3  212.190.80.137  21.200 ms  20.969 ms  20.976 ms[/FONT]

juhuuu

cheers
josh
Cancel
Vote Up 0 Vote Down

Cancel