[Openswan dev] Re: [Users] routing problem with NAT?
Nate Carlson
natecars at natecarlson.com
Wed Mar 17 08:44:57 CET 2004

On Wed, 17 Mar 2004, Henrik Nordstrom wrote:
> It works for static subnets behind road-warriors behind NAT, at least in
> Super-FreeS/WAN 1.99.8 (which is the last version we verified NAT-T
> operation in).
>
> What is not allowed is dynamic road warrior hosts (without a static
> local subnet) behind NAT without using the local address assignment
> extension. This is due to security implications on the addressing of NAT.

Hmm, what's the proper way to configure this? On the VPN gateway, do you
just define rightsubnetwithin/%vhost to include the subnet that you want
to route to on the remote end?

I tried to get this to work many moons ago, and was unable to.

> An IPSec tunnel is a tunnel. You can route anything acceptable to your
> IPSec policy over an IPSec tunnel. There is no need to look into GRE
> over IPSec unless you want to route traffic not acceptable by your IPSec
> policy over the IPSec tunnel.

Yeah; I just wasn't able to get an IPSec policy that was acceptable for
it. :)

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
| depriving some poor village of its idiot since 1981 |
------------------------------------------------------------------------