Mailinglist Archive: opensuse-security (88 mails)

Re: [suse-security] VPN and SuSEfirewall2
  • From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
  • Date: Thu, 27 Apr 2006 09:12:54 +0200
  • Message-id: <20060427071254.GA16610@xxxxxxx>
Jonathan Baxter wrote:
> [...]
> But nothing works from left-to-right; neither the SuSE router box itself, nor

The router itself cannot reach the subnet on the other side if you
use its external IP as source. You'd need a second tunnel for that.

> from any machines on the 192.168.1.0 subnet behind it can see any machines on
> the 192.168.200.0 subnet at the other end of the tunnel.
> [...]
> I am running SuSEfirewall2 on the SuSE router. I have explicitly enabled
> forwarding between the two subnets by setting FW_FORWARD
> in /etc/sysconfig/SuSEfirewall2:
>
> FW_FORWARD="192.168.1.0/24,192.168.200.0/24,,,ipsec \
> 192.168.200.0/24,192.168.1.0/24,,,ipsec"

Looks correct.

> I have explicitly disabled NAT of packets between the two subnets by adding
> the following line to the fw_custom_before_port_handling() section
> of /etc/sysconfig/scripts/SuSEfirewall2-custom:
>
> iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d \! 192.168.200.0/24 -j MASQUERADE

Packets to 192.168.200.0/24 do not match that rule and fall
through to the rule SuSEfirewall2 creates I guess.

Try
FW_MASQ_NETS="0/0,!192.168.200.0/24"

cu
Ludwig

--
(o_ Ludwig Nussel
//\ SUSE LINUX Products GmbH, Development
V_/_ http://www.suse.de/
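The fall-through Ludwig describes is easy to verify on the box with `iptables -t nat -S POSTROUTING` (the rule list in order) and `iptables -t nat -L POSTROUTING -v -n` (per-rule packet counters). The following is an added example, not code from the thread or from SuSEfirewall2: it simulates first-match traversal of the nat/POSTROUTING chain over two constructed rule sets, the one from the post plus an assumed SuSEfirewall2 catch-all, and the same catch-all with an explicit no-NAT exception in front of it. The catch-all line is an assumption about what a masquerading rule generated from FW_MASQ_NETS looks like; the script does not model how SuSEfirewall2 expands the `!` in FW_MASQ_NETS. Addresses and the interface name are the ones from the posted configuration; the packet addresses are made up.

```python
"""Added example (not from the original thread): simulate first-match
traversal of iptables nat/POSTROUTING to show why a "! -d" MASQUERADE rule
does not stop a later catch-all MASQUERADE rule from matching tunnel traffic.
"""
import ipaddress
import shlex

# Constructed rule sets in "iptables -t nat -S POSTROUTING" syntax.
AS_POSTED = [
    # the custom rule from the post (old-style "-d ! net" negation)
    "-A POSTROUTING -o eth2 -s 192.168.1.0/24 -d ! 192.168.200.0/24 -j MASQUERADE",
    # assumed SuSEfirewall2 catch-all generated from FW_MASQ_NETS
    "-A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE",
]
WITH_EXCEPTION = [
    # explicit no-NAT exception in front of the catch-all: in the nat table
    # ACCEPT terminates chain traversal without rewriting the packet
    "-A POSTROUTING -s 192.168.1.0/24 -d 192.168.200.0/24 -o eth2 -j ACCEPT",
    "-A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE",
]

FLAGS = {"-s": "src", "-d": "dst", "-o": "out", "-j": "target"}


def parse_rule(line):
    """Parse one rule line into {src, dst, out, target, neg}.

    Accepts both negation spellings, "! -d net" (iptables-save output) and
    "-d ! net" (older syntax, as in the post). A leading "iptables -t nat"
    and the chain argument are skipped.
    """
    tokens = shlex.split(line)  # shell-escaped "\!" becomes "!"
    rule = {"src": None, "dst": None, "out": None, "target": None, "neg": set()}
    negate = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        if tok in ("-A", "-I", "-t"):
            i += 2
            continue
        if tok not in FLAGS:  # e.g. the "iptables" command word or a rulenum
            i += 1
            continue
        value = tokens[i + 1]
        if value == "!":  # "-d ! net" form
            negate = True
            i += 1
            value = tokens[i + 1]
        key = FLAGS[tok]
        if key in ("src", "dst"):
            value = ipaddress.ip_network(value, strict=False)
        rule[key] = value
        if negate:
            rule["neg"].add(key)
            negate = False
        i += 2
    return rule


def matches(rule, pkt):
    """pkt: {'src': ip, 'dst': ip, 'out': ifname}. All present matches must hold."""
    for key in ("src", "dst", "out"):
        want = rule[key]
        if want is None:
            continue
        if key == "out":
            hit = pkt["out"] == want
        else:
            hit = ipaddress.ip_address(pkt[key]) in want
        if key in rule["neg"]:
            hit = not hit
        if not hit:
            return False
    return True


def traverse(rules, pkt):
    """Return (target, rule index) of the first matching rule. MASQUERADE,
    SNAT, ACCEPT and DROP all terminate nat traversal; a packet matching no
    rule falls through to the chain policy (ACCEPT, i.e. no NAT)."""
    for idx, line in enumerate(rules):
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["target"], idx
    return "ACCEPT", None


def is_masqueraded(rules, src, dst, out="eth2"):
    target, _ = traverse(rules, {"src": src, "dst": dst, "out": out})
    return target == "MASQUERADE"


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("with exception", WITH_EXCEPTION)):
        for dst in ("192.168.200.7", "203.0.113.9"):  # tunnel peer vs. Internet host
            target, idx = traverse(rules, {"src": "192.168.1.5", "dst": dst, "out": "eth2"})
            print("%-15s 192.168.1.5 -> %-14s %-10s (rule %s)" % (name, dst, target, idx))
```

With the posted rule set, a packet from 192.168.1.5 to 192.168.200.7 skips the custom rule (the negated destination does not match) and is then masqueraded by the catch-all, which is why the far subnet only ever sees the router's external address. The hand-written iptables equivalent of an exception is to place a terminating ACCEPT in front of the masquerading rule, e.g. `iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.200.0/24 -j ACCEPT`; the FW_MASQ_NETS setting suggested above is the way to express that in the SuSEfirewall2 configuration instead of fighting its generated rules from the custom hook.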
