[Openswan Users] Help: NAT and superfreeswan on the same gateway!!!
Paul Wouters
paul at xtdnet.nl
Sun Feb 15 17:39:31 CET 2004
On Mon, 16 Feb 2004, swcims wrote:
> Thank you very much! I got it through!
> So, from what you told me, I think that there is nothing with NAT-T. Is that right?
NAT-T is only needed when NAT happens on devices you don't control, such as in this setup:
subnet1---SecurityGW1--othernetwork---NAT-router---internet----othernetwork-SecurityGW2-subnet2
Now the nat router will break the ipsec packets. But you seem to have:
subnet1---SecurityGW1-----internet-----SecurityGW2-subnet2
Where the NAT happens on your own boxes. In which case you can exclude NAT for the IPsec packets.
> On the other hand, it is so troublesome if I must exclude NATing many subnets when I want to set up multiple tunnels.
> Any suggestion? Thanks a lot!
Example:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 100.0.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.1.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -j SNAT --to 101.128.32.2
So packets to 100.0.0.0/24 and 192.168.1.0/24 and 10.1.2.0/24 do not get NATed,
all the other ones (outside IPsec tunnels) will get NATed.
Paul
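An added example, not part of Paul's reply: it generates the per-tunnel exclusion rules for a whole list of remote subnets (the subnets and public address are the ones from the post) and checks an existing POSTROUTING listing for the ordering mistake that silently breaks this approach, an ACCEPT exclusion that ends up behind the SNAT catch-all. The function names and the constructed listing are assumptions of this example.

```shell
# Added example (not from the original post). Local subnet, public address
# and remote subnets are the values quoted in the mailing-list reply.
LOCAL_NET="10.0.0.0/24"
PUBLIC_IP="101.128.32.2"
REMOTE_NETS="100.0.0.0/24 192.168.1.0/24 10.1.2.0/24"   # one entry per tunnel

# Print the rules in the order they must be applied: iptables uses first
# match, so every ACCEPT exclusion comes before the SNAT catch-all.
gen_nat_exclusions() {
    local_net=$1; public_ip=$2; shift 2
    for net in "$@"; do
        printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j ACCEPT\n' "$local_net" "$net"
    done
    printf 'iptables -t nat -A POSTROUTING -s %s -d 0/0 -j SNAT --to %s\n' "$local_net" "$public_ip"
}

# Read an "iptables -t nat -S POSTROUTING" listing (or the generated commands)
# on stdin; return 0 if no ACCEPT exclusion follows a SNAT rule, 1 otherwise.
check_exclusion_order() {
    awk '
        /-j SNAT/            { seen_snat = 1 }
        /-j ACCEPT/ && seen_snat { bad = 1 }
        END                  { exit bad ? 1 : 0 }
    '
}

# Constructed listing (hypothetical) showing the failure mode: the catch-all
# was added before the last exclusion, so 10.1.2.0/24 traffic is NATed and
# never matches the tunnel policy.
BROKEN_LISTING='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -d 100.0.0.0/24 -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 101.128.32.2
-A POSTROUTING -s 10.0.0.0/24 -d 10.1.2.0/24 -j ACCEPT'

# Usage: emit the rules (word splitting of REMOTE_NETS is intended), then
# run the ordering check against the generated set and the broken listing.
gen_nat_exclusions "$LOCAL_NET" "$PUBLIC_IP" $REMOTE_NETS
gen_nat_exclusions "$LOCAL_NET" "$PUBLIC_IP" $REMOTE_NETS | check_exclusion_order \
    && echo "generated ruleset: order OK"
printf '%s\n' "$BROKEN_LISTING" | check_exclusion_order \
    || echo "broken listing: an ACCEPT exclusion sits behind the SNAT rule"
```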