I have created an IPsec connection through WAN 2 to an external company. This external company gave me an address family 10.255.42.0/24 and I have to NAT it to my local LAN (192.168.1.0/24). Then I have assigned an IP alias 10.255.42.254 to port 1. With this configuration I can ping the remote IP through IPsec, but I can’t ping the remote machines from the PC on the local LAN (green).
Can you help me to set up the router so that traffic to the remote machines is forwarded to the IPsec connection?
From the Screenshots I’m assuming you mean your NethServer is your Router with 4 NICs…
I use both IPsec and OpenVPN a lot, IPsec more for Site2Site and OpenVPN more for RoadWarriors…
Normally, NAT is NOT needed or used when doing VPN, so there is probably an issue here.
It could be that the company on the other side is only allowing exactly ONE host on your end…
To overcome this limitation, you would need to use NAT. But as said, normally a site2site VPN is NOT done with NAT.
What you could try is adding a static route on your NethServer (maybe also needed on your clients in the LAN…) for the target 10.255.42.0/24, pointing to the right interface…
If there’s no route, the packet will land in the Internet, and your provider will throw away “Internal, private IPs” like 10.x.x.x, 192.168.x.x and 172.16.0.1-172.31.255.255…
The need for NAT is (probably) due to the fact that the remote site receives connections from different locations (not only my company) and there is a high chance that the same IP subnet is used by different companies.
I have set a route to the remote IP subnet and in fact from the router I can ping the remote site. But when I ping from my PC I get “Reply from 192.168.1.254: Destination host unreachable.”
NAT is evil?
I tried to add this function in a clean way through Shorewall, but I failed. So I used the trick I always use: low-level iptables commands.
/etc/shorewall/started is not a template and it is not included in the backup system; it is a file where you trigger commands after Shorewall has been fully started.
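As an added illustration of the approach described in this thread (not the poster's actual commands, which are not shown), here is what an idempotent SNAT rule in /etc/shorewall/started could look like: LAN sources are rewritten to the 10.255.42.254 alias before the packet is encrypted, so the remote side only ever sees the address range it assigned. The LAN, the assigned /24 and the alias are the values quoted above; the remote company's own subnet is not given on the page, so 192.0.2.0/24 is a placeholder, and the rule is inserted at the top of POSTROUTING on the assumption that Shorewall's own masquerade rules would otherwise match first.

```shell
#!/bin/sh
# Example hook body for /etc/shorewall/started (added example, not from the thread).
LAN_NET="192.168.1.0/24"       # green LAN, as stated in the thread
REMOTE_NET="192.0.2.0/24"      # PLACEHOLDER: the remote company's subnet (not on the page)
NAT_ADDR="10.255.42.254"       # alias on the green interface, inside the assigned 10.255.42.0/24

# One function builds the chain + match + target so that the -C check and the
# -I insert always refer to exactly the same rule.
snat_rule_spec() {
    echo "POSTROUTING -s $LAN_NET -d $REMOTE_NET -j SNAT --to-source $NAT_ADDR"
}

# Install the rule only if it is missing: the hook runs on every Shorewall
# (re)start, and a duplicated SNAT rule is harmless but untidy. -I puts it
# ahead of Shorewall's masquerade rules so LAN traffic for the tunnel is not
# rewritten to the WAN address instead (assumption about rule ordering).
ensure_snat_rule() {
    # shellcheck disable=SC2046  # word-splitting of the spec is intended
    if iptables -t nat -C $(snat_rule_spec) 2>/dev/null; then
        echo "SNAT rule already present"
    else
        iptables -t nat -I $(snat_rule_spec)
    fi
}

# Only touch the firewall when we actually can; never abort the hook otherwise.
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    ensure_snat_rule || echo "warning: could not install SNAT rule for $REMOTE_NET" >&2
fi
```

Check it afterwards with `iptables -t nat -L POSTROUTING -n -v`: the SNAT rule should be first and its packet counter should climb when a LAN host pings a remote machine; if the counter stays at zero, the static route for the remote subnet is the next thing to verify.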