R: [Openswan Users] OpensWan and Iptables

Hensley, Bill (Space Technology) bill.hensley at ngc.com
Wed Oct 27 22:16:44 CEST 2004


 
John, thanks for the information about iproute2.  I am running a testbed where all connections for the testbed machines (a mix of XP, RedHat ES, and FC2 boxes) are covered by OpenSWAN IPSec (using PSK for the moment).  I added one FC2 machine to the network that is a gateway to the Internet.  I had to change the connectivity such that connections from my machines out to the Internet are in the clear while on the testbed.  I've been trying to find a way to use IPSec to cover the connection from the originating machine to the testbed NIC, then forward the packets on out to the Internet:
 
                |      (IPSec coverage)         |<-192.168.10.50  |
    Workstation |-------------------------------|     Gateway     |---------- Internet
  (192.168.10.x)|                               |  68.15.100.56-> |
 
The workstations are XP boxes.  They are set to IPSec cover all traffic on the network except for any destined for the Internet.  I'd appreciate any pointers.
Cheers, Bill

Bill.Hensley at ngc.com
405.736.8423 (vox)
405.205.4805 (cell)

________________________________

From: users-bounces at openswan.org on behalf of John A. Sullivan III
Sent: Wed 27-Oct-04 7:20 PM
To: Giovanni
Cc: users at openswan.org
Subject: Re: R: [Openswan Users] OpensWan and Iptables



Where is your rightsubnet defined for the connection? You will also want
to make sure that your IDs match exactly.  There is a slightly dated
slide show which includes setting up NAT traversal in the training
section on http://iscs.sourceforge.net. There's even a section on using
iproute2 so that the network VPN connection can be used to speak to the
gateway through the private interface, eliminating the need for extra
connection definitions.

By the way, does your gateway allow the gateway-bound traffic on the
INPUT chain? It will use that rather than the FORWARD chain for traffic
destined for the gateway.

Good luck - John
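Added example (not from either message above): a gateway-side iptables ruleset for the topology in Bill's diagram, written to make John's INPUT-versus-FORWARD point concrete. Assumptions, none of which are stated in the thread: Openswan is using a KLIPS-style `ipsec0` virtual interface on which decrypted packets appear, the testbed NIC is `eth1` (192.168.10.50) and the Internet NIC is `eth0` (68.15.100.56), and the workstations are in 192.168.10.0/24. IKE, NAT-T and ESP arrive addressed to the gateway itself and therefore must be accepted on INPUT; only the already-decrypted workstation traffic bound for the Internet passes through FORWARD. Plaintext from the testbed NIC is dropped so nothing bypasses the tunnel. Run with `dry-run` to print the rules, or `apply` as root to load them.

```shell
#!/bin/sh
# Added example, not from the original thread. Gateway packet filter for
# "IPsec from workstation to gateway, plaintext from gateway to Internet".
# Assumed names: IPT (iptables binary, "echo" for a dry run), LAN_IF/WAN_IF,
# LAN_NET, and the KLIPS ipsec0 interface. On NETKEY kernels with the policy
# match, "-i ipsec0" would become "-m policy --dir in --pol ipsec".
: "${IPT:=iptables}"
: "${LAN_IF:=eth1}"          # testbed NIC, 192.168.10.50 in the diagram
: "${WAN_IF:=eth0}"          # Internet NIC, 68.15.100.56 in the diagram
: "${LAN_NET:=192.168.10.0/24}"

gateway_rules() {
    # Default deny on both chains that matter here.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT

    # IKE (UDP/500), NAT-T (UDP/4500) and ESP are addressed to the gateway,
    # so they traverse INPUT, never FORWARD (John's point above).
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p esp -j ACCEPT

    # Decrypted packets emerge on ipsec0. Those for the gateway's own
    # addresses go through INPUT; those for the Internet go through FORWARD.
    $IPT -A INPUT -i ipsec0 -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i ipsec0 -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o ipsec0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anything else that arrives in the clear on the testbed NIC is dropped,
    # so a misconfigured workstation cannot reach the Internet untunnelled.
    $IPT -A INPUT -i "$LAN_IF" -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -j DROP

    # Masquerade outbound traffic behind the Internet NIC so replies return.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

case "${1:-}" in
    apply)   gateway_rules ;;
    dry-run) IPT=echo; gateway_rules ;;
esac
```

The matching Openswan `conn` on the gateway would use `left=192.168.10.50` with `leftsubnet=0.0.0.0/0` and `right=%any`, so that the XP policy selects all Internet-bound traffic into a tunnel terminating at the testbed NIC; that configuration is an assumption here, not something the thread states.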