[Openswan Users] [Openswan and NAT on "both ends"]

Mark Frost mfrost at westnet.com
Fri May 14 00:55:04 CEST 2004 


Nate Carlson wrote:

>On Wed, 12 May 2004, Mark Frost wrote:
>  
>
>>Hello.  I'm trying to get the following setup working using Openswan:
>>                          Internet
>>                            ||
>>                            ||
>>        ========================================
>>       ||                                     ||
>>       ||                                     ||
>>OpenSwan 2.1.2rc4                        NexLan router
>>    gateway                                   |
>>       |                                      |
>>       |                                      |
>>       ----------------------------------------
>>    
>>
>
>Both of these boxes have public IP's, I'm assuming? IE, they are both
>connected directly to the internet (public IP), and to your internal
>network?
>
>  
>

Yes, sorry.  Both have public addresses on the Internet side.  I think I 
did not represent the connection entirely appropriately, however.  There 
are 2 DSL lines both of which come into the NexLan router. The Openswan 
box hangs off the Nexlan router, but is on the "external side" if that 
makes any sense.

>>I'm not sure how much sense this drawing makes but essentially, there
>>are two paths from the Internet into the 172.16.0.0/16 subnet for
>>redundancy.  I believe that the NAT is actually being done only on the
>>NexLan router side.  That is, the OpenSwan gateway does not do NAT, but
>>rather has an external and an internal ethernet interface.  I'm also not
>>positive, but I believe that hosts on the 172.16.0.0 subnet have a
>>default route that goes back through the NexLan box.
>>    
>>
>
>Sounds about right for my assumptions above.
>
>  
>
>>The important thing here is that the networks on both ends are NAT'd.  
>>Is this even possible?  I've brought up a connection from a linux host
>>on the roadwarrior network side, but if I try to ping any host on the
>>172.16.0.0 subnet (with the exception of the internal interface on the
>>gateway), pings don't go through and I'm suspecting a routing issue.
>>    
>>
>
>Sure. It makes things difficult if your Openswan box doesn't have a public 
>IP, but in your case, that's not true.
>
>  
>
>>I saw something that seemed to say that L2TP might be the only way to
>>solve this, however, it kinda looks like L2TP is only for Windows boxes.  
>>Or at least, I haven't seen information about running L2TP with a Linux
>>client.  I have both Linux and Windows clients on the roadwarrior
>>    
>>
>
>The basic problem you're running into is that the traffic comes in from 
>your 192.168.1.0/24 network via the Openswan box (IPSec), but it tries to 
>exit back out your default gateway. A couple ways you could fix this:
>
>1) Get rid of the Nexlan router; make your Openswan box the default route 
>back to the 'net. This is probably the easiest.
>
>  
>
I'm trying to make the fewest changes possible to avoid disruption to 
the network, so leaving the Nexlan box in place is what I have to stick 
with.

>2) If your roadwarrior's public IP is reasonably static, add a static 
>route for it in the Nexlan box via your Openswan gateway.
>
>  
>
I think that's a possibility.

>3) Use L2TP, DHCP-over-IPSec, or some other method that will give your
>roadwarrior an IP on the internal network. There is a l2tp client for
>Linux, but I'm not sure if it can be made to work with Openswan - anyone
>else want to comment on that? Ditto for the DHCP-over-IPSec client. You
>could also do NAT hacks (ie, set up a separate internal subnet that's
>routed to your Openswan box via the Nexlan, and set up NAT on the Openswan
>box to make all traffic coming in from Roadwarriors appear from IP's on
>that networks. Requires some _updown hackery.)
>
>  
>
I thought I'd read somewhere that DHCP-over-IPSec doesn't work currently?

One other possibility might be that the Nexlan box supports IPsec 
passthrough.  That is, I can turn it on and define an internal host as 
an IPsec server (apparently).  Might that suit me well in this case or 
does that mess things up even more?

At the moment, I'm trying to get this all working from a Linux box on 
the roadwarrior side as I'm assuming it's going to be easier.  Once I 
get that working, I'll move on to the getting the Windows box working, 
hopefully.

>In other words, it's certainly possible; just depends on how much work you 
>want to do.  :)
>
>------------------------------------------------------------------------
>| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
>|       depriving some poor village of its idiot since 1981            |
>------------------------------------------------------------------------
>_______________________________________________
>Users mailing list
>Users at lists.openswan.org
>http://lists.openswan.org/mailman/listinfo/users
>  
>

More information about the Users mailing list