<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
@font-face
{font-family:"\@MS Mincho";
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Georgia;
panose-1:2 4 5 2 5 4 5 2 3 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
pre
{margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
p.vspace, li.vspace, div.vspace
{margin-top:15.95pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Hi<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I’m trying to set up a home IPSec VPN gateway with NAT
turned on, and allow road warrior to connect. The IKE exchange is done
successfully, but I can not get it pass ESP traffic. I wonder if my setup is
valid or even allowed.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>This is my setup:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> Linux
PC (road-warrior) uClinux
box (src 192.168.0.1)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> 192.168.2.33 ….
192.168.2.77 </span></font><font
size=2 face=Wingdings><span style='font-size:10.0pt;font-family:Wingdings'>ß</span></font><font
size=2 face=Wingdings><span style='font-size:10.0pt;font-family:Wingdings'>à</span></font><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> 192.168.0.0/24<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Both netfilters/iptables and openswan are running on the
same uClinux box. If I treat the client as having a fixed IP address, a set up
I call nat-to-host, I can get it work properly after fixing the iptables entry
following the instructions from openswan wiki. However, I have no idea how to
make it work in the case of road-warrior. Here is what confuses me:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>In order to do something like this<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<div style='mso-element:para-border-div;border:dotted blue 1.0pt;padding:0in 0in 0in 0in;
background:#CCCCFF'><pre style='background:#CCCCFF;border:none;padding:0in'><font
size=2 face="Courier New"><span style='font-size:10.0pt'># iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE<o:p></o:p></span></font></pre></div>
<p class=vspace><font size=3 face=Georgia><span style='font-size:12.0pt;
font-family:Georgia'>change it to something like: <o:p></o:p></span></font></p>
<div style='mso-element:para-border-div;border:dotted blue 1.0pt;padding:0in 0in 0in 0in;
background:#CCCCFF'><pre style='background:#CCCCFF;border:none;padding:0in'><font
size=2 face="Courier New"><span style='font-size:10.0pt'># iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -d ! 172.16.0.0/24 -j MASQUERADE<o:p></o:p></span></font></pre></div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>It seems I need to know the IP address of the road-warrior
to exclude it from being masqueraded. But how to get the address in the case of
road-warrior? Do I have to turn off NAT if I want to support road-warrior?<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Thanks<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Freeman<o:p></o:p></span></font></p>
</div>
</body>
</html>