[Openswan Users] Help:NAT and superfreeswan on the same gateway!!!

Alexander Samad alex at samad.com.au
Fri Feb 20 10:54:41 CET 2004


You have to remove the NAT'ing, because you have stated that the subnet
exported from gateway1 is 100.0.0.0/24; when you SNAT, that packet looks
like it comes from 101.128.32.2 and thus doesn't go down the ipsec
tunnel!

so something like

# exempt tunnel traffic from SNAT; must sit before the SNAT rule in nat/POSTROUTING
iptables -t nat -I POSTROUTING -s 100.0.0.0/24 -d 10.0.0.0/24 -o ipsec+ -j ACCEPT

A


On Thu, Feb 19, 2004 at 05:44:49PM +0800, swcims wrote:
> Hi, all
> 	I tried to set up an IPsec tunnel with two super-fs gateways; it seemed that the IPsec SA was established, but only one LAN side can ping the other LAN side through the tunnel. I was completely confused by this config. I think the main cause would be that super-fs gateway1 enabled NAT.
> -----------     --------------------------       -------------------------     -------------------       ----------
> |100.0.0.3|-----|100.0.0.1   101.128.32.2|------|101.128.32.1  101.32.0.1|----|101.32.0.5  10.0.0.1|----|10.0.0.2 |
> -----------     --(eth0)-------(eth1)----       --(eth0)-------(eth1)----      --(eth0)---(eth1)----     ----------
> 	PC1              super-fs gateway1              gateway-middle                 super-fs gateway2        PC2
> 
> 	super-fs gateway1 works as a SOHO router, so I need to enable NAT: "iptables -t nat -A POSTROUTING -s 100.0.0.0/24 -j SNAT --to 101.128.32.2", and set /proc/sys/net/ipv4/ip_forward to "1". And the ipsec.conf is:
> ...
> left=101.128.32.2
> leftsubnet=100.0.0.0/24
> leftnexthop=101.128.32.1
> right=101.32.0.5
> rightsubnet=10.0.0.0/24
> .....
> After starting ipsec, super-freeswan would say: IPsec SA established.
> Of course, PC2 can ping PC1, and I can capture the ESP packets on the machine "gateway-middle". So, from 10.0.0.0/24 to 100.0.0.0/24, the tunnel is fine.
> But PC1 cannot ping PC2, and I cannot capture any packets on gateway-middle. It seemed that super-fs gateway1 drops the packets which go from 100.0.0.0/24 to 10.0.0.0/24. Strange!
> Is it because I enabled NAT on super-fs gateway1? But NAT is necessary. I also enabled nat-traversal, but the result was the same as before. I am not sure that this has anything to do with nat-traversal, for NAT and freeswan are on the same gateway.
> How to make super-fs cooperate with NAT? Any reply is highly appreciated! Thanks a lot!
> 
> 	Regards.
> 
> swcims
> swcims at 163.com
> 2004-02-15

> _______________________________________________
> Users mailing list
> Users at lists.openswan.org
> http://lists.openswan.org/mailman/listinfo/users
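The failure the poster describes, and the ordering point behind Alexander's fix, can be shown with a small model of netfilter's nat POSTROUTING chain. This is an added example, not code from the thread or from super-freeswan/Openswan; it assumes KLIPS-style processing, where nat POSTROUTING runs before the packet reaches ipsec0 and the tunnel policy (leftsubnet/rightsubnet from the poster's ipsec.conf) is then matched against the possibly rewritten source. Addresses come from the poster's diagram; 198.51.100.7 is a made-up Internet host. The `Rule`, `postrouting`, `selected_for_tunnel`, `tunnel_ok` and `as_iptables` names are mine.

```python
"""Model of the nat POSTROUTING chain on super-fs gateway1 (added example).

Shows why a catch-all SNAT rule keeps 100.0.0.0/24 -> 10.0.0.0/24 traffic out
of the tunnel, and why an ACCEPT exemption appended after it (-A) does nothing
while one inserted before it (-I) works.  This models rule evaluation only;
it is not real iptables and ignores conntrack.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    """One nat POSTROUTING rule: -s SRC [-d DST] -j TARGET [--to TO]."""
    src: Optional[str]
    dst: Optional[str]
    target: str              # "SNAT" or "ACCEPT"
    to: Optional[str] = None

    def matches(self, src: str, dst: str) -> bool:
        # An unspecified selector matches everything, as in iptables.
        if self.src and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(dst) not in ip_network(self.dst):
            return False
        return True


def postrouting(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule terminates the chain (SNAT and ACCEPT both
    terminate).  Returns the source address after NAT."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.to if rule.target == "SNAT" else src
    return src  # chain policy ACCEPT: packet unchanged


# Tunnel policy from the poster's ipsec.conf: leftsubnet <-> rightsubnet.
LEFTSUBNET = ip_network("100.0.0.0/24")
RIGHTSUBNET = ip_network("10.0.0.0/24")


def selected_for_tunnel(src: str, dst: str) -> bool:
    """Policy lookup on ipsec0: only a packet whose post-NAT source is still
    inside leftsubnet and whose destination is in rightsubnet is encapsulated;
    anything else does not go down the tunnel."""
    return ip_address(src) in LEFTSUBNET and ip_address(dst) in RIGHTSUBNET


def tunnel_ok(rules: List[Rule], src: str = "100.0.0.3", dst: str = "10.0.0.2") -> bool:
    """Run PC1 -> PC2 through the nat chain, then through the tunnel policy."""
    return selected_for_tunnel(postrouting(rules, src, dst), dst)


# The poster's rule: SNAT everything from the LAN, no destination selector.
SNAT_ALL = Rule("100.0.0.0/24", None, "SNAT", to="101.128.32.2")
# Exemption for traffic that belongs in the tunnel.
EXEMPT_TUNNEL = Rule("100.0.0.0/24", "10.0.0.0/24", "ACCEPT")

BROKEN = [SNAT_ALL]                    # what the poster has now
APPENDED = [SNAT_ALL, EXEMPT_TUNNEL]   # "-A": exemption after SNAT, never reached
FIXED = [EXEMPT_TUNNEL, SNAT_ALL]      # "-I POSTROUTING": exemption first


def as_iptables(rules: List[Rule]) -> List[str]:
    """Render a chain in evaluation order as iptables commands (on a fresh
    chain, -A in this order equals inserting the exemption with -I)."""
    out = []
    for r in rules:
        cmd = ["iptables", "-t", "nat", "-A", "POSTROUTING"]
        if r.src:
            cmd += ["-s", r.src]
        if r.dst:
            cmd += ["-d", r.dst]
        cmd += ["-j", r.target]
        if r.target == "SNAT":
            cmd += ["--to", r.to]
        out.append(" ".join(cmd))
    return out


if __name__ == "__main__":
    for name, chain in (("broken", BROKEN), ("appended", APPENDED), ("fixed", FIXED)):
        print(f"{name:9s} PC1->PC2 enters tunnel: {tunnel_ok(chain)}")
    print("Internet-bound traffic still SNATed to:",
          postrouting(FIXED, "100.0.0.3", "198.51.100.7"))
    print("\n".join(as_iptables(FIXED)))
```

Only the `FIXED` ordering lets PC1's packet keep its 100.0.0.3 source and match leftsubnet, while traffic to any other destination is still SNATed. The model deliberately leaves out conntrack; on a real box the nat table is consulted only for the first packet of a connection, which is why PC1's replies to pings started from PC2 are not rewritten and that direction works for the poster.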

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.openswan.org/pipermail/users/attachments/20040220/036507be/attachment.bin

