[Openswan Users] Help:NAT and superfreeswan on the same gateway!!!

Alexander Samad alex at samad.com.au
Fri Feb 20 10:54:41 CET 2004

You have to remove the NAT'ing, because you have stated that the subnet
exported from gateway1 is, when you SNAT that packet looks
like it comes from and thus doesn't go down the ipsec
tunnel !

so some thing like

ipables -t mangle -s -d -o ipsec+ -j ACCEPT


On Thu, Feb 19, 2004 at 05:44:49PM +0800, swcims wrote:
> Hi,all
> 	I tried to set up Ipsec tunnel with two super-fs gateway, it seemed that IPSEC SA established,but only one lan side can ping to another lan side through the tunnel.I was completely confused by this config.I think, the main cause would be that super-fs gateway1 enabled NAT.
> -----------     --------------------------       -------------------------     -------------------       ----------
> ||-----||------||----||----| |
> -----------     --(eth0)-------(eth1)----       --(eth0)-------(eth1)----      --(eth0)---(eth1)----     ----------
> 	PC1              super-fs gateway1              gateway-middle                 super-fs gateway2        PC2
> 	super-fs gateway1 worked as a soho router,so need to enable NAT:"iptables -t nat -A POSTROUTING -s -j SNAT --to" ,and set /proc/sys/net/ipv4/ip_forward to "1".And the ipsec.conf is:
> ...
> left=
> leftsubnet=
> leftnexthop=
> right=
> rightsubnet=
> .....
> After start ipsec,super-freeswan would say:IPsec SA established.
> Of course,PC2 can ping PC1,and I can capture the ESP packets in the machine "gateway-middle". So,from to,tunnel is fine.
> But,PC1 cannot ping PC2,and I cannot capture any packets in gateway-middle.It seemed that super-fs gateway1 drop the packet which is from to!
> Is it because I enable NAT on super-fs gateway1 ?But NAT is neccessary.I also enable nat-traversal,but the result was the same as before.I am not sure that there is anything with nat-traversal,for NAT and freeswan are on the same gateway.
> How to cooperate super-fs with NAT? Any replay is highly appreciated!Thanks a lot!
> ????                          
> 	Regards.
> ????????????????swcims
> ????????????????swcims at 163.com
> ????????????????????2004-02-15

> _______________________________________________
> Users mailing list
> Users at lists.openswan.org
> http://lists.openswan.org/mailman/listinfo/users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.openswan.org/pipermail/users/attachments/20040220/036507be/attachment.bin

More information about the Users mailing list