[Openswan Users] Openswan gateway behind NAT
Marcus Better
marcus at better.se
Mon Jan 17 18:08:03 CET 2005
Paul Wouters wrote:
> Are you not filtering something?
It turns out that my iptables were misconfigured, and the gateway was
not forwarding correctly. Sorry about that!
(The problem was that I used the MARK target to permit IPsec packets to
pass through the filter, but with NAT-T it is necessary to set the mark
on the UDP packets to port 4500. It seems that the encapsulated ESP
packets are not passed through the PREROUTING chain.)
So now it works a lot better, but still not quite as intended. I find
the following strange result if I ping something on the protected subnet:
Pinging the IPsec gateway looks normal:
---------------------------------------------------
~$ ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=51.2 ms
---------------------------------------------------
Pinging another host gives this:
----------------------------------------------------
~$ ping 192.168.1.45
PING 192.168.1.45 (192.168.1.45) 56(84) bytes of data.
64 bytes from 1.2.3.4: icmp_seq=1 ttl=117 time=43.5 ms
----------------------------------------------------
where 1.2.3.4 is the public IP address of the router gw.example.com.
This is probably because 192.168.1.45 has its default route pointing to
the router 192.168.1.1, so that it will send the echo replies to the
router instead of the IPsec gateway. The router will then NAT the echo
replies and send them to my client - unencrypted!
Naturally the other hosts do not know that they should suddenly send
return traffic through the IPsec gateway. What is the proper solution to
this problem?
* Doesn't Openswan on the IPsec gateway automatically do proxy ARP for
the IPsec client's address?
* Will it help if I add an ARP entry manually?
* Should I give the IPsec client a virtual IP address from the same
private subnet 192.168.1.0/24?
Regards,
Marcus
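As an added check that is not part of the original thread or of Openswan: a small Python script that parses ping output like the sessions quoted above and flags echo replies that did not come from the host that was pinged, or that came from outside the protected subnet. That is exactly the symptom of replies leaving via the NAT router instead of the tunnel. The subnet 192.168.1.0/24 and the addresses come from the post; the sample output is constructed from the quoted lines.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the two ping sessions quoted in the post.
SAMPLE_PING_OUTPUT = """\
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=51.2 ms
PING 192.168.1.45 (192.168.1.45) 56(84) bytes of data.
64 bytes from 1.2.3.4: icmp_seq=1 ttl=117 time=43.5 ms
"""

# "PING <name> (<ip>) ..." header of a Linux ping session.
PING_HEADER = re.compile(r"^PING (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
# "<n> bytes from <ip>: icmp_seq=<n> ttl=<n> time=<x> ms" reply line.
PING_REPLY = re.compile(r"^\d+ bytes from (\d+\.\d+\.\d+\.\d+):.*ttl=(\d+)")


def find_bypassed_replies(output, protected_net):
    """Return (target, replier, ttl) for every echo reply whose source is
    not the pinged host or lies outside the protected subnet.

    A reply from the router's public address means the protected host
    routed its answer to its default gateway, which NATed it and sent it
    to the client in the clear instead of through the IPsec gateway.
    """
    net = ip_network(protected_net)
    target = None
    findings = []
    for line in output.splitlines():
        m = PING_HEADER.match(line)
        if m:
            target = ip_address(m.group(2))
            continue
        m = PING_REPLY.match(line)
        if m and target is not None:
            replier = ip_address(m.group(1))
            ttl = int(m.group(2))
            if replier != target or replier not in net:
                findings.append((str(target), str(replier), ttl))
    return findings


if __name__ == "__main__":
    for target, replier, ttl in find_bypassed_replies(SAMPLE_PING_OUTPUT, "192.168.1.0/24"):
        print(f"reply to ping of {target} came from {replier} (ttl={ttl}): bypassed the tunnel")
```

The much larger TTL on the flagged reply (117 versus 64 for the direct reply) is a second hint that the packet crossed the public Internet rather than the tunnel.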