[Openswan Users] Openswan gateway behind NAT
Paul Wouters
paul at xelerance.com
Tue Jan 18 11:05:49 CET 2005
On Tue, 18 Jan 2005, Marcus Better wrote:
> >> The router will then NAT the echo replies and send them to my client
> >> - unencrypted!
> >
> > And it should drop the packets, which it not always does, as you can see.
>
> The router, which is not even IPsec capable, has no reason to drop the
> packets as far as I can see.
Windows should drop the packet, since Windows has a security association
up for that IP address. This was reported over a year ago to Microsoft.
> So I'm looking for a solution where the IPsec gateway is acting as
> gateway only for IPsec traffic.
I've had mixed results with this and Windows.
> What if the IPsec client had a virtual IP address within the private
> subnet. Then the gateway would do proxy-arp for that address, so it
> would "catch" all traffic from the subnet to the IPsec client, right?
I don't think you can use proxy ARP, because the client, gateway and IPsec
gateway are on the same subnet.
By adding a virtual IP to the machine, from a range outside its current
range, you can avoid these problems.
Paul
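Two sanity checks that follow from the points above, written as an added example for this thread (not Openswan code, and not something either poster provided). The first models the "Windows should drop the packet" observation as a defender's check: given the set of peers for which a security association is up, flag any packet addressed to such a peer that is not carried in ESP (or NAT-T on UDP/4500), since that is exactly the cleartext leak described in the quoted text. The second checks the virtual-IP suggestion: a virtual range that overlaps the LAN would need proxy ARP, while a range outside the LAN only needs a route on the LAN hosts (or their default router) pointing at the IPsec gateway. All addresses, peers and packets below are constructed placeholders.

```python
import ipaddress
from typing import Iterable

# Protocol labels that mean "this packet is protected by IPsec".
# UDP/4500 is NAT-Traversal encapsulated ESP; plain "ESP" is IP protocol 50.
_PROTECTED = {"ESP", "UDP/4500"}


def cleartext_leaks(sa_peers: Iterable[str],
                    packets: Iterable[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Return packets (src, dst, proto) sent to a peer with an SA up
    but not wrapped in ESP/NAT-T. A correct IPsec stack drops these;
    seeing them on the wire is the leak the thread describes."""
    peers = {ipaddress.ip_address(p) for p in sa_peers}
    leaks = []
    for src, dst, proto in packets:
        if ipaddress.ip_address(dst) in peers and proto not in _PROTECTED:
            leaks.append((src, dst, proto))
    return leaks


def check_virtual_range(lan_cidr: str, ipsec_gw_ip: str, virtual_cidr: str) -> dict:
    """Decide whether a proposed virtual range for IPsec clients can be
    reached by plain routing (range outside the LAN) or would need
    proxy ARP (range inside the LAN, which the thread says will not work
    when client, router and IPsec gateway share one subnet)."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    gw = ipaddress.ip_address(ipsec_gw_ip)
    virt = ipaddress.ip_network(virtual_cidr, strict=False)
    if gw not in lan:
        raise ValueError(f"IPsec gateway {gw} is not inside LAN {lan}")
    overlaps = lan.overlaps(virt)
    return {
        "overlaps_lan": overlaps,
        "needs_proxy_arp": overlaps,
        # Route the LAN side must carry when the range is disjoint from the LAN.
        "lan_route": None if overlaps else f"{virt} via {gw}",
    }


if __name__ == "__main__":
    # Constructed sample: one IPsec client at a public address with an SA up.
    peers = ["203.0.113.10"]
    pkts = [
        ("192.168.1.5", "203.0.113.10", "ESP"),    # protected, fine
        ("192.168.1.5", "203.0.113.10", "ICMP"),   # echo reply leaking in the clear
        ("192.168.1.5", "198.51.100.7", "ICMP"),   # no SA for this host, not a leak
    ]
    print("cleartext leaks:", cleartext_leaks(peers, pkts))
    print(check_virtual_range("192.168.1.0/24", "192.168.1.2", "10.99.0.0/24"))
    print(check_virtual_range("192.168.1.0/24", "192.168.1.2", "192.168.1.200/32"))
```

The overlap test is the whole point of Paul's suggestion: with a disjoint range the LAN hosts forward traffic for the virtual addresses to the IPsec gateway by ordinary routing, so nothing on the shared subnet has to answer ARP on the client's behalf.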