[Openswan Users] Nat-t Openswan
Paul Wouters
paul at xelerance.com
Mon Apr 19 22:32:10 CEST 2004
On Mon, 19 Apr 2004, Filipe Mota wrote:
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
You must exclude packets with destination through a tunnel:
Assuming 192.168.39.0/24 is one of the local parts of the
tunnel:
iptables -t nat -A POSTROUTING -o eth1 -j RETURN -d 192.168.39.0/24
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
This will skip MASQ for packets destined to be crypted.
> 192.168.39.0/24 LAN
> |
> 192.168.40.132 Client Freeswan
> |
> |
> 192.168.39.198
> | Firewall with nat
> 212.13.39.71
> |
> |
> INTERNET
> |
> |
> 212.13.39.72
> | Server Freeswan
> 192.168.39.1
> |
> |
> 192.168.39.0/24 LAN
You simply CAN NOT have the same IP range on both ends of the tunnel.
Where is 192.168.39.1 ? There are now two locations where these can be
found. This must be changed.
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.39.0/16,%v4:192.168.40.0/24 strictcrlpolicy=yes
You have an overlap here too, 192.168.39.0/16 and 192.168.40.0/24
You also need to say !%v4:192.168.39.0/16 to actually exclude that ip from
being considered a valid NAT range.
The idea of the virtual_private line is to dinstinguish between private IP
space LAN networks in use, versus the private IP space that might be used
be some NAT device. Obviously, just like you cannot have the same network
at both ends of a tunnel, you cannot establish a tunnel from a ADSL/home
NAT network with the same internal IP space range as the subnet at the remote
office LAN.
> leftsubnet=192.168.69.0/24
So you MUST exclude this range in the virtual_private range.
Paul
More information about the Users
mailing list