[Openswan Users] Help:NAT and superfreeswan on the same gateway!!!

Paul Wouters paul at xtdnet.nl
Thu Feb 19 23:53:02 CET 2004


On Thu, 19 Feb 2004, swcims wrote:

> Hi, all
> 	I tried to set up an IPsec tunnel with two super-fs gateways. It seemed that the IPSEC SA was established, but only one LAN side can ping the other LAN side through the tunnel. I was completely confused by this config. I think the main cause would be that super-fs gateway1 has NAT enabled.
> -----------     --------------------------       -------------------------     -------------------       ----------
> |100.0.0.3|-----|100.0.0.1   101.128.32.2|------|101.128.32.1  101.32.0.1|----|101.32.0.5  10.0.0.1|----|10.0.0.2 |
> -----------     --(eth0)-------(eth1)----       --(eth0)-------(eth1)----      --(eth0)---(eth1)----     ----------
> 	PC1              super-fs gateway1              gateway-middle                 super-fs gateway2        PC2
> 
> 	super-fs gateway1 works as a SOHO router, so it needs NAT enabled: "iptables -t nat -A POSTROUTING -s 100.0.0.0/24 -j SNAT --to 101.128.32.2", and /proc/sys/net/ipv4/ip_forward is set to "1". The ipsec.conf is:

As stated before, you MUST EXCLUDE packets whose destination is an IPSEC tunnel from NAT.

So you must add -d \! 10.0.0.0/24 to your NAT rule.

Paul
-- 
"In discussing women, we discovered that using electrical terminology-
 impedance, reluctance, resistance- that we had a deeper understanding of
 the situation"
                     --- Richard Feynman
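The following is an added example, not code from the thread or from Openswan. It models the problem Paul describes: an SNAT rule in the nat POSTROUTING chain that also catches traffic bound for the remote IPsec subnet rewrites the source address, so the packet no longer matches the tunnel's leftsubnet/rightsubnet selector and leaves in the clear. The addresses are the ones from the diagram above (100.0.0.0/24 behind gateway1, 10.0.0.0/24 behind gateway2, gateway1's outside address 101.128.32.2); the match/selector logic is a simplified model of netfilter and the IPsec policy, and the 203.0.113.10 Internet host is a constructed placeholder. Note that current iptables versions write the negation as `! -d 10.0.0.0/24` (the `-d ! ...` form from the reply is the older syntax), which is what `render_iptables` emits.

```python
"""Model of SNAT versus an IPsec tunnel selector (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses taken from the network diagram in the quoted message.
LAN1 = ipaddress.ip_network("100.0.0.0/24")        # leftsubnet, behind gateway1
LAN2 = ipaddress.ip_network("10.0.0.0/24")         # rightsubnet, behind gateway2
GW1_OUTSIDE = ipaddress.ip_address("101.128.32.2")  # gateway1 eth1, SNAT target


@dataclass(frozen=True)
class SnatRule:
    """One 'iptables -t nat -A POSTROUTING -s <src> [! -d <exclude>] -j SNAT' rule."""
    src: ipaddress.IPv4Network
    to: ipaddress.IPv4Address
    exclude_dst: Optional[ipaddress.IPv4Network] = None  # the '! -d' match, if any

    def matches(self, src, dst) -> bool:
        if src not in self.src:
            return False
        # A negated destination match excludes tunnel-bound traffic from SNAT.
        if self.exclude_dst is not None and dst in self.exclude_dst:
            return False
        return True


def render_iptables(rule: SnatRule) -> str:
    """Render the rule in modern iptables syntax ('! -d' before the option)."""
    parts = ["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", str(rule.src)]
    if rule.exclude_dst is not None:
        parts += ["!", "-d", str(rule.exclude_dst)]
    parts += ["-j", "SNAT", "--to-source", str(rule.to)]
    return " ".join(parts)


def apply_postrouting(rule: SnatRule, src, dst):
    """Source address as seen after the nat POSTROUTING chain (simplified model)."""
    return rule.to if rule.matches(src, dst) else src


def tunnel_selects(src, dst) -> bool:
    """IPsec policy selector: leftsubnet=100.0.0.0/24 <-> rightsubnet=10.0.0.0/24."""
    return src in LAN1 and dst in LAN2


def classify(rule: SnatRule, src_str: str, dst_str: str) -> dict:
    """Run one packet through SNAT, then the tunnel selector; report what happened."""
    src = ipaddress.ip_address(src_str)
    dst = ipaddress.ip_address(dst_str)
    post_nat_src = apply_postrouting(rule, src, dst)
    return {"post_nat_src": str(post_nat_src), "tunneled": tunnel_selects(post_nat_src, dst)}


# The rule from the original post: everything from LAN1 gets SNATed, tunnel traffic included.
BROKEN_RULE = SnatRule(src=LAN1, to=GW1_OUTSIDE)
# The rule with the exclusion Paul recommends.
FIXED_RULE = SnatRule(src=LAN1, to=GW1_OUTSIDE, exclude_dst=LAN2)

if __name__ == "__main__":
    for label, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        print(f"{label}: {render_iptables(rule)}")
        print("  PC1 -> PC2      :", classify(rule, "100.0.0.3", "10.0.0.2"))
        print("  PC1 -> Internet :", classify(rule, "100.0.0.3", "203.0.113.10"))
```

With the broken rule the PC1-to-PC2 packet leaves with source 101.128.32.2 and is not tunneled; with the fixed rule it keeps 100.0.0.3 and matches the selector, while Internet-bound traffic from the LAN is still SNATed as before. The same check applies whenever a NAT gateway also terminates a tunnel: every remote subnet reachable through IPsec needs its own exclusion from the SNAT/MASQUERADE rule.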
