Hi,
I recently installed FreeS/WAN 1.99 (with the x509 patches and kernel 2.4.20-18.7) in order to create an IPsec VPN between two SME Servers 6.0 (SG & PSG), and it seems to work (though minor problems remain).
What I really want to do is to add, on each side, an SME Server 6.0 (SG or PSG) between the local SME and the Internet, to achieve a kind of DMZ without needing an extra third NIC.
Local_Network_1 ----- SME_local_1 ----- SME_DMZ_1 -----| Internet |----- SME_DMZ_2 ----- SME_local_2 ----- Local_Network_2

Local_Network_1: 192.168.2.0/24             Local_Network_2: 192.168.12.0/24
SME_local_1   int: 192.168.2.1              SME_local_2   int: 192.168.12.1
              out: 192.168.1.2                            out: 192.168.11.2
SME_DMZ_1     int: 192.168.1.1              SME_DMZ_2     int: 192.168.11.1
              out: xxx.xxx.xxx.xxx                        out: yyy.yyy.yyy.yyy
The goal is to VPN between Local_Network_1 (192.168.2.0/24) and Local_Network_2 (192.168.12.0/24).
As it seems logical NOT to install IPsec on SME_DMZ_1 or 2, I have to forward (without NATing, i.e. without masquerading) from SME_DMZ_1(2) to SME_local_1(2):
- UDP port 500
- IP proto 50 (ESP)
- IP proto 51 (AH)
This would allow me to get, on SME_local_1(2), the public Internet IP xxx.xxx.xxx.xxx (yyy.yyy.yyy.yyy) instead of 192.168.1.2 (192.168.11.2).
I modified the masq config file (template customization will come later) on SME_DMZ_1(2), adding:
/sbin/iptables -A INPUT -p udp --sport 500 -j ACCEPT   # IKE replies from peer's port 500
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT   # IKE (ISAKMP) to this host
/sbin/iptables -A INPUT -p 50 -j ACCEPT                # ESP
/sbin/iptables -A INPUT -p 51 -j ACCEPT                # AH
but I don't know how to transparently redirect to SME_local_1(2) in order to get the real public Internet IP xxx.xxx.xxx.xxx (yyy.yyy.yyy.yyy).
Does someone have an idea on how to achieve this?
Thanks in advance,
Erika
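Added example, not part of Erika's post or of the SME Server templates: the iptables rules a SME_DMZ box would need to hand inbound IKE (UDP 500), ESP (protocol 50) and AH (protocol 51) through to the inner IPsec gateway. The INPUT rules quoted above only open those protocols to the DMZ box itself; forwarding them to SME_local needs a DNAT in the nat table's PREROUTING chain plus matching FORWARD accepts. The interface name "eth1" and the inner address 192.168.1.2 are assumptions taken from the diagram (use the real external interface and the other side's 192.168.11.2 on SME_DMZ_2). Two caveats a practitioner should know before relying on this: DNAT rewrites the destination address, so SME_local still sees 192.168.1.2, not xxx.xxx.xxx.xxx; and AH's integrity check covers the outer IP addresses, so AH cannot survive any address translation, whereas ESP does not cover the outer header and can be forwarded this way.

```shell
#!/bin/sh
# Added example (not from the original post): print the iptables rules that
# let a 2-NIC SME_DMZ box pass IKE/ESP/AH through to an inner IPsec gateway.
# Assumptions (not from the post): external interface and inner host address
# are supplied as arguments; "eth1" and 192.168.1.2 below are illustrative.

# Usage: ipsec_passthrough_rules <ext_if> <inner_ip>
# Emits the commands instead of executing them, so they can be reviewed and
# pasted into the masq template or piped to sh on the DMZ box.
ipsec_passthrough_rules() {
    ext_if=$1
    inner=$2
    cat <<EOF
# Rewrite the destination of inbound IKE (UDP 500), ESP (proto 50) and
# AH (proto 51) arriving on the public interface to the inner gateway.
# Note: AH authenticates the outer IP addresses, so it breaks under any
# address rewrite; only ESP is actually expected to work through DNAT.
/sbin/iptables -t nat -A PREROUTING -i $ext_if -p udp --dport 500 -j DNAT --to-destination $inner
/sbin/iptables -t nat -A PREROUTING -i $ext_if -p 50 -j DNAT --to-destination $inner
/sbin/iptables -t nat -A PREROUTING -i $ext_if -p 51 -j DNAT --to-destination $inner
# Let the translated packets through the FORWARD chain in both directions.
/sbin/iptables -A FORWARD -i $ext_if -d $inner -p udp --dport 500 -j ACCEPT
/sbin/iptables -A FORWARD -i $ext_if -d $inner -p 50 -j ACCEPT
/sbin/iptables -A FORWARD -i $ext_if -d $inner -p 51 -j ACCEPT
/sbin/iptables -A FORWARD -o $ext_if -s $inner -p udp --sport 500 -j ACCEPT
/sbin/iptables -A FORWARD -o $ext_if -s $inner -p 50 -j ACCEPT
/sbin/iptables -A FORWARD -o $ext_if -s $inner -p 51 -j ACCEPT
EOF
}

# Stand-alone use: sh thisfile.sh eth1 192.168.1.2 | sh   (on SME_DMZ_1)
if [ "$#" -eq 2 ]; then
    ipsec_passthrough_rules "$1" "$2"
fi
```

Outbound IKE and ESP from the inner gateway still leave SME_DMZ masqueraded to xxx.xxx.xxx.xxx; the nat table's connection tracking maps the replies back to the DNAT'ed inner host, so no separate SNAT exception is needed for this traffic.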