[Openswan Users] Openswan gateway behind NAT

Paul Wouters paul at xelerance.com
Mon Jan 17 23:37:23 CET 2005

On Mon, 17 Jan 2005, Marcus Better wrote:

> ----------------------------------------------------
> ~$ ping
> PING ( 56(84) bytes of data.
> 64 bytes from icmp_seq=1 ttl=117 time=43.5 ms
> ----------------------------------------------------
> where is the public IP address of the router gw.example.com.
> This is probably because has its default route pointing to 
> the router, so that it will send the echo replies to the 
> router instead of the IPsec gateway. The router will then NAT the echo 
> replies and send them to my client - unencrypted!

And it should drop the packets, which it does not always do, as you can see.
> Naturally the other hosts do not know that they should suddenly send 
> return traffic through the IPsec gateway. What is the proper solution to 
> this problem?

Make the ipsec machine the default gateway, or tunnel everything to the
ipsec machine ( In the latter case, I've also seen it both
work and not work.

> * Doesn't Openswan on the IPsec gateway automatically do proxy arp for 
> the IPsec client's address?
> * Will it help if I add an ARP entry manually?

I am not sure what you are trying to do here, but I don't think so.
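The asymmetric-path problem Marcus describes, worked through as an added example that is not part of the original thread and is not Openswan code: a minimal longest-prefix-match route lookup over a constructed routing table for an internal LAN host. It shows that, with only a default route via the NAT router, the host's echo reply to the VPN client is handed to the router (which NATs it out in the clear) rather than to the IPsec gateway, and that either of two changes sends it to the IPsec gateway instead: making the IPsec machine the default gateway (Paul's first suggestion) or adding a specific route for the VPN client via the IPsec gateway (a common alternative, not from the thread). All addresses are placeholders chosen for the example.

```python
import ipaddress

# Constructed addresses (assumptions, not from the thread): an internal LAN
# 192.168.1.0/24 with the NAT router at .1 and the Openswan gateway at .2;
# the road-warrior client is given 10.9.0.7 inside the tunnel.
ROUTER = "192.168.1.1"
IPSEC_GW = "192.168.1.2"
VPN_CLIENT = "10.9.0.7"

# A routing table is a list of (prefix, next_hop); next_hop None means the
# destination is directly connected (no gateway).
DEFAULT_TABLE = [
    ("192.168.1.0/24", None),
    ("0.0.0.0/0", ROUTER),
]


def lookup(table, dst):
    """Longest-prefix match, as the kernel does it: the most specific route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def reply_next_hop(table, client=VPN_CLIENT):
    """Where an internal host hands its echo reply destined to the VPN client."""
    return lookup(table, client)


def reply_is_protected(table, client=VPN_CLIENT, gw=IPSEC_GW):
    """True only if the reply reaches the box that encrypts it (the IPsec gateway).

    Anything else (the NAT router, in this scenario) forwards it unencrypted."""
    return reply_next_hop(table, client) == gw


def with_ipsec_default(table, gw=IPSEC_GW):
    """Fix 1 (Paul's suggestion): make the IPsec machine the default gateway."""
    return [(p, gw if p == "0.0.0.0/0" else nh) for p, nh in table]


def with_vpn_route(table, client=VPN_CLIENT, gw=IPSEC_GW):
    """Fix 2 (hypothetical alternative): a host route for the client via the IPsec gateway.

    Equivalent to: ip route add 10.9.0.7/32 via 192.168.1.2 on the internal host."""
    return [(f"{client}/32", gw)] + list(table)


if __name__ == "__main__":
    for name, table in [("default route via NAT router", DEFAULT_TABLE),
                        ("IPsec gateway as default route", with_ipsec_default(DEFAULT_TABLE)),
                        ("host route for VPN client", with_vpn_route(DEFAULT_TABLE))]:
        hop = reply_next_hop(table)
        state = "encrypted" if reply_is_protected(table) else "LEAKS IN THE CLEAR"
        print(f"{name:32s} -> reply sent to {hop}: {state}")
```

The check to run on a real LAN host is the same lookup the kernel performs: `ip route get <vpn-client-address>` must name the IPsec gateway as the next hop, otherwise the reply bypasses the tunnel exactly as in Marcus's ping trace.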