[Openswan Users] Tunnel Nated traffic HELP!

Norman Rasmussen norman at rasmussen.co.za
Mon Dec 26 16:35:46 CET 2005


Then I would test the other two options.  Moving the faking onto a
separate box is almost guaranteed to work.

On 12/25/05, teddy B <boustany_t at hotmail.com> wrote:
> It's not only an ftp problem
> I forgot to mention that traffic both ways stops.
> I think what's happening is that the routing decision is taken at the end of
> the tunnel
> so the prerouting nat is bypassed.....
>
>
> >From: Norman Rasmussen <norman at rasmussen.co.za>
> >To: teddy B <boustany_t at hotmail.com>, users at openswan.org
> >Subject: Re: [Openswan Users] Tunnel Nated traffic HELP!
> >Date: Fri, 23 Dec 2005 18:43:29 +0200
> >
> >On 12/23/05, Paul Wouters <paul at xelerance.com> wrote:
> > > On Fri, 23 Dec 2005, teddy B wrote:
> > >
> > > > I would like to know if there's a special configuration to allow NATed traffic
> > > > to be tunneled?
> > > > the is that I want to set up an ipsec tunnel between 2 networks having overlapping
> > > > subnets.
> > > >
> > > > i have the following setup
> > > >      net1
> > > > 172.16.0.0/24 (FTP server published)
> > > >        |
> > > > Fake net1 (nat rule)
> > > > 172.16.100.0/24
> > > >        |
> > > > Ipsec tunnel
> > > > 11.11.11.1/24
> > > >        |
> > > > 11.11.11.2/24
> > > > Ipsec Tunnel
> > > >        |
> > > > Fake net2( nat rule)
> > > > 172.16.101.0/24
> > > >        |
> > > >     net2
> > > > 172.16.0.0/24 (WWW server published)
> > >
> > > That is currently not (yet) supported.
> > > A workaround is to assign another network range on one end and
> > > use that, perhaps with a portforward to make it fully transparent.
> > >
> > > Paul
> > >
> >
> >Is it maybe an FTP problem? Try plain http first.  Fyi: ftp needs nat
> >helpers loaded.
> >
> >You could probably get it working by putting the Nat-Faking and the
> >IPSEC on two separate machines.
> >
> >Additionally you might try Nat-Faking at one end only, you might find
> >that w3k and openswan do things differently, and if you're lucky it
> >might just work 'one way around' only.
> >
> >--
> >- Norman Rasmussen
> >  - Email: norman at rasmussen.co.za
> >  - Home page: http://norman.rasmussen.co.za/
>
>
>


--
- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/

