[Openswan Users] [Fwd: Openswan and NAT on "both ends"]

Nate Carlson natecars at natecarlson.com
Thu May 13 10:16:41 CEST 2004


On Wed, 12 May 2004, Mark Frost wrote:
> Hello.  I'm trying to get the following setup working using Openswan:
>                           Internet
>                             ||
>                             ||
>         ========================================
>        ||                                     ||
>        ||                                     ||
> OpenSwan 2.1.2rc4                        NexLan router
>     gateway                                   |
>        |                                      |
>        |                                      |
>        ----------------------------------------

Both of these boxes have public IP's, I'm assuming? IE, they are both
connected directly to the internet (public IP), and to your internal
network?

> I'm not sure how much sense this drawing makes but essentially, there
> are two paths from the Internet into the 172.16.0.0/16 subnet for
> redundancy.  I believe that the NAT is actually being done only on the
> NexLan router side.  That is, the OpenSwan gateway does not do NAT, but
> rather has an external and an internal ethernet interface.  I'm also not
> positive, but I believe that hosts on the 172.16.0.0 subnet have a
> default route that goes back through the NexLan box.

Sounds about right for my assumptions above.

> The important thing here is that the networks on both ends are NAT'd.  
> Is this even possible?  I've brought up a connection from a linux host
> on the roadwarrior network side, but if I try to ping any host on the
> 172.16.0.0 subnet (with the exception of the internal interface on the
> gateway), pings don't go through and I'm suspecting a routing issue.

Sure. It makes things difficult if your Openswan box doesn't have a public 
IP, but in your case, that's not true.

> I saw something that seemed to say that L2TP might be the only way to
> solve this, however, it kinda looks like L2TP is only for Windows boxes.  
> Or at least, I haven't seen information about running L2TP with a Linux
> client.  I have both Linux and Windows clients on the roadwarrior

The basic problem you're running into is that the traffic comes in from 
your 192.168.1.0/24 network via the Openswan box (IPSec), but it tries to 
exit back out your default gateway. A couple ways you could fix this:

1) Get rid of the Nexlan router; make your Openswan box the default route 
back to the 'net. This is probably the easiest.

2) If your roadwarrior's public IP is reasonably static, add a static 
route for it in the Nexlan box via your Openswan gateway.

3) Use L2TP, DHCP-over-IPSec, or some other method that will give your
roadwarrior an IP on the internal network. There is a l2tp client for
Linux, but I'm not sure if it can be made to work with Openswan - anyone
else want to comment on that? Ditto for the DHCP-over-IPSec client. You
could also do NAT hacks (i.e., set up a separate internal subnet that's
routed to your Openswan box via the Nexlan, and set up NAT on the Openswan
box to make all traffic coming in from Roadwarriors appear from IPs on
that network. Requires some _updown hackery.)

In other words, it's certainly possible; just depends on how much work you 
want to do.  :)

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------
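A sketch of the "_updown hackery" from option 3, added here as an example and not part of the original thread or of Openswan's own scripts. It assumes a hypothetical dedicated subnet 172.16.200.0/24 that the Nexlan router statically routes to the Openswan gateway, a `leftupdown=` hook that receives Openswan's `PLUTO_VERB` and `PLUTO_PEER_CLIENT` variables, and that the stock `_updown` is still run for the normal route handling.

```shell
#!/bin/sh
# Custom Openswan updown hook (set with leftupdown= in the conn) that SNATs
# roadwarrior traffic into a pool on a dedicated internal subnet, so replies
# from 172.16.0.0/16 hosts are routed back to the Openswan box by the Nexlan
# static route instead of leaking out the default gateway.
# Assumptions (not from the original post): NAT_POOL is routed to this box
# by the Nexlan router; DRY_RUN=1 only prints the commands.

NAT_POOL_RANGE="172.16.200.1-172.16.200.254"
INTERNAL_NET="172.16.0.0/16"
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nat_rules VERB PEER_CLIENT: add the SNAT rule when a client tunnel comes
# up, delete the same rule when it goes down, ignore every other event
# (prepare-*, route-*, *-host are left to the stock _updown script).
nat_rules() {
    verb="$1"
    peer="$2"
    case "$verb" in
        up-client)
            run iptables -t nat -A POSTROUTING -s "$peer" -d "$INTERNAL_NET" \
                -j SNAT --to-source "$NAT_POOL_RANGE"
            ;;
        down-client)
            run iptables -t nat -D POSTROUTING -s "$peer" -d "$INTERNAL_NET" \
                -j SNAT --to-source "$NAT_POOL_RANGE"
            ;;
        *)
            ;;
    esac
}

# When pluto invokes us, PLUTO_VERB is set; otherwise (e.g. when sourced for
# testing) do nothing. The stock script (path is an assumption) handles routes:
#   /usr/lib/ipsec/_updown "$@"
if [ -n "${PLUTO_VERB:-}" ]; then
    nat_rules "$PLUTO_VERB" "${PLUTO_PEER_CLIENT:-}"
fi
```

Run it with `DRY_RUN=0` only after checking the printed rules against your conntrack and IPsec policy; a stale `-A` rule left behind by a crashed tunnel will keep NATing a reused roadwarrior address.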