[Openswan dev] Re: [Users] routing problem with NAT?

Henrik Nordstrom hno at marasystems.com
Wed Mar 17 10:56:21 CET 2004


On Tue, 16 Mar 2004, Nate Carlson wrote:

> AFAIK, it's to allow roadwarriors behind a NAT gateway to connect to a 
> IPSec server, and the networks behind it. You use the Xsubnet= to specify 
> what internal IP address the NAT'd box is using, and I'm fairly certain 
> there's not a way to also have a subnet behind it, without doing something 
> exotic like gre tunnels over the ipsec link.

It works for static subnets behind road-warriors behind NAT, at least in
Super-FreeS/WAN 1.99.8 (which is the last version we verified NAT-T 
operation in).

What is not allowed is dynamic road warrior hosts (without a static 
local subnet) behind NAT without using the local address assignment 
extension. This is due to security implications on the addressing of NAT.

An IPSec tunnel is a tunnel. You can route anything acceptable to your
IPSec policy over an IPSec tunnel. There is no need to look into GRE over
IPSec unless you want to route traffic not acceptable by your IPSec policy
over the IPSec tunnel.

Regards
Henrik
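The two cases Henrik distinguishes (a static subnet behind a NAT'd road warrior, versus a single dynamic host behind NAT) can be expressed as two ipsec.conf connections. The following is an added illustration, not configuration from the thread or from the Super-FreeS/WAN 1.99.8 setup Henrik verified; it uses Openswan's ipsec.conf keywords, and every address, identity and key value is a constructed placeholder.

```ini
# Added example (gateway side). Assumed: Openswan ipsec.conf syntax; all
# addresses, ids and keys below are constructed placeholders.
config setup
    interfaces=%defaultroute
    # Enable NAT Traversal (UDP encapsulation) for peers behind NAT.
    nat_traversal=yes
    # Private ranges a NAT'd peer may present as its subnet. The gateway's
    # own LAN is explicitly excluded (leading "!") so a remote peer cannot
    # claim an address range that overlaps the network it is connecting to;
    # this is the addressing concern Henrik refers to.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# Case 1: a road warrior behind NAT with a static LAN of its own.
# Traffic for 192.168.50.0/24 is routed over the tunnel directly; no GRE is
# needed because the subnet is part of the IPSec policy itself.
conn natted-roadwarrior-with-subnet
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftid=@gateway.example.com
    leftrsasigkey=0sAQ_PLACEHOLDER_GATEWAY_KEY
    right=%any
    rightsubnet=192.168.50.0/24
    rightid=@roadwarrior.example.com
    rightrsasigkey=0sAQ_PLACEHOLDER_ROADWARRIOR_KEY
    authby=rsasig
    auto=add

# Case 2: a single dynamic host behind NAT, no static subnet. The peer's
# private address is accepted only if it falls within virtual_private
# (vhost:%priv); %no additionally allows a non-NAT'd peer to connect as
# itself. Without such a rule the peer's NAT-side address is not trusted.
conn natted-roadwarrior-single-host
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftid=@gateway.example.com
    leftrsasigkey=0sAQ_PLACEHOLDER_GATEWAY_KEY
    right=%any
    rightsubnet=vhost:%no,%priv
    rightid=@laptop.example.com
    rightrsasigkey=0sAQ_PLACEHOLDER_LAPTOP_KEY
    authby=rsasig
    auto=add
```

On the road-warrior side of case 1 the roles are mirrored: left=%defaultroute with leftsubnet=192.168.50.0/24, right set to the gateway's public address with rightsubnet=192.168.1.0/24, and auto=start so the NAT'd side initiates. Keeping the peer identities as ids rather than IP addresses matters here, since the address the gateway sees is the NAT device's, not the peer's.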
