Для того, чтобы обеспечить возможность site to site ipsceс vpn через firewall на linux достаточно сделать snat/dnat для udp/500 и ip № 50?
например, схема сети такая
ipsecgate 1 и 2 не умеют NAT Traversal
настройки debgw1, debgw2 по аналогии
debgw1$ uname -r;cat
/etc/debian_version
2.6.26-2-686
5.0.6
debgw1# nano /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
## The primary network interface
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
address 1.1.1.2
netmask 255.255.255.252
gateway 1.1.1.1
post-up sysctl -w net.netfilter.nf_conntrack_generic_timeout=120
post-up sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=120
post-up sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=120
post-up sysctl -w net.ipv4.ip_local_port_range=16384 61000
post-up sysctl -w net.ipv4.tcp_keepalive_time=1800
post-up sysctl -w net.ipv4.tcp_fin_timeout=30
post-up sysctl -w net.ipv4.tcp_keepalive_probes=2
post-up sysctl -w net.ipv4.ip_forward=1
post-up iptables-restore -c < /var/ipt
post-down iptables-save -c > /var/ipt
## The secondary network interface
auto eth1
#iface eth1 inet dhcp
iface eth1 inet static
address 172.16.1.2
netmask 255.255.255.252
debgw1# nano /var/ipt
# Generated by iptables-save v1.4.2 on Sat Apr 23 19:59:00 2011
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Apr 23 19:59:00 2011
# Generated by iptables-save v1.4.2 on Sat Apr 23 19:59:00 2011
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Apr 23 19:59:00 2011
# Generated by iptables-save v1.4.2 on Sat Apr 23 19:59:00 2011
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p esp -j DNAT --to-destination 172.16.1.2 -m comment --comment "IP/50"
-A PREROUTING -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination 172.16.1.2 -m comment --comment "ISAKMP"
-A POSTROUTING -s 172.16.1.2/32 -o eth0 -j SNAT --to-source 1.1.1.2
COMMIT
# Completed on Sat Apr 23 19:59:00 2011
# Generated by iptables-save v1.4.2 on Sat Apr 23 19:59:00 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i ! lo -m addrtype --src-type LOCAL -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -s 2.2.2.2 -p ah -j ACCEPT
-A FORWARD -d 2.2.2.2 -p ah -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A FORWARD -s 172.16.1.0/30 -i eth1 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Apr 23 19:59:00 2011
если NAT Traversal ipsecgate умеют, то все сводится к
debgw1# iptables-save -t nat
# Generated by iptables-save v1.4.2 on Sat Apr 23 19:59:00 2011
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination 172.16.1.2
-A POSTROUTING -s 172.16.1.2/32 -o eth0 -j SNAT --to-source 1.1.1.2
COMMIT
# Completed on Sat Apr 23 19:59:00 2011
?