[Openswan Users] NAT based upon tunnel

Alexander Samad alex at samad.com.au
Thu Oct 7 14:43:37 CEST 2004


Hi

Going to jump in the deepend, I haven't tried this setup but something
similiar, I use the 2.6 with native stack, with some netfilter pom-ng
patches (NAT + native stack do not work properly with out these
patches), all this is done on a debian build.

if you are able to place linux boxes at each node in the wan, then the 2
remote office just need to have 1:1 static mapping placed on them, this
will remove the conflicting remote addressing seen by the head office

so static map Office A to 10.3.3.0/24 and office B to 10.4.4.0/24 
Then the tunnels can be setup with the different address.  Communication
will be able to be initiated in either direction.

This shouldn't be a hard exercise, the key is the 3 linux boxs at each
node of the wan.

Alex


On Wed, Oct 06, 2004 at 04:32:52PM +0200, Paul Wouters wrote:
> On Wed, 6 Oct 2004, John A. Sullivan III wrote:
> 
> >By the way, what mailing list supports questions about the native Linux
> >IPSec implementation? I haven't really started experimenting with it yet
> >but I need to soon.
> 
> I think that's on the netfilter list mostly.
> 
> >That's an outstanding idea.  I hesitate to add the complexity to the
> >Head Office where a mistake could have very profound effects on large
> >numbers of users but it sounds much simpler than my proposal above.
> 
> The head office seems to only place where you can create complexity :P
> 
> >That is, OfficeA is 10.1.1.0/24, OfficeB is 10.1.1.0/24 and the Head
> >Office is 10.2.2.0/24.  I can bind 10.2.3.1/24 to the Head Office GW,
> >create one policy between OfficeA's 10.1.1.0/24 and 10.2.2.0/24 and
> >another between OfficeB's 10.1.1.0/24 and 10.2.3.0/24.  I think that's
> >what you are suggesting.  Correct?
> 
> Yes.
> 
> >I would then, within the Head Office GW and on the decrypted packet on
> >the ipsec interface, DNAT 10.2.3.0/24 to 10.2.2.0/24, as long as it does
> >not break anything at the application layer.  I could conceivably now
> >have two packets headed for the same server with the same IP address.  I
> >assume that iptables is smart enough that they will never have the same
> >source port, too.  The replies will come back and connection tracking
> >within iptables will magically identify the reply packet for OfficeB and
> >SNAT the reply back to 10.2.3.0/24.
> 
> I believe so, yes.
> 
> >That sounds like it will work.  Does anyone see any caveats?
> 
> That depends, are you billing per hour :)
> 
> >This leads to another off topic but interesting question.  I'm pretty
> >sure this will work in *swan because of the complete traversal of the
> >packet through the netfilter hooks on each interface (e.g., eth0 and
> >ipsec0).  Will such a solution work if we are only using PLUTO and not
> >KLIPS? When a packet comes in from OfficeB using native IPSec, we
> >decrypt it and it is now destined for 10.2.3.0/24.  Can we catch it and
> >DNAT it in the PREROUTING chain after it has been decrypted?
> 
> The whole ipsec+nat thing with netfilter is being heavily worked on as we 
> speak. I wouldn't not recommend it for quite some time on production 
> systems.
> 
> Paul
> -- 
> 	"Non cogitamus, ergo nihil sumus"
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.openswan.org/pipermail/users/attachments/20041007/cead81d6/attachment.bin


More information about the Users mailing list