Iptables netmap example
First of all, is a constellation like the picture even possible? Can I add multiple distinct IPSec routers behind a single IPFire, while IPFire itself is also handling IPSec tunnels? We need to do this, because some of our customers want to use their preconfigured hardware to establish IPSec tunnels.

I am thinking about a CUSTOMPREROUTING and CUSTOMPOSTROUTING rule in firewall.local to redirect traffic from Customer2 and Customer3 to the corresponding IPSec router. I tried this already in a test case, but it didn't work.

Firewall rule RED -> Red (firewall): allow all (just to test)
Network RED -> redirect all to IPSec router (just to test)
Image (new users can only post one image…):

That didn't work, the router couldn't establish an IPSec link with a timeout error. Then I tried adding custom iptables rules:

iptables -t nat -A CUSTOMPREROUTING -i red0 -s <Customer> -j DNAT --to-destination <IPSec-Router>
iptables -t nat -A CUSTOMPOSTROUTING -o red0 -d <Customer> -j SNAT --to-source <IPSec-Router>

That didn't work either, the rules didn't even get a hit when I looked in the iptables tab in the web UI. So my question is: "how can I redirect IPSec traffic from a specific IP address / customer while IPFire is also handling IPSec itself?"

My second question is, how does IPSec with a virtual network work in IPFire? We have one customer, customer1 in the first image, who uses a "virtual transfer network" for the IPSec tunnel. Note that Local subnet is NOT our 10.0.0.0/24 office network. "Local subnet" MUST be the "virtual network", or else the link doesn't establish. The target IPSec device is a Cisco device. The link does come up, but IPFire can't route packets through it; traceroute tells me either "Target network not reachable" or "send not allowed". I also tried several things with custom iptables rules to SNAT the packets to the right IPs, but to no avail. How can I route traffic through an IPSec tunnel if the customer demands a different local subnet in the IPSec tunnel than we physically have in our network?

Thanks for reading, and thanks for potentially helping me out!

What is a "virtual" network? Aren't they all quite virtual?

Basically what I was trying to explain is that the customer IPSec tunnel expects a different IP than we have configured for our IPFire router. So we'd need to NAT between GREEN and the target customer network. We use private IPs in the subnet 10.0.0.0/24 for our office. However, the IPSec router of the customer expects IPFire to behave as if the packets are coming from an IP within 172.0.0.0/29, let's say 172.0.0.1. Our current IPSec router, a Lancom device, allows us to configure that within the IPSec settings. In IPFire, in the IPSec settings, we need to set "local subnet" to 172.0.0.0/29, but then it seems as if a route from 10.0.0.0/24 (GREEN) to 172.0.0.0/29 is missing. Now, this "virtual" 172.0.0.0/29 isn't even the target customer network; that would be yet another network, for example 160.0.0.0/24.

FROM (Green) NAT TO 172.0.0.1 (customer network) <- target machine 160.0.0.x

I am currently reading into NETMAP, if that's the correct solution for our problem.

Event 160.x.y.z is a public network, not a private one…

Here is a (German) thread about a similar problem, they also couldn't get it to work:

It's not like we are content with how the network is structured. Those are the requirements of our customers. We sadly have no say in either the topology or the address spaces.

Do you have a suggestion on how things should be restructured? We require IPSec tunnels to those customers, and we either take whatever configuration and hardware they give us or we simply won't get a tunnel.
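The following script is an added example, not code from the thread or from the IPFire project. It shows the NETMAP/SNAT approach the poster is reading into: GREEN hosts are rewritten into the customer-imposed "virtual" local subnet before the IPsec policy lookup, so the SA selector 172.0.0.0/29 <-> 160.0.0.0/24 matches. All addresses are assumptions chosen to match the thread's numbers (GREEN 10.0.0.0/24, virtual subnet 172.0.0.0/29, customer network 160.0.0.0/24, plus a hypothetical peer 203.0.113.10), and the script assumes the IPsec connection in IPFire is configured with local subnet 172.0.0.0/29 and remote subnet 160.0.0.0/24. The helper netmap_addr reproduces what the NETMAP target does to a single address, which makes the caveat visible: a /24 cannot be mapped 1:1 into a /29, so the example maps a /30 slice 1:1 and gives every other GREEN host one shared address via SNAT.

```shell
#!/bin/sh
# Added example, not from the forum thread above. Assumed (hypothetical) addresses:
#   GREEN_NET    10.0.0.0/24   real office network
#   VIRTUAL_NET  172.0.0.0/29  local subnet the customer insists on seeing in the SA
#   CUSTOMER_NET 160.0.0.0/24  network behind the customer's IPsec device
#   PEER         203.0.113.10  customer's IPsec gateway (documentation address)
# CUSTOMPREROUTING/CUSTOMPOSTROUTING are the nat-table hooks firewall.local fills.
GREEN_NET=10.0.0.0/24
VIRTUAL_NET=172.0.0.0/29
CUSTOMER_NET=160.0.0.0/24
PEER=203.0.113.10
NETMAP_SRC=10.0.0.4/30   # four GREEN hosts that must stay individually addressable
NETMAP_DST=172.0.0.4/30  # their 1:1 images inside the virtual /29
SNAT_ADDR=172.0.0.1      # shared virtual address for every other GREEN host
DRY_RUN=${DRY_RUN:-1}    # 1 = print the rules, 0 = really call iptables (needs root)

ip2int() {               # dotted quad -> integer
    saved_ifs=$IFS; IFS=.; set -- $1; IFS=$saved_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}
int2ip() {               # integer -> dotted quad
    echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# What the NETMAP target does to one address: the host bits are kept and the
# network bits are replaced by those of the --to prefix; the prefix length of
# --to decides how many host bits survive.
netmap_addr() {          # netmap_addr <ip> <net/len>  ->  mapped ip
    len=${2#*/}
    hostmask=$(( (1 << (32 - len)) - 1 ))
    net=$(ip2int "${2%/*}"); src=$(ip2int "$1")
    int2ip $(( (net & ~hostmask) | (src & hostmask) ))
}

# NETMAP is only 1:1 when the source prefix is no wider than the target prefix.
# 10.0.0.0/24 into 172.0.0.0/29 would fold 32 GREEN hosts onto each virtual address.
netmap_is_one_to_one() {  # netmap_is_one_to_one <src net/len> <dst net/len>
    [ "${1#*/}" -ge "${2#*/}" ]
}

ipt() {                  # print or apply one iptables rule
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

install_rules() {
    # No '-m policy' on the outbound rules: at POSTROUTING the policy lookup was
    # done with the untranslated 10.0.0.x source, which matches no SA selector, so
    # a policy match would never fire. After the NAT the kernel redoes the xfrm
    # lookup with the new source, and that is what makes the 172.0.0.x selector hit.
    # Most specific rule first: the nat table only sees the first packet of a flow.
    ipt -t nat -A CUSTOMPOSTROUTING -s "$NETMAP_SRC" -d "$CUSTOMER_NET" \
        -j NETMAP --to "$NETMAP_DST"
    ipt -t nat -A CUSTOMPOSTROUTING -s "$GREEN_NET" -d "$CUSTOMER_NET" \
        -j SNAT --to-source "$SNAT_ADDR"
    # Customer-initiated connections to the 1:1 slice arrive decrypted with a
    # 172.0.0.4/30 destination; map them back. Replies to GREEN-initiated flows
    # are reversed by conntrack and need no rule.
    ipt -t nat -A CUSTOMPREROUTING -m policy --dir in --pol ipsec --mode tunnel \
        --tunnel-src "$PEER" -s "$CUSTOMER_NET" -d "$NETMAP_DST" \
        -j NETMAP --to "$NETMAP_SRC"
}

# Stand-alone run: show why the whole /24 cannot go into the /29 (10.0.0.5 and
# 10.0.0.13 would both become 172.0.0.5), then print or apply the rules.
for h in 10.0.0.5 10.0.0.6 10.0.0.13 10.0.0.200; do
    echo "$h -> $(netmap_addr "$h" "$VIRTUAL_NET")  (if the whole /24 were NETMAPped to the /29)"
done
install_rules
```

Run it as is to see the generated rules, or with DRY_RUN=0 as root to apply them from firewall.local. The rule order matters: the 1:1 slice must precede the catch-all SNAT, and the shared SNAT address was chosen outside the NETMAPped /30 so the two mappings never claim the same virtual address.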