[Openswan Users] Openswan gateway behind NAT

Marcus Better marcus at better.se
Mon Jan 17 18:08:03 CET 2005

Paul Wouters wrote:
> Are you not filtering something?

It turns out that my iptables were misconfigured, and the gateway was 
not forwarding correctly. Sorry about that!

(The problem was that I used the MARK target to permit IPsec packets to 
pass through the filter, but with NAT-T it is necessary to set the mark 
on the UDP packets to port 4500. It seems that the encapsulated ESP 
packets are not passed through the PREROUTING chain.)

So now it works a lot better, but still not quite as intended. I find 
the following strange result if I ping something on the protected subnet:

Pinging the IPsec gateway looks normal:
~$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=51.2 ms

Pinging another host gives this:
~$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=117 time=43.5 ms
where is the public IP address of the router gw.example.com.

This is probably because has its default route pointing to 
the router, so that it will send the echo replies to the 
router instead of the IPsec gateway. The router will then NAT the echo 
replies and send them to my client - unencrypted!

Naturally the other hosts do not know that they should suddenly send 
return traffic through the IPsec gateway. What is the proper solution to 
this problem?

* Doesn't Openswan on the IPsec gateway automatically do proxy arp for 
the IPsec client's address?

* Will it help if I add an ARP entry manually?

* Should I give the IPsec client a virtual IP address from the same 
private subnet?
