[Openswan Users] Openswan gateway behind NAT

Marcus Better marcus at better.se
Tue Jan 18 09:53:35 CET 2005

Paul Wouters wrote:

>> The router will then NAT the echo replies and send them to my client
>> - unencrypted!
> And it should drop the packets, which it does not always do, as you can see.

The router, which is not even IPsec capable, has no reason to drop the 
packets as far as I can see.

> Make the ipsec machine the default gateway,

I could, but I don't want to add another point of failure. Most hosts in 
the subnet have no need for IPsec traffic, so it is unnecessary to 
have the ipsec box as default gateway.

So I'm looking for a solution where the IPsec gateway is acting as 
gateway only for IPsec traffic.

What if the IPsec client had a virtual IP address within the private 
subnet? Then the gateway would do proxy-arp for that address, so it 
would "catch" all traffic from the subnet to the IPsec client, right?

Thanks for all your help!
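The proxy-ARP idea above, as an added example that is not part of this thread (not Marcus's or Paul's configuration): a small POSIX sh script for a Linux gateway with iproute2 that publishes a proxy-ARP entry on the LAN interface for the client's virtual IP, so LAN hosts ARP for that address and the gateway, not the router, receives their traffic to it. The interface name eth0, the LAN 192.168.1.0/24 and the virtual client address 192.168.1.200 are assumed sample values; DRY_RUN defaults to 1 so the script only prints the commands and runs without root.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed values: LAN interface eth0,
# LAN prefix 192.168.1.0/24, virtual IPsec client address 192.168.1.200.
# DRY_RUN=1 (default) prints the privileged commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Convert dotted-quad IPv4 to an integer for prefix arithmetic.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Sanity check: the virtual IP must lie inside the LAN prefix, otherwise LAN
# hosts send it to their default gateway instead of ARPing for it on the LAN.
in_subnet() {
    vip="$1"; cidr="$2"
    net="${cidr%/*}"; plen="${cidr#*/}"
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$vip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Allow the kernel to answer ARP on behalf of other addresses on this interface.
enable_proxy_arp() {
    iface="$1"
    run sysctl -w "net.ipv4.conf.${iface}.proxy_arp=1"
}

# Publish one proxy-ARP entry for the virtual address on the LAN interface.
# The address must also be covered by the IPsec policy for that client (in
# Openswan terms, the conn's rightsubnet), so that the gateway forwards the
# caught packets into the tunnel rather than back out in the clear.
publish_virtual_ip() {
    iface="$1"; vip="$2"
    run ip neigh add proxy "$vip" dev "$iface"
}

# List the proxy entries so the change can be verified.
show_proxy_entries() {
    iface="$1"
    run ip neigh show proxy dev "$iface"
}

# Usage with the assumed sample values (prints the commands under DRY_RUN=1).
if in_subnet 192.168.1.200 192.168.1.0/24; then
    enable_proxy_arp eth0
    publish_virtual_ip eth0 192.168.1.200
    show_proxy_entries eth0
else
    echo "virtual IP is outside the LAN prefix; proxy ARP would not help" >&2
fi
```

Run it with DRY_RUN=0 as root on the gateway to apply the two commands; the proxy_arp sysctl and the neighbour entry do not survive a reboot, so a persistent setup would put them in the interface's up-script.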
