[Openswan Users] Openswan gateway behind NAT

Paul Wouters paul at xelerance.com
Tue Jan 18 11:05:49 CET 2005

On Tue, 18 Jan 2005, Marcus Better wrote:

> >>The router will then NAT the echo replies and send them to my client
>  >> - unencrypted!
>  >
> > And it should drop the packets, which it not always does, as you can see.
> The router, which is not even IPsec capable, has no reason to drop the 
> packets as far as I can see.

Windows should drop the packet. Since windows has a security association
up for that IP address. This was reported over a year ago to Microsoft.

> So I'm looking for a solution where the IPsec gateway is acting as 
> gateway only for IPsec traffic.

I've had mixed results with this and Windows.
> What if the IPsec client had a virtual IP address within the private 
> subnet. Then the gateway would do proxy-arp for that address, so it 
> would "catch" all traffic from the subnet to the IPsec client, right?

I dont think you can use proxy arp, because the client, gateway and ipsec
gateway are on the same subnet.
By adding a virtual IP to the machine, from a range outside its current
range, you can avoid these problems.


More information about the Users mailing list