<html><head><title>NAT behind IPSEC gateway (not NAT-T)</title>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-15">
</head>
<body>
<span style=" font-family:'Courier New'; font-size: 9pt;">Hello,<br>
<br>
I've searched for a solution but have found nothing; that's why I am writing this mail.<br>
<br>
My setup:<br>
<br>
I have a local network 192.168.2.0/24 and a router running OpenWRT with OpenSWAN. The router is at 192.168.2.1 and x.x.x.x (its external IP address). My router does NAT for the local network, translating internal addresses into the router's external IP. I have a site-to-site IPsec tunnel to a Cisco router that is not under my control; the Cisco's IP is a.a.a.a. The encryption domain consists of my external IP (x.x.x.x), a network b.b.b.0/24 and c.c.c.c (all of these are public IP addresses). Now I am able to ping c.c.c.c and hosts in the b.b.b.0/24 network from my router. The problem is that I cannot access c.c.c.c or b.b.b.0/24 from my local network.<br>
<br>
I have tried changing routes and adding other chains and rules in iptables, but nothing helped.<br>
<br>
Can someone please give me at least a suggestion?<br>
<br>
Thank you.<br>
<br>
Now I'll try to put here all relevant configs:<br>
<br>
<br>
On the router, br-lan is the local network interface and eth1 is the external public network interface.<br>
<br>
ifconfig shows:<br>
<br>
br-lan Link encap:Ethernet HWaddr 00:11:22:33:44:56 <br>
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0 <br>
....<br>
eth1 Link encap:Ethernet HWaddr 00:11:22:33:44:55 <br>
inet addr:x.x.x.x Bcast:x.x.x.255 Mask:255.255.255.0 <br>
...<br>
ipsec0 Link encap:Ethernet HWaddr 00:11:22:33:44:55 <br>
inet addr:x.x.x.x Mask:255.255.255.0 <br>
...<br>
mast0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 <br>
inet addr:192.168.2.1 Mask:255.255.255.255 <br>
...<br>
<br>
<br>
============ begin ipsec.conf ================<br>
config setup<br>
plutodebug="control parsing"<br>
# I tried commenting out virtual_private, but with no result<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br>
nat_traversal=no<br>
oe=off<br>
protostack=auto<br>
<br>
conn vodafone<br>
type=tunnel<br>
left=x.x.x.x<br>
leftsubnet=x.x.x.x/32<br>
right=a.a.a.a<br>
authby=secret<br>
keyexchange=ike<br>
ike=aes128-sha1-modp1024<br>
ikelifetime=86400s<br>
auth=esp<br>
esp=aes128-sha1<br>
pfs=yes<br>
auto=start<br>
<br>
conn vodafone_sub1<br>
rightsubnet=b.b.b.0/24<br>
also=vodafone<br>
<br>
conn vodafone_sub2<br>
rightsubnet=c.c.c.c/32<br>
also=vodafone<br>
<br>
============ end ipsec.conf ================<br>
<br>
Also, of course, I have:<br>
<br>
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE<br>
<br>
My mangle table looks like this:<br>
iptables -t mangle -n -L<br>
Chain PREROUTING (policy ACCEPT) <br>
target prot opt source destination <br>
IPSEC all -- 0.0.0.0/0 0.0.0.0/0 <br>
Chain INPUT (policy ACCEPT) <br>
target prot opt source destination <br>
Chain FORWARD (policy ACCEPT) <br>
target prot opt source destination <br>
Chain OUTPUT (policy ACCEPT) <br>
target prot opt source destination <br>
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500<br>
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:4500<br>
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500 <br>
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:500 <br>
IPSEC all -- 0.0.0.0/0 0.0.0.0/0 <br>
Chain POSTROUTING (policy ACCEPT) <br>
target prot opt source destination <br>
Chain IPSEC (2 references) <br>
target prot opt source destination <br>
NEW_IPSEC_CONN all -- 0.0.0.0/0 0.0.0.0/0 <br>
Chain NEW_IPSEC_CONN (1 references) <br>
target prot opt source destination <br>
MARK all -- 82.76.123.10 81.12.200.0/24 MARK set 0x80240000 <br>
MARK all -- 82.76.123.10 81.12.132.111 MARK set 0x80200000 <br>
<br>
<br>
routing tables:<br>
<br>
ip route show<br>
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1 <br>
x.x.x.0/24 dev eth1 proto kernel scope link src x.x.x.x <br>
x.x.x.0/24 dev ipsec0 proto kernel scope link src x.x.x.x<br>
default via x.x.x.1 dev eth1 <br>
<br>
root@router:~# ip route show table 50<br>
default dev mast0 scope link <br>
<br>
root@router:~# ip rule show <br>
0: from all lookup local <br>
32765: from all fwmark 0x80000000/0x80000000 lookup 50<br>
32766: from all lookup main <br>
32767: from all lookup default <br>
<br>
<br>
root@router:~# ipsec --version <br>
Linux Openswan 2.6.28 (klips) <br>
See `ipsec --copyright' for copyright information. <br>
root@router:~# uname -a <br>
Linux router 2.6.32.16 #1 Wed Aug 25 15:20:15 PDT 2010 mips GNU/Linux<br>
root@router:~# iptables --version <br>
iptables v1.4.6 <br>
<br>
<br>
When I try to ping c.c.c.c from my internal network I can see the packets passing br-lan, and instead of going into the tunnel they go through eth1 (the external interface).<br>
<br>
Any help would be appreciated. Thank you.<br>
<br>
---<br>
With best regards, Artiom Alin Kenibasov<br>
Si vis pacem para bellum<br>
<<a href="mailto:eu@artiom.ro">eu@artiom.ro</a>></span></body>
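<br>
The listings above contain the whole decision path for a forwarded packet: the NEW_IPSEC_CONN rules set a mark only for source 82.76.123.10, and ip rule 32765 diverts packets carrying the 0x80000000 bit to table 50 (default dev mast0). The shell functions below are an added example, not the poster's or Openswan's own code, that re-creates that decision so the eth1 symptom can be reproduced on paper; the addresses are taken from the mangle listing and 192.168.2.10 is a constructed LAN host.<br>

```shell
# Constructed re-creation (not the poster's or Openswan's code) of the decision the
# listings make: mangle PREROUTING -> IPSEC -> NEW_IPSEC_CONN sets a mark only when the
# source is the router's own public address, and ip rule 32765 sends anything with the
# 0x80000000 bit set to table 50 (default dev mast0). Addresses come from the mangle
# listing; 192.168.2.10 is a made-up LAN host.
ROUTER_PUBLIC=82.76.123.10

ip2int() {
    # dotted quad -> 32-bit integer; the subshell keeps the IFS change local
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

in_subnet() {
    # in_subnet IP PREFIX/LEN -> true when IP lies inside PREFIX/LEN
    len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

mangle_mark() {
    # mangle_mark SRC DST -> the fwmark NEW_IPSEC_CONN would set, 0 when no rule matches.
    # A LAN packet still carries its 192.168.2.x source here: MASQUERADE lives in
    # nat POSTROUTING, which runs after the routing decision.
    if [ "$1" = "$ROUTER_PUBLIC" ] && in_subnet "$2" 81.12.200.0/24; then
        echo 0x80240000
    elif [ "$1" = "$ROUTER_PUBLIC" ] && in_subnet "$2" 81.12.132.111/32; then
        echo 0x80200000
    else
        echo 0
    fi
}

route_table() {
    # route_table SRC DST -> the table "ip rule" selects for the packet
    mark=$(mangle_mark "$1" "$2")
    if [ $(( mark & 0x80000000 )) -ne 0 ]; then
        echo 50      # default dev mast0: the packet enters the tunnel
    else
        echo main    # default via x.x.x.1 dev eth1: the packet leaves in the clear
    fi
}

route_table "$ROUTER_PUBLIC" 81.12.132.111   # 50
route_table 192.168.2.10 81.12.132.111       # main, the symptom seen on eth1
```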