Forwarding traffic from IPsec tunnel


-2

Setup: IPsec tunnel between Router (192.168.50.1) and Linux host computer (192.168.50.10).

I want to forward the traffic (that arrived through the tunnel to the host computer) from the host computer to the outer network.

Setting ip_forward=1 didn't help.

Any ideas?

2012-04-05 18:40
by user1316037


0

Are you sure it's not a routability issue? Both sides of your tunnel are RFC-1918 address space (so-called private address space), which would not be understood by host computers in the "outer network". You may need to NAT the traffic at the router.

If you don't think that's the issue, try dumping the traffic (with tcpdump) to see what is actually moving on the wire.

2012-04-05 19:25
by user590028
  • The traffic must pass through the host computer in order to reach the public network.
  • I have another interface with a public IP (10.71.X.X) on the host computer, but I didn't succeed in FORWARDING the traffic from the tunnel to that interface.
    - user1316037 2012-04-05 19:29
  • Sure...but you can't ship out traffic with the source IP of 192.168/16 to the public network. This is reserved address space, and guaranteed by the "powers that be" to never be assigned -- and therefore never part of an ASN. If your reference to "public network" means the Internet, you are going to have to NAT the traffic. - user590028 2012-04-05 19:32
  • Hmm..you cannot have a PUBLIC IP of 10.X.X.X; 10/8 is another RFC-1918 address, and is considered for internal LAN use only. - user590028 2012-04-05 19:34
  • Might want to check out http://www.faqs.org/rfcs/rfc1918.htm - user590028 2012-04-05 19:35
  • By public network, I mean the public company network, not the internet.
  • I want to NAT the traffic; what rule should I apply to do that?
    - user1316037 2012-04-05 19:39
  • Well, that's another kettle of fish. If your corporate network has the correct routing entries (and knows how to reach 192.168.50.x/24), then my answers do not address your underlying problem. But you will want to make sure to check their routing tables. Also, the TCPDUMP command will instantly tell you what's happening at the wire level. As for NAT'ing, that may depend on the particulars of your Linux flavor. Check out this link as a starter: http://www.revsys.com/writings/quicktips/nat.htm - user590028 2012-04-05 19:44
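Added example, not part of the original thread: a POSIX sh script that emits the Linux host rule set the discussion above converges on (ip_forward, a FORWARD rule that accepts only IPsec-decapsulated traffic from the tunnel subnet, and MASQUERADE on the corporate-facing interface so replies return to the host instead of to an unroutable 192.168.50.x source). The interface names eth0/eth1 are assumptions; the tunnel subnet is the one from the question.

```shell
#!/bin/sh
# Constructed example for the setup in the question. Assumed interface names:
#   eth0 = interface where the IPsec tunnel from 192.168.50.1 terminates
#   eth1 = interface holding the 10.71.x.x corporate address
TUNNEL_NET="192.168.50.0/24"
TUNNEL_IF="eth0"
OUT_IF="eth1"

# Emit the rule set as text so it can be reviewed before it is applied.
# ip_forward alone is not enough: the corporate side has no route back to
# 192.168.50.0/24, so the source must be rewritten (MASQUERADE) on the way out.
# "-m policy --dir in --pol ipsec" restricts forwarding to packets that really
# arrived inside the tunnel, not arbitrary cleartext claiming a 192.168.50.x source.
nat_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $TUNNEL_IF -o $OUT_IF -s $TUNNEL_NET -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -i $OUT_IF -o $TUNNEL_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $TUNNEL_NET -o $OUT_IF -j MASQUERADE
EOF
}

# Apply the emitted rules (needs root); "sh -e" stops at the first failing command.
apply_rules() {
  nat_rules | sh -e
}

# Sanity check on the emitted set: forwarding enabled, a FORWARD accept that is
# bound to IPsec policy, and NAT on the outbound interface. Returns 0 when all hold.
check_rules() {
  rules=$(nat_rules)
  echo "$rules" | grep -q 'ip_forward=1' &&
  echo "$rules" | grep -q -- '--pol ipsec' &&
  echo "$rules" | grep -q 'POSTROUTING.*MASQUERADE'
}
```

Review the output of `nat_rules` against the corporate routing tables first: if that network already routes 192.168.50.0/24 back to the host, the MASQUERADE line can be dropped and the FORWARD rules alone suffice.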