[Openswan Users] Lost packets after DNAT

George Adams georgebadams at yahoo.com.au
Fri Feb 25 18:57:23 CET 2005


Hi,

we have moved a server (192.168.2.137) from the local
subnet where our VPN server is to another subnet 1 hop
away (192.168.208.0). Given the following connection
description from "FreeS/WAN IPSec version:
super-freeswan-1.99.7" how can I get DNAT to work so
that the client end is not changed (I don't have
access)?

        keyingtries=0
        auto=start
        type=tunnel
        authby=secret
        pfs=no
        leftid=xx.xx.xx.xx
        left=xx.xx.xx.xx
        leftsubnet=192.168.2.0/24
        right=yy.yy.yy.yy
        rightsubnet=10.0.62.0/24
        ike=3des-md5-modp1024
        ikelifetime=8h
        keylife=24h

The DNAT appears to work, partly:

Chain PREROUTING (policy ACCEPT 14M packets, 4021M bytes)
 pkts bytes target     prot opt in     out     source               destination
  185  7400 DNAT       all  --  ipsec0 *       10.0.62.0/24         192.168.2.137        to:192.168.208.137

but I don't see anything at the internal interface or
server end. Also I am getting martians logged on the
ipsec interface. E.g.:

kernel: martian source 192.168.208.137 from 10.0.62.6, on dev ipsec0

What is going on? Am I going about this the wrong way?

George.

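The following is an added illustration, not code from the post above or from FreeS/WAN. It models the path a packet takes through the setup described: the PREROUTING DNAT on ipsec0, the reverse-path (rp_filter) check that produces "martian source" logs when the route back to the source does not leave via the arrival interface, the conntrack un-NAT of the reply in POSTROUTING, and the KLIPS eroute (leftsubnet/rightsubnet) check that happens only when the packet reaches the ipsec0 device. The routing table, the interface names eth0/eth1 and the simplified conntrack table are assumptions made for the example; the DNAT rule and the subnet policy are taken from the post.

```python
"""Model of PREROUTING DNAT on ipsec0 interacting with a FreeS/WAN
subnet-to-subnet policy.  Added example; the topology, interface names
and the conntrack model are assumptions, not taken from the post."""
import ipaddress

# Constructed topology (assumption): the remote subnet is reached through
# the tunnel device, the two internal subnets through eth1 (192.168.208.0/24
# via an internal router one hop away).
ROUTES = {
    "10.0.62.0/24": "ipsec0",
    "192.168.2.0/24": "eth1",
    "192.168.208.0/24": "eth1",
}
# leftsubnet <-> rightsubnet from the connection description in the post
EROUTES = [("192.168.2.0/24", "10.0.62.0/24")]
# The post's rule: -i ipsec0 -s 10.0.62.0/24 -d 192.168.2.137 -j DNAT --to 192.168.208.137
DNAT_RULES = [("ipsec0", "10.0.62.0/24", "192.168.2.137", "192.168.208.137")]


def in_net(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def route(dst, routes=ROUTES):
    """Longest-prefix match; returns the outgoing device or None."""
    matches = [(ipaddress.ip_network(p).prefixlen, dev)
               for p, dev in routes.items() if in_net(dst, p)]
    return max(matches)[1] if matches else None


def prerouting_dnat(src, dst, in_dev):
    """Apply the first matching nat/PREROUTING DNAT rule."""
    for dev, snet, match_dst, new_dst in DNAT_RULES:
        if dev == in_dev and in_net(src, snet) and dst == match_dst:
            return new_dst
    return dst


def eroute_ok(src, dst):
    """KLIPS only encapsulates packets that fall inside a subnet policy."""
    return any(in_net(src, l) and in_net(dst, r) for l, r in EROUTES)


def inbound(src, dst, in_dev, ct, routes=ROUTES):
    """Decrypted packet re-entering the stack on ipsec0, bound for the server."""
    new_dst = prerouting_dnat(src, dst, in_dev)
    # rp_filter: the route back to src must leave via the device it came in on,
    # otherwise the kernel logs "martian source <dst> from <src>, on dev <in_dev>".
    if route(src, routes) != in_dev:
        return ("martian", src, new_dst)
    if new_dst != dst:
        # conntrack remembers how to un-NAT the reply: (reply src, reply dst) -> original dst
        ct[(new_dst, src)] = dst
    return ("forward", route(new_dst, routes), src, new_dst)


def reply(src, dst, in_dev, ct, routes=ROUTES):
    """Server's answer: routed first, source un-NATed in POSTROUTING, and
    only then checked against the eroute when it reaches ipsec0."""
    out_dev = route(dst, routes)
    new_src = ct.get((src, dst), src)
    if out_dev == "ipsec0" and not eroute_ok(new_src, dst):
        return ("dropped: no eroute", new_src, dst)
    return ("forward", out_dev, new_src, dst)


if __name__ == "__main__":
    ct = {}
    print(inbound("10.0.62.6", "192.168.2.137", "ipsec0", ct))
    print(reply("192.168.208.137", "10.0.62.6", "eth1", ct))
    # Failure mode: no route for 10.0.62.0/24 via ipsec0 (only a default via eth0)
    bad = {k: v for k, v in ROUTES.items() if k != "10.0.62.0/24"}
    bad["0.0.0.0/0"] = "eth0"
    print(inbound("10.0.62.6", "192.168.2.137", "ipsec0", {}, bad))
```

Two things the model makes visible: the reply only re-enters the 192.168.2.0/24 side of the eroute because conntrack rewrites its source back to 192.168.2.137 before the ipsec0 device sees it, so a reply that conntrack has no entry for (or that bypasses it) is dropped at the eroute; and the reverse-path check on ipsec0 passes only if the kernel's route for 10.0.62.0/24 points at ipsec0, which is what to inspect when the martian log names that device.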

