Sophos User Bulletin Board

#1 - 06-12-2012, 02:19 PM
SNAT from one IPSec Tunnel to another

Hello, guys!

We have one task that we have not been able to complete for the past few days. We have an Astaro Virtual Appliance with a lot of IPSec tunnels. For this task we are dealing with only two of them.

Astaro Internal Network: 192.168.12.0/24

IPSec1:
Local net: 192.168.12.0/24
Remote net: 192.168.50.0/23

IPSec2:
Local net: 192.168.12.0/24
Remote net: 172.21.8.0/23

We need to NAT traffic from 192.168.50.0/23 to 172.21.8.0/23 with the IP 192.168.12.1.

I have added the network 172.21.8.0/23 to IPSec1 as a Local net to permit these packets to pass.

After that, I created an SNAT rule:
Traffic Source: 192.168.50.0/23
Traffic Service: Any
Traffic Destination: 172.21.8.0/23
Type: SNAT
Source: 192.168.12.1
"Rule applies to IPsec packets" selected

But I cannot see any translation while pinging or telnetting.

For testing, I cloned this SNAT rule and changed Traffic Source to another local network on the Astaro: 192.168.160.0/24.
Everything works correctly with this network: 192.168.160.0/24 is NATed to 192.168.12.1 and then sent on to 172.21.8.0/23. I see the NAT translations on the Astaro:

Proto   NATed Address   Destination Address   State
icmp    192.168.160.1   172.21.8.210

So the SNAT rule doesn't change its behaviour regardless of whether "Rule applies to IPsec packets" is turned on or off.

Please help, it's very important for us.
#2 - BAlfson, 06-12-2012, 03:11 PM
Hi, sysiq, and welcome to the User BB!

That looks like it should work. It shouldn't make any difference, but what happens if you add 192.168.50.0/23 to the remote networks in IPsec 2?

In any case, I think you should ask your reseller to open a support ticket with Astaro/Sophos containing your post above.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
SCA/UTM - Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!
#3 - 06-12-2012, 03:30 PM
Bob, we have a lot of networks and it is a little bit strange to give all of them to our customers. Customers should see one network, and they should see no other networks. Otherwise, our developers, support teams and other staff would have to see all the customers' networks.
#4 - BAlfson, 06-12-2012, 04:06 PM
I agree, but that experiment might help us understand where the error is.

Do you have 'Strict Routing' selected for either or both IPsec tunnels?

Cheers - Bob
#5 - 06-12-2012, 05:31 PM
No, strict routing is disabled, per the manual:
Quote:
Strict Routing: If strict routing is enabled, VPN routing is done according to source and destination IP address (instead of only destination IP address). In this case, only those packets exactly matching the VPN tunnel definition are routed into the VPN tunnel. As a consequence, you cannot use SNAT to add networks or hosts to the VPN tunnel that are originally not part of the tunnel definition. On the other hand, without strict routing, you cannot have a mixed unencrypted/encrypted setup to the same network from different source addresses.
Should it be enabled?
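The selector logic that the quoted manual text and the setup in post #1 are describing can be traced on paper. The following is an added illustration, not code from the thread or from Astaro/Sophos: it is a simplified model of policy-based IPsec in which a decrypted packet must match the ingress tunnel's selectors (source in the remote networks, destination in the local networks), SNAT is then applied, and the egress tunnel is chosen by destination only, or by source and destination when strict routing is on. The ordering (SNAT before the egress lookup), the class and function names, and the "applies_to_ipsec" switch standing in for the "Rule applies to IPsec packets" checkbox are all assumptions of the model; it shows why the 192.168.160.0/24 test works and why 172.21.8.0/23 had to be added to IPsec1, but it does not explain why the poster's translations never appeared.

```python
"""Simplified model of policy-based IPsec selector matching with SNAT.

Constructed for this thread: it encodes the two tunnels and SNAT rules the poster
listed and the strict-routing semantics quoted from the manual. It is not Astaro
code; the order of operations (SNAT before the tunnel lookup) is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr)


def addr(ip: str) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(ip)


@dataclass
class Tunnel:
    name: str
    local: List[ipaddress.IPv4Network]   # "Local networks" of the IPsec connection
    remote: List[ipaddress.IPv4Network]  # "Remote networks"


@dataclass
class SnatRule:
    traffic_src: ipaddress.IPv4Network
    traffic_dst: ipaddress.IPv4Network
    new_src: ipaddress.IPv4Address
    applies_to_ipsec: bool = True  # models the "Rule applies to IPsec packets" checkbox


# The setup from post #1, including 172.21.8.0/23 added to IPsec1's local networks
# and the cloned rule for 192.168.160.0/24 used in the poster's test.
TUNNELS = [
    Tunnel("IPsec1", [net("192.168.12.0/24"), net("172.21.8.0/23")], [net("192.168.50.0/23")]),
    Tunnel("IPsec2", [net("192.168.12.0/24")], [net("172.21.8.0/23")]),
]
SNAT_RULES = [
    SnatRule(net("192.168.50.0/23"), net("172.21.8.0/23"), addr("192.168.12.1")),
    SnatRule(net("192.168.160.0/24"), net("172.21.8.0/23"), addr("192.168.12.1")),
]


def in_any(ip, nets) -> bool:
    return any(ip in n for n in nets)


def inbound_accepted(tunnel: Tunnel, src, dst) -> bool:
    # A decrypted packet is only accepted if it matches the tunnel's selectors:
    # source inside the remote networks, destination inside the local networks.
    # This is why the poster had to add 172.21.8.0/23 to IPsec1's local networks.
    return in_any(src, tunnel.remote) and in_any(dst, tunnel.local)


def apply_snat(rules: List[SnatRule], src, dst, from_ipsec: bool):
    for r in rules:
        if from_ipsec and not r.applies_to_ipsec:
            continue  # rule may not touch packets that came out of a tunnel
        if src in r.traffic_src and dst in r.traffic_dst:
            return r.new_src
    return src


def select_tunnel(tunnels: List[Tunnel], src, dst, strict_routing: bool) -> Optional[str]:
    # Manual text: without strict routing the lookup keys on destination only;
    # with strict routing the source must also lie in the tunnel's local networks.
    for t in tunnels:
        if in_any(dst, t.remote) and (not strict_routing or in_any(src, t.local)):
            return t.name
    return None


def forward(src: str, dst: str, tunnels=TUNNELS, rules=SNAT_RULES,
            ingress: Optional[str] = None, strict_routing: bool = False) -> Dict[str, object]:
    """Trace one packet: optional inbound selector check, SNAT, then egress tunnel choice."""
    s, d = addr(src), addr(dst)
    if ingress is not None:
        t_in = next(t for t in tunnels if t.name == ingress)
        if not inbound_accepted(t_in, s, d):
            return {"status": "dropped-inbound", "egress": None, "src": str(s)}
    nat_src = apply_snat(rules, s, d, from_ipsec=ingress is not None)
    egress = select_tunnel(tunnels, nat_src, d, strict_routing)
    if egress is None:
        return {"status": "no-tunnel", "egress": None, "src": str(nat_src)}
    t_out = next(t for t in tunnels if t.name == egress)
    # Being routed into a tunnel is not enough: the peer only accepts sources that
    # lie inside the local networks negotiated with it, hence the need for SNAT.
    ok = in_any(nat_src, t_out.local)
    return {"status": "in-tunnel" if ok else "in-tunnel-but-outside-selectors",
            "egress": egress, "src": str(nat_src)}


if __name__ == "__main__":
    print("LAN test  :", forward("192.168.160.5", "172.21.8.210"))
    print("via IPsec1:", forward("192.168.50.5", "172.21.8.210", ingress="IPsec1"))
    no_snat = [SnatRule(net("192.168.50.0/23"), net("172.21.8.0/23"),
                        addr("192.168.12.1"), applies_to_ipsec=False)]
    print("no SNAT   :", forward("192.168.50.5", "172.21.8.210", rules=no_snat, ingress="IPsec1"))
```

Running it traces the three cases from the thread: the host in 192.168.160.0/24 is translated to 192.168.12.1 and lands in IPsec2; a packet that arrived through IPsec1 from 192.168.50.0/23 passes the inbound check only because 172.21.8.0/23 is in IPsec1's local networks, and then needs the SNAT to present a source IPsec2's peer will accept; with the rule not applying to IPsec packets the untranslated source either leaves through IPsec2 outside its selectors (no strict routing) or finds no tunnel at all (strict routing).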
#6 - BAlfson, 06-12-2012, 08:51 PM
Everything sounds correct.

After Astaro/Sophos Support figures this out, please post the answer back here.

Cheers - Bob