[Openswan Users] Openswan gateway behind NAT
Paul Wouters
paul at xelerance.com
Mon Jan 17 23:37:23 CET 2005
On Mon, 17 Jan 2005, Marcus Better wrote:
> ----------------------------------------------------
> ~$ ping 192.168.1.45
> PING 192.168.1.45 (192.168.1.45) 56(84) bytes of data.
> 64 bytes from 1.2.3.4: icmp_seq=1 ttl=117 time=43.5 ms
> ----------------------------------------------------
> where 1.2.3.4 is the public IP address of the router gw.example.com.
>
> This is probably because 192.168.1.45 has its default route pointing to
> the router 192.168.1.1, so that it will send the echo replies to the
> router instead of the IPsec gateway. The router will then NAT the echo
> replies and send them to my client - unencrypted!
And it should drop the packets, which it does not always do, as you can see.
> Naturally the other hosts do not know that they should suddenly send
> return traffic through the IPsec gateway. What is the proper solution to
> this problem?
Make the ipsec machine the default gateway, or tunnel everything to the
ipsec machine (0.0.0.0/0). In the latter case, I've also seen it both
work and not work.
> * Doesn't Openswan on the IPsec gateway automatically do proxy arp for
> the IPsec client's address?
>
> * Will it help if I add an ARP entry manually?
I am not sure what you are trying to do here, but I don't think so.
Paul
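A quick check for the symptom Marcus describes, as an added example that is not part of this thread: it parses ping output and flags echo replies whose source address is not the host that was pinged. A private target answered from a public address is exactly what the router NATing the unencrypted replies looks like. The ping transcript below is constructed to mirror the one quoted above.

```python
import ipaddress
import re

# Constructed sample, modelled on the ping transcript quoted in the thread:
# seq 1 and 3 come back from the router's public address, seq 2 from the host.
SAMPLE_PING_OUTPUT = """\
PING 192.168.1.45 (192.168.1.45) 56(84) bytes of data.
64 bytes from 1.2.3.4: icmp_seq=1 ttl=117 time=43.5 ms
64 bytes from 192.168.1.45: icmp_seq=2 ttl=63 time=41.0 ms
64 bytes from 1.2.3.4: icmp_seq=3 ttl=117 time=42.8 ms
"""

HEADER_RE = re.compile(r"^PING \S+ \((\d+\.\d+\.\d+\.\d+)\)")
REPLY_RE = re.compile(r"^\d+ bytes from (\d+\.\d+\.\d+\.\d+): icmp_seq=(\d+)")


def find_unencrypted_replies(ping_output):
    """Return (icmp_seq, responder, reason) for every reply whose source is not
    the pinged address.  reason is "nat" when a private target was answered by a
    public address (reply left through the NAT router, bypassing the tunnel),
    otherwise "other-host"."""
    target = None
    leaked = []
    for line in ping_output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = ipaddress.ip_address(m.group(1))
            continue
        m = REPLY_RE.match(line)
        if not m or target is None:
            continue
        responder = ipaddress.ip_address(m.group(1))
        if responder == target:
            continue
        reason = "nat" if target.is_private and responder.is_global else "other-host"
        leaked.append((int(m.group(2)), str(responder), reason))
    return leaked


if __name__ == "__main__":
    for seq, src, why in find_unencrypted_replies(SAMPLE_PING_OUTPUT):
        print(f"icmp_seq={seq}: reply from {src} instead of target ({why})")
```

Run it against the output of `ping <remote-lan-host>` from the road-warrior side; any "nat" hit means the reply path is not going through the IPsec gateway and the traffic is in the clear.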