[Openswan Users] OpenSWAN VPN only kinda working

Paul Overton paul at trusted-management.com
Wed Jan 5 14:33:50 CET 2005


Try adding the following:

# Generated by webmin
*nat
>>> -A POSTROUTING -s 192.168.100.0/24 -d 192.168.101.0/24 -o eth0 -j ACCEPT
-A POSTROUTING -o eth0 -j SNAT --to 207.164.133.170
#-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -m tcp -p tcp -i eth0 --dport 993 -j DNAT --to-destination 192.168.100.10
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

Regards Paul

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Jeff Williams
Sent: 05 January 2005 13:23
To: Users at openswan.org
Subject: Re: [Openswan Users] OpenSWAN VPN only kinda working


Hello,

I believe I am NATing ipsec packets but nothing I have tried will stop
the NATing of IPSec packets.  The problem I have is how to fix the
situation if possible.

There is this comment in the Design-Related Issues of Openswan:

* Using SNAT and the 2.6 ipsec code apparently doesn't go well together.
  Reported by Alexander Samad. Known issue for the netfilter team. DNAT
  works as usual, meaning you have to exclude DNAT'ing packets meant for
  a tunnel.

But I am not sure exactly how it affects me and how to get around it.  I am
searching through the netfilter stuff next to see if they provide something
that may resolve the issue.

Thanks, Jeff



Paul Wouters wrote:

> On Tue, 4 Jan 2005, Jeff Williams wrote:
>
>> *nat
>> -A POSTROUTING -o eth0 -j SNAT --to 207.164.133.170
>> #-A POSTROUTING -o eth0 -j MASQUERADE
>> -A PREROUTING -m tcp -p tcp -i eth0 --dport 993 -j DNAT --to-destination 192.168.100.10
>
>
> You are NAT'ing ipsec packets, causing them to be invalid and dropped?
>
> And no, I have no idea why 'worked before' with freeswan, it shouldn't 
> have.
>
> Paul
>
>
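
Added example, not part of the original thread: netfilter walks the nat POSTROUTING chain in order and stops at the first terminating target, so the ACCEPT exemption suggested in this message only keeps tunnel traffic out of SNAT if it sits ahead of the SNAT rule. This Python check tests that ordering on iptables-save style text; the function names and the MISORDERED ruleset are constructed for illustration, and only -s, -d and -o matches are evaluated.

```python
import ipaddress
import shlex

NAT_TARGETS = {"SNAT", "MASQUERADE"}

def _opt(tokens, name):
    """Value following option `name`, or None if the option is absent."""
    return tokens[tokens.index(name) + 1] if name in tokens else None

def first_postrouting_match(ruleset, local_net, remote_net, out_if="eth0"):
    """Return (target, rule) for the first nat POSTROUTING rule that covers
    all traffic from local_net to remote_net leaving out_if, else (None, None).
    Assumption: rules using "!", -m or -p are narrower and are skipped."""
    src = ipaddress.ip_network(local_net)
    dst = ipaddress.ip_network(remote_net)
    in_nat = False
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # table header such as *nat or *filter
            in_nat = line == "*nat"
            continue
        if not in_nat or not line.startswith("-A POSTROUTING "):
            continue                        # also skips commented-out rules
        tok = shlex.split(line)
        if {"!", "-m", "-p"} & set(tok):
            continue
        s, d, o = _opt(tok, "-s"), _opt(tok, "-d"), _opt(tok, "-o")
        if s and not src.subnet_of(ipaddress.ip_network(s, strict=False)):
            continue
        if d and not dst.subnet_of(ipaddress.ip_network(d, strict=False)):
            continue
        if o and o != out_if:
            continue
        return _opt(tok, "-j"), line        # first match decides the packet's fate
    return None, None

def tunnel_is_natted(ruleset, local_net, remote_net):
    """True when the first covering rule rewrites the source address."""
    target, _ = first_postrouting_match(ruleset, local_net, remote_net)
    return target in NAT_TARGETS

# Rules taken from the thread; MISORDERED is a constructed variant.
EXEMPT = "-A POSTROUTING -s 192.168.100.0/24 -d 192.168.101.0/24 -o eth0 -j ACCEPT"
SNAT = "-A POSTROUTING -o eth0 -j SNAT --to 207.164.133.170"
ORIGINAL = "\n".join(["*nat", SNAT])             # ruleset as first posted
SUGGESTED = "\n".join(["*nat", EXEMPT, SNAT])    # exemption ahead of SNAT
MISORDERED = "\n".join(["*nat", SNAT, EXEMPT])   # exemption added too late

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("suggested", SUGGESTED), ("misordered", MISORDERED)):
        print(name, tunnel_is_natted(rs, "192.168.100.0/24", "192.168.101.0/24"))
```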