[Openswan Users] Help:NAT and superfreeswan on the same gateway!!!

Alexander Samad alex at samad.com.au
Mon Feb 16 07:51:41 CET 2004


One other thing: NAT'ing of packets on a machine that is doing IPSEC on
the native stack (i.e. not klips) doesn't work; this is being addressed by
the netfilter team.

A

On Sun, Feb 15, 2004 at 05:02:49PM +0100, Paul Wouters wrote:
> On Sun, 15 Feb 2004, swcims wrote:
> 
> > 	I tried to set up an IPsec tunnel with two super-fs gateways. It seemed that the IPSEC SA was established, but only one LAN side can ping the other LAN side through the tunnel. I was completely confused by this config. I think the main cause would be that super-fs gateway1 enabled NAT.
> > -----------     --------------------------       -------------------------     -------------------       ----------
> > |100.0.0.3|-----|100.0.0.1   101.128.32.2|------|101.128.32.1  101.32.0.1|----|101.32.0.5  10.0.0.1|----|10.0.0.2 |
> > -----------     --(eth0)-------(eth1)----       --(eth0)-------(eth1)----      --(eth0)---(eth1)----     ----------
> > 	PC1              super-fs gateway1              gateway-middle                 super-fs gateway2        PC2
> > 
> > 	super-fs gateway1 worked as a SOHO router, so I need to enable NAT: "iptables -t nat -A POSTROUTING -s 100.0.0.0/24 -j SNAT --to 101.128.32.2", and set /proc/sys/net/ipv4/ip_forward to "1". And the ipsec.conf is:
> 
> You need to exclude NATing to 10.0.0.0/24 (and 100.0.0.0/24 in the other direction). Add -d \!10.0.0.0/24 to the above nat rule, and add the reverse
> for the other gateway, e.g. -d \! 100.0.0.0/24
> 
> Paul
> 
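Added example, not part of the original thread: a simplified Python model of why the SNAT rule quoted above takes LAN-to-LAN traffic out of the tunnel and how the "-d !" exclusion keeps it in. The addresses come from the diagram; the tunnel selectors (100.0.0.0/24 to 10.0.0.0/24) and the "SNAT first, then selector match" ordering are assumptions, since the ipsec.conf is not shown.

```python
import ipaddress as ip

# Addresses taken from the thread's diagram and the quoted iptables rule.
# Assumption: the tunnel protects LEFT_LAN <-> RIGHT_LAN (ipsec.conf not shown).
LEFT_LAN = ip.ip_network("100.0.0.0/24")
RIGHT_LAN = ip.ip_network("10.0.0.0/24")
GW1_PUBLIC = ip.ip_address("101.128.32.2")


def snat(src, dst, rule):
    """Apply one POSTROUTING SNAT rule; return the (possibly rewritten) source."""
    if src not in rule["src"]:
        return src
    if rule["not_dst"] is not None and dst in rule["not_dst"]:
        return src  # '-d ! net' excludes this destination from NAT
    return rule["to"]


def path(src, dst, rule):
    """Simplified model: SNAT runs first, then the tunnel selector is matched."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    new_src = snat(src, dst, rule)
    in_tunnel = new_src in LEFT_LAN and dst in RIGHT_LAN
    return ("tunnel" if in_tunnel else "cleartext"), str(new_src)


# iptables -t nat -A POSTROUTING -s 100.0.0.0/24 -j SNAT --to 101.128.32.2
ORIGINAL = {"src": LEFT_LAN, "not_dst": None, "to": GW1_PUBLIC}
# Same rule with the exclusion from the reply added: -d ! 10.0.0.0/24
FIXED = {"src": LEFT_LAN, "not_dst": RIGHT_LAN, "to": GW1_PUBLIC}

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("fixed", FIXED)):
        for dst in ("10.0.0.2", "101.32.0.1"):
            print(name, "100.0.0.3 ->", dst, path("100.0.0.3", dst, rule))
```

With the fixed rule, traffic to other destinations is still source-NATed to 101.128.32.2; only traffic bound for the remote LAN keeps its private source address and matches the tunnel.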