[Openswan Users] [Openswan and NAT on "both ends"]

Nate Carlson natecars at natecarlson.com
Fri May 14 10:12:29 CEST 2004


On Thu, 13 May 2004, Mark Frost wrote:
> Yes, sorry.  Both have public addresses on the Internet side.  I think I
> did not represent the connection entirely appropriately, however.  
> There are 2 DSL lines both of which come into the NexLan router. The
> Openswan box hangs off the Nexlan router, but is on the "external side"
> if that makes any sense.

So it's in a DMZ of some sort? As long as it's got a public IP, and you're 
not filtering traffic to it, that part's no problem.

> I'm trying to make the fewest changes possible to avoid disruption to
> the network, so leaving the Nexlan box in place is what I have to stick
> with.

OK, that's do-able.

> >2) If your roadwarrior's public IP is reasonably static, add a static 
> >route for it in the Nexlan box via your Openswan gateway.
>
> I think that's a possibility.

If that'll work for you, it's probably the simplest overall solution.

> I thought I'd read somewhere that DHCP-over-IPSec doesn't work
> currently?

Hmm, should work fine - I know it worked in SFS (predecessor to Openswan
1) without a problem. There just aren't many clients for it; not sure what
kind of hackery it'd require to get it working under Linux, but I'm sure
it's possible.

> One other possibility might be that the Nexlan box supports IPsec
> passthrough.  That is, I can turn it on and define an internal host as
> an IPsec server (apparently).  Might that suit me well in this case or
> does that mess things up even more?

That messes things up even more.  :)  The packets would still end up going 
out the default route (not back through your Openswan box), and it'd mean 
that your Openswan box is behind NAT, and trickier to get working.

> At the moment, I'm trying to get this all working from a Linux box on
> the roadwarrior side as I'm assuming it's going to be easier.  Once I
> get that working, I'll move on to the getting the Windows box working,
> hopefully.

Actually, if your primary clients will be Windows, L2TP over IPSec would 
work just fine in the arrangement that you have right now.

If you do need a flexible mix of linux/windows clients, and you cannot
replace your gateway with the Openswan box, I'd probably try the NAT
route.

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------