vpn ipsec + port forwarding



Dear all,
I would like to ask if someone could point me to a solution for a
problem that has been fooling me for some days.
This is my situation:

  --- NET 192.168.1.0/24 --- (MULTIPLE HOSTS)
                |
   _____________|_____________
  |  LAN 192.168.1.1          |
  |        --- VPN GW ---     |
  |  WAN 192.168.100.7        |
  |___________________________|
                |
                |
                |
   _____________|_________________________
  |  ETH1 192.168.100.2                   |
  |        --- SERVER ---                 |
  |  ETH0 10.0.0.1 + TAP0 192.168.2.38    |
  |_______________________________________|
                |
                |
   _____________|_____
  |  10.0.0.2         |
  |     --- PC ---    |
  |___________________|

On the SERVER side I have a port forward on tcp 80 to 10.0.0.2, so from
eth1 I can reach PC on 192.168.100.2:80, and this is working fine.
As a new upgrade to my server I added a VPN connection from SERVER to
NET 192.168.1.0 behind VPN GW; this also is working fine, and hosts on
the 192.168.1.0 net can reach SERVER on 192.168.2.38 and vice versa. The
problem is that port forwarding is not working over the VPN, so if I try
to reach PC from 192.168.1.x at 192.168.2.38:80 it fails.

The VPN client used on SERVER is ShrewSoft; it brings up the tap0
interface when the VPN is established, but tcpdump shows packets flowing
only on eth1 (type ESP).

This is my iptables configuration, really stripped down:

# Generated by iptables-save v1.4.8 on Wed Mar 28 15:17:11 2012
*mangle
:PREROUTING ACCEPT [2107490:2462265619]
:INPUT ACCEPT [2006646:2354121292]
:FORWARD ACCEPT [100696:108135052]
:OUTPUT ACCEPT [1234102:150431085]
:POSTROUTING ACCEPT [1334795:258565885]
COMMIT
# Completed on Wed Mar 28 15:17:11 2012
# Generated by iptables-save v1.4.8 on Wed Mar 28 15:17:11 2012
*nat
:PREROUTING ACCEPT [8148:633084]
:POSTROUTING ACCEPT [798:50506]
:OUTPUT ACCEPT [759:47902]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.254.254.2:80
COMMIT
# Completed on Wed Mar 28 15:17:11 2012
# Generated by iptables-save v1.4.8 on Wed Mar 28 15:17:11 2012
*filter
:INPUT ACCEPT [2006634:2354120173]
:FORWARD ACCEPT [100696:108135052]
:OUTPUT ACCEPT [1234099:150430833]
COMMIT
# Completed on Wed Mar 28 15:17:11 2012


Any help will be very much appreciated.

Thank you
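Added example (not part of the original post): the posted nat rule matches every tcp/80 packet on every interface, so any HTTP traffic SERVER forwards for other hosts is redirected to the same target, and a packet arriving through the tunnel is matched only because of its destination port. The ruleset below, in the same iptables-save format the post uses, restricts the DNAT to the two addresses the diagram gives (192.168.100.2 on eth1, 192.168.2.38 for tunnel traffic) and replaces the accept-everything FORWARD chain with an allow-list. It uses 10.0.0.2 as the PC address, as the text does (the posted rule forwards to 10.254.254.2). It assumes the kernel's IPsec (XFRM) stack does the decryption, so decrypted packets re-enter PREROUTING on eth1 rather than on tap0 and are selected with `-m policy --dir in --pol ipsec` instead of `-i tap0`; that assumption fits tcpdump showing only ESP on eth1 but is not confirmed by the post. Addresses, interface names and the SNAT fallback are taken from the diagram or are assumptions, not from a working setup.

```text
# Added example ruleset for iptables-restore (not the poster's configuration).
# Assumes: eth1 = WAN 192.168.100.2, eth0 = LAN 10.0.0.1, PC = 10.0.0.2,
# VPN address 192.168.2.38 reached through a kernel (XFRM) IPsec tunnel.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port forward only for packets that arrived on the WAN side addressed to the WAN address
-A PREROUTING -i eth1 -d 192.168.100.2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
# Same forward for packets that came out of the IPsec tunnel addressed to the VPN address
# (matched by IPsec policy, not by interface, because decrypted packets re-enter on eth1)
-A PREROUTING -d 192.168.2.38 -p tcp -m policy --dir in --pol ipsec -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
# Fallback, assumption: only needed if PC cannot route replies to 192.168.1.0/24 back via 10.0.0.1.
# It hides the real client address from PC, so leave it off when PC does route via 10.0.0.1.
# -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d 10.0.0.2 -p tcp -m tcp --dport 80 -j SNAT --to-source 10.0.0.1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies and related traffic for connections already accepted
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections to the forwarded port only (FORWARD sees the post-DNAT address)
-A FORWARD -d 10.0.0.2 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
```

Load it with `iptables-restore` and watch the counters with `iptables -t nat -L PREROUTING -v -n` while connecting from a 192.168.1.x host: if the second DNAT rule never counts, the decrypted packets are not reaching PREROUTING the way the assumption above says (check with `tcpdump -ni eth1 not esp` and `tcpdump -ni tap0`); if it counts but the connection still fails, the reply path is the next suspect and the commented SNAT rule is the quick test. The FORWARD DROP policy will cut any other forwarding SERVER does for 10.0.0.0/24 (the post does not say whether PC reaches the Internet through SERVER); keep the original ACCEPT policy in that case, since the important change is the restricted DNAT.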
