[Openswan dev] Re: [Users] routing problem with NAT?

Nate Carlson natecars at natecarlson.com
Wed Mar 17 08:44:57 CET 2004

On Wed, 17 Mar 2004, Henrik Nordstrom wrote:
> It works for static subnets behind road-warriors behind NAT, at least in
> Super-FreeS/WAN 1.99.8 (which is the last version we verified NAT-T
> operation in).
> What is not allowed is dynamic road warrior hosts (without a static
> local subnet) behind NAT without using the local address assignment
> extension. This due to security implications on the addressing of NAT.

Hmm, what's the proper way to configure this? On the VPN gateway, do you
just define rightsubnetwithin/%vhost to include the subnet that you want
to route to on the remote end?

I tried to get this to work many moons ago, and was unable to.

> A IPSec tunnel is a tunnel. You can route anything acceptable to your
> IPSec policy over an IPSec tunnel. There is no need to look into GRE
> over IPSec unless you want to route traffic not acceptabe by your IPSec
> policy over the IPSec tunnel.

Yeah; I just wasn't able to get an IPSec policy that was acceptable for
it.  :)

| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |

More information about the Dev mailing list