[Openswan Users] Openswan gateway behind NAT
Marcus Better
marcus at better.se
Tue Jan 18 09:53:35 CET 2005
Paul Wouters wrote:
>>The router will then NAT the echo replies and send them to my client
>> - unencrypted!
>
> And it should drop the packets, which it does not always do, as you can see.
The router, which is not even IPsec capable, has no reason to drop the
packets as far as I can see.
> Make the ipsec machine the default gateway,
I could, but I don't want to add another point of failure. Most hosts in
the subnet have no need for IPsec traffic, so it is unnecessary to
have the ipsec box as the default gateway.
So I'm looking for a solution where the IPsec gateway acts as a
gateway only for IPsec traffic.
What if the IPsec client had a virtual IP address within the private
subnet? Then the gateway would do proxy ARP for that address, so it
would "catch" all traffic from the subnet to the IPsec client, right?
Thanks for all your help!
Marcus
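The proxy-ARP idea from the message above, worked through as an added example that is not part of the original thread and is not Openswan's own code: a small "leftupdown" hook that, when a road warrior's tunnel comes up, tells the gateway's kernel to answer ARP requests for the client's virtual IP, and withdraws that entry when the tunnel goes down. LAN hosts then deliver frames for that address to the gateway, which forwards them into the tunnel, while the rest of the subnet keeps its existing default route. The addresses (192.168.1.0/24, 192.168.1.200), the interface name eth0, the hook path and the paired ipsec.conf settings are assumptions for the example; the PLUTO_* variables and `ipsec _updown` are what Openswan actually provides.

```shell
#!/bin/sh
# Added example, not from the original thread and not Openswan's own code:
# a "leftupdown" hook that makes the IPsec gateway proxy-ARP for a road
# warrior's virtual IP, so LAN hosts hand traffic for that address to the
# gateway (and into the tunnel) without the gateway being their default
# route.  Assumed Openswan settings (see ipsec.conf(5)) that this hook pairs with:
#   config setup:  virtual_private=%v4:192.168.1.0/24
#   conn rw:       rightsubnet=vhost:%priv,%no
#                  leftupdown=/etc/ipsec.d/updown-proxyarp   (assumed path)
# Openswan runs the hook with environment variables; the ones used here:
#   PLUTO_VERB         up-client / down-client (others exist, e.g. up-host)
#   PLUTO_PEER_CLIENT  the peer's client subnet, e.g. 192.168.1.200/32

LAN_IF="${LAN_IF:-eth0}"   # assumed: the gateway's interface on 192.168.1.0/24
DRY_RUN="${DRY_RUN:-0}"    # 1 = print the ip(8) command instead of running it

# Map the pluto verb to the ip-neighbour action (add/del) or "none".
proxy_arp_action() {
    case "$1" in
        up-client)   echo add ;;
        down-client) echo del ;;
        *)           echo none ;;
    esac
}

# Accept only a single host (a.b.c.d or a.b.c.d/32) and print it bare.
# Refusing wider prefixes matters: a proxy-ARP entry for a whole subnet
# would let the gateway hijack every address in it.
host_of_client() {
    case "$1" in
        */32) printf '%s\n' "${1%/32}" ;;
        */*)  return 1 ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

main() {
    # Keep the stock behaviour first: "ipsec _updown" is Openswan's default
    # updown script (with KLIPS it installs the route for the peer client
    # via ipsec0, which the proxy-ARP entry also relies on, see note below).
    [ "$DRY_RUN" = 1 ] || ipsec _updown

    action=$(proxy_arp_action "$PLUTO_VERB")
    [ "$action" = none ] && return 0

    host=$(host_of_client "$PLUTO_PEER_CLIENT") || {
        echo "updown-proxyarp: refusing to proxy-ARP for $PLUTO_PEER_CLIENT" >&2
        return 1
    }
    if [ "$DRY_RUN" = 1 ]; then
        echo "ip neigh $action proxy $host dev $LAN_IF"
    else
        ip neigh "$action" proxy "$host" dev "$LAN_IF"
    fi
}

# Only act when pluto invoked us; sourcing the file for tests does nothing.
if [ -n "$PLUTO_VERB" ]; then
    main
fi
```

Two things to check before relying on this. First, the gateway must forward (net.ipv4.ip_forward=1), since the frames LAN hosts send to it are addressed to the client, not to the gateway. Second, as far as I know the Linux ARP code, a per-host proxy entry is only answered when the gateway's own route to that host leaves via a different interface than the one the ARP request arrived on; with KLIPS the stock _updown's route through ipsec0 satisfies that, so try it with DRY_RUN=1 PLUTO_VERB=up-client PLUTO_PEER_CLIENT=192.168.1.200/32 first and then verify with tcpdump that the gateway actually answers "who-has 192.168.1.200" on the LAN.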