
Scenario:

INTERNET --- VPN-Server <----> ROUTER <----> Roadwarrior  <----> Subnet 
             132.1.1.1       192.168.2.1     192.168.2.50       176.168.10.0/24 
                                  |  
                              INTERNET  

VPN-Server: CISCO
Roadwarrior: racoon on linux

I am trying to set up that scenario so that all INTERNET traffic from the Subnet 176.168.10.0/24 passes through the VPN-Server and not through the Router.

So far: I can connect to the VPN-Server through the Roadwarrior. Also all traffic generated on the roadwarrior passes through the VPN-Server to the internet. However the traffic from the Subnet, as routed with the following command, passes through the Router to the internet:

iptables -t nat -A POSTROUTING -s 176.168.10.0/24 -j SNAT --to-source 192.168.2.50

Using the following command no traffic from the subnet is passing to the internet (neither through Router nor through VPN-Server):

iptables -t nat -A POSTROUTING -s 176.168.10.0/24 -j SNAT --to-source 132.1.2.2

(132.1.2.2 is the internal IP assigned to the roadwarrior by the VPN-Server.)

Any ideas?

Roadwarrior:

eth0   192.168.2.50
eth0:1 132.1.2.2
br0    176.168.10.1

ip route list
default via 192.168.2.1 dev eth0  src 132.1.2.2 
132.1.0.0/16 dev eth0  proto kernel  scope link  src 132.1.2.2 
132.1.1.1 via 192.168.2.1 dev eth0 
176.168.10.0/24 dev br0  proto kernel  scope link  src 176.168.10.1 
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.50 
scitech

1 Answer


I found it... The phase1-up.sh script contains at the end the following lines:

#
# XXX This is a workaround for Linux forward policies problem.
# Someone familiar with forward policies please fix this properly.
#
echo "
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any
       -P fwd ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
" | setkey -c

This code has to be commented out, so that the forward policy doesn't get deleted. Then a simple

# -o expects the outgoing interface name (e.g. eth0), not an address
iptables -t nat -A POSTROUTING -o $WAN_IP -j MASQUERADE 

does the trick.

scitech
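The answer turns on whether the `fwd` SPD entry for the tunnel survives phase1-up.sh. A practical way to confirm this after the tunnel comes up is to dump the policy database with `setkey -DP` and check for that entry. The following is an added example, not code from the question, the answer or ipsec-tools: it parses a `setkey -DP` dump (the entry layout assumed here is the ipsec-tools format: an unindented selector line, then an indented direction line and the policy lines) and reports whether a `fwd` policy to the internal address with the expected `esp/tunnel/REMOTE-LOCAL` transform is present. The two dumps embedded below are constructed for the example, using the addresses from the question (internal address 132.1.2.2, VPN-Server 132.1.1.1, roadwarrior 192.168.2.50); `parse_setkey_dp` and `has_fwd_tunnel_policy` are names chosen for this example.

```python
"""Check a `setkey -DP` dump for the IPsec forward (fwd) policy of a tunnel.

Added example; the dump format assumed here is ipsec-tools' SPD dump:
    <src>[port] <dst>[port] <proto>          (unindented selector line)
    \t<in|out|fwd> prio def ipsec            (direction line)
    \tesp/tunnel/<remote>-<local>/require     (one or more policy lines)
    \tcreated: ... / lifetime: ... / spid=... / refcnt=...
"""
import re
from dataclasses import dataclass, field

# Addresses from the question's scenario.
INTERNAL_ADDR = "132.1.2.2"     # address handed to the roadwarrior by the VPN-Server
REMOTE = "132.1.1.1"            # VPN-Server
LOCAL = "192.168.2.50"          # roadwarrior's eth0


def _entry(src, dst, direction, transform, spid):
    """Build one constructed SPD entry in the assumed `setkey -DP` layout."""
    return (
        f"{src}[any] {dst}[any] any\n"
        f"\t{direction} prio def ipsec\n"
        f"\t{transform}\n"
        f"\tcreated: Jan  1 00:00:00 2010  lastused:\n"
        f"\tlifetime: 0(s) validtime: 0(s)\n"
        f"\tspid={spid} seq=0 pid=1000\n"
        f"\trefcnt=1\n"
    )


_OUT = _entry(INTERNAL_ADDR, "0.0.0.0/0", "out", f"esp/tunnel/{LOCAL}-{REMOTE}/require", 1)
_IN = _entry("0.0.0.0/0", INTERNAL_ADDR, "in", f"esp/tunnel/{REMOTE}-{LOCAL}/require", 2)
_FWD = _entry("0.0.0.0/0", INTERNAL_ADDR, "fwd", f"esp/tunnel/{REMOTE}-{LOCAL}/require", 3)

# Constructed dumps: with the fwd policy intact, and after the script's spddelete.
SAMPLE_WITH_FWD = _OUT + _IN + _FWD
SAMPLE_FWD_DELETED = _OUT + _IN


@dataclass
class SpdEntry:
    src: str                      # selector source, e.g. "0.0.0.0/0[any]"
    dst: str                      # selector destination, e.g. "132.1.2.2[any]"
    direction: str = ""           # "in", "out" or "fwd"
    policies: list = field(default_factory=list)   # e.g. "esp/tunnel/a-b/require"


def parse_setkey_dp(text):
    """Parse a `setkey -DP` dump into SpdEntry records."""
    entries = []
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Unindented line: a new selector "src[port] dst[port] proto".
            parts = raw.split()
            current = SpdEntry(src=parts[0], dst=parts[1])
            entries.append(current)
            continue
        if current is None:
            continue
        line = raw.strip()
        m = re.match(r"^(in|out|fwd)\b", line)
        if m:
            current.direction = m.group(1)
        elif line.startswith(("esp/", "ah/", "ipcomp/")):
            current.policies.append(line)
    return entries


def has_fwd_tunnel_policy(entries, internal_addr, remote, local):
    """True if a fwd policy to internal_addr requires the REMOTE-LOCAL ESP tunnel."""
    want = f"esp/tunnel/{remote}-{local}/require"
    for e in entries:
        dst_addr = e.dst.split("[", 1)[0]
        if e.direction == "fwd" and dst_addr == internal_addr and want in e.policies:
            return True
    return False


if __name__ == "__main__":
    # To check a live system, replace the sample with the output of `setkey -DP`.
    for label, dump in (("intact", SAMPLE_WITH_FWD), ("after spddelete", SAMPLE_FWD_DELETED)):
        ok = has_fwd_tunnel_policy(parse_setkey_dp(dump), INTERNAL_ADDR, REMOTE, LOCAL)
        print(f"{label}: fwd policy present = {ok}")
```

Run it against a real dump by feeding the output of `setkey -DP` into `parse_setkey_dp`; if the `fwd` entry is absent after the tunnel is up, the spddelete in phase1-up.sh is still active.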