[Openswan Users] Openswan and SNAT

Freivald, Joseph A, GVSOL jfreivald at att.com
Wed Aug 17 10:53:32 CEST 2005


I'm attempting to use openswan on a pair of Debian Sarge kernel version
2.6.8-2-386 boxes.  These machines are SNAT gateways to the internet,
and I would like to have the private addresses behind these boxes
(192.168.25.0/24 & 192.168.26.0/24) shared through a VPN.  I have
installed openswan 2.3.1 from the openswan.org site, and I have tried
with and without the ipsec module from that package installed.  I have
an active ipsec0 interface.  I have put an "iptables -t nat -I prerouting
-d VPN -j return" and "iptables -t nat -I postrouting -d VPN -j return"
on both sides to keep from NATing VPN packets.  I have the VPN
established to STATE_MAIN_I4 (ISAKMP SA established) on both sides.
When I ping from either side I see ESP packets go out, but none come
back.  I can see the ESP packets on the receiving end's external
interface as well.

I have been working on this for two days straight and can't find an
answer anywhere.  Will the VPN not work with SNAT enabled, even if I'm
not SNATing the packets between the shared networks?

What am I missing?

Thank you for any assistance.

--JATF