Issue #3317

Two directions potential NAT conflict in site to site mode

Added by Tom Hsiung 8 months ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Affected version: 5.6.2
Resolution:
Description

As shown in the photo, site-to-site mode could be initiated from either side.

Goal: to use iptables to customize the ports for the IKE and ESP connections.

So, the two processes initiated from either side are drawn below (from home to remote, or from remote to home).

Both directions of traffic flow should be edited by iptables rules (SNAT plus DNAT), so that in the middle (the Internet) the source and destination ports are customized.

My question is: can these two sets of iptables rules (those modifying traffic from the home side to the remote side, and those modifying traffic from the remote side to the home side) exist together?

I think it is not likely.

Because in the left part of the upper diagram, the SNAT rule would change the destination port from 4500 to 50501, so the DNAT "getting back" function in the left part of the lower diagram will not work, as all packets from port 4500 could be assigned a new source port of 50501. Correct?

IMG_0470.jpeg (1020 KB), Tom Hsiung, 21.01.2020 10:59
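The following is an added illustration for this issue, not code from the reporter or the project. It is a small Python model of the Netfilter behaviour that decides the question above: the nat table is consulted only for the first packet of a connection, after which conntrack applies the chosen mapping to every later packet of that flow and undoes it on the replies, without evaluating the SNAT or DNAT rules again. The model installs both rule sets (home-to-remote SNAT and remote-to-home DNAT) on one gateway and runs both initiation directions. All addresses and ports are constructed assumptions, and the two iptables commands quoted in the comments are the rules the model stands for; ESP is assumed to travel inside the NAT-T UDP/4500 encapsulation, so only one UDP port is remapped. UDP conntrack timeouts, other NAT rules on the box, and plain ESP (IP protocol 50) are deliberately outside the model.

```python
"""Model of Netfilter NAT plus conntrack on one gateway (added illustration,
not code from the issue or the project). Addresses below are constructed."""
from collections import namedtuple
from dataclasses import dataclass, field

# A UDP packet as a 4-tuple; with NAT-T both IKE and ESP ride in UDP/4500.
Packet = namedtuple("Packet", "src sport dst dport")

# Constructed addresses for the example (assumptions, not from the issue).
HOME_LAN = "192.168.1.10"    # home IPsec endpoint behind the gateway
HOME_PUB = "203.0.113.1"     # home gateway's public address
REMOTE_PUB = "198.51.100.1"  # remote site's public endpoint
IKE_NAT_T = 4500             # standard NAT-T port
CUSTOM = 50501               # port the issue wants to show on the Internet


@dataclass
class NatRule:
    chain: str      # "POSTROUTING" (SNAT) or "PREROUTING" (DNAT)
    match: dict     # packet fields that must match, e.g. {"dport": 50501}
    rewrite: dict   # fields the target rewrites, e.g. {"dport": 4500}


@dataclass
class Gateway:
    rules: list
    # conntrack: pre-NAT tuple of a flow's first packet -> its translated form
    conntrack: dict = field(default_factory=dict)

    def handle(self, pkt, direction):
        """Translate one packet. direction is "out" (LAN -> Internet, so the
        POSTROUTING chain applies) or "in" (Internet -> LAN, PREROUTING).
        Returns (translated packet, conntrack state)."""
        # 1. Known flow: conntrack translates, the nat table is not consulted.
        for orig, nat in self.conntrack.items():
            if pkt == orig:                      # same direction as first packet
                return nat, "ESTABLISHED"
            reply = Packet(nat.dst, nat.dport, nat.src, nat.sport)
            if pkt == reply:                     # reply: undo the mapping
                return Packet(orig.dst, orig.dport, orig.src, orig.sport), "ESTABLISHED"
        # 2. NEW flow: the first matching rule in this direction's chain fixes
        #    the mapping for the whole connection.
        chain = "POSTROUTING" if direction == "out" else "PREROUTING"
        nat = pkt
        for rule in self.rules:
            if rule.chain == chain and all(getattr(pkt, k) == v
                                           for k, v in rule.match.items()):
                nat = pkt._replace(**rule.rewrite)
                break
        self.conntrack[pkt] = nat
        return nat, "NEW"


def home_gateway():
    """Both rule sets from the issue installed together on the home gateway."""
    return Gateway([
        # iptables -t nat -A POSTROUTING -s 192.168.1.10 -p udp --sport 4500 \
        #     -j SNAT --to-source 203.0.113.1:50501
        NatRule("POSTROUTING", {"src": HOME_LAN, "sport": IKE_NAT_T},
                {"src": HOME_PUB, "sport": CUSTOM}),
        # iptables -t nat -A PREROUTING -d 203.0.113.1 -p udp --dport 50501 \
        #     -j DNAT --to-destination 192.168.1.10:4500
        NatRule("PREROUTING", {"dst": HOME_PUB, "dport": CUSTOM},
                {"dst": HOME_LAN, "dport": IKE_NAT_T}),
    ])


def home_initiated_exchange(gw):
    """Home opens the tunnel. Returns (packet seen on the Internet, its state,
    remote's reply as delivered to the LAN, its state)."""
    wire, s1 = gw.handle(Packet(HOME_LAN, IKE_NAT_T, REMOTE_PUB, IKE_NAT_T), "out")
    reply = Packet(wire.dst, wire.dport, wire.src, wire.sport)  # remote answers the port it saw
    lan, s2 = gw.handle(reply, "in")
    return wire, s1, lan, s2


def remote_initiated_exchange(gw):
    """Remote opens the tunnel towards the custom port. Returns (packet as
    delivered to the LAN, its state, home's reply as seen on the Internet, its state)."""
    lan, s1 = gw.handle(Packet(REMOTE_PUB, IKE_NAT_T, HOME_PUB, CUSTOM), "in")
    reply = Packet(lan.dst, lan.dport, lan.src, lan.sport)
    wire, s2 = gw.handle(reply, "out")
    return lan, s1, wire, s2


if __name__ == "__main__":
    gw = home_gateway()
    print(home_initiated_exchange(gw))                 # home opens: SNAT rule used once
    print(remote_initiated_exchange(gw))               # remote opens while home's flow exists
    print(remote_initiated_exchange(home_gateway()))   # remote opens on an idle gateway
```

In the model, the remote side's reply to a home-initiated flow arrives at `HOME_PUB:50501` and is reverse-translated by the conntrack entry, so the DNAT rule is never reached for it; when the remote side initiates on an idle gateway, that same packet is NEW and the DNAT rule delivers it to `HOME_LAN:4500`, and conntrack then rewrites home's reply to source port 50501 on the way out. Either way the two rule sets sit in different chains and only one of them is consulted per new connection.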
