[Openswan Users] openswan, cisco pix and nat problem

lee hughes toxicnaan at gmail.com
Thu May 12 16:54:24 CEST 2005


wow, why not double NAT it at the same time, put it through a
transparent layer 3 proxy, fragment the packets, and then encrypt the
traffic twice just to make it easier to fix when one day you wake up
and it's not working......

I've never seen this configuration documented, and from a network
design point of view it's complex to run NAT and an IPsec tunnel side by
side. Although it may be possible, troubleshooting such a
configuration would be somewhat problematic, especially if you have
multiple tunnels. I NAT traffic to my default g/w (non-VPN traffic)
and that works okay, but never NAT traffic inside the IPsec tunnel...
may work, may not, but just because you can do things doesn't mean
you should do things in the real world!

You could try...


LAN-192.168.1.x--NAT ROUTER--10.0.10.x----F/W---public internet----F/W----10.0.11.x

For me this would make it easier to troubleshoot problems...

Linux machines are cheap... use that to your advantage...

http://openvpn.net/archive/openvpn-devel/2004-10/msg00012.html

On 5/12/05, Markus Feilner <lists at feilner-it.net> wrote:
> On Thursday, 12 May 2005 14:40, Paul Wouters wrote:
> > On Thu, 12 May 2005, Markus Feilner wrote:
> > > I have a problem with connections to a Cisco PIX. The VPN partner wants
> > > me to NAT/masquerade my traffic with my outside public IP.
> >
> > I do not understand the question. IPsec traffic cannot be rewritten by
> > NATs. What is it exactly that you want or need to get done?
> Thanks for answering.
> 
> I have two local subnets in which there are five hosts which are to connect
> through the tunnel to four hosts on the other side (one large subnet).
> Normally: two tunnels, and that's it.
> But the VPN partner wants me to NAT and masquerade the IPs of the five
> local hosts for the VPN, so that he only needs to enter the public IP of my
> net in his configuration.
> So it's not the IPsec traffic that is masqueraded, but the traffic inside the
> tunnel.
> 
> >
> > > Has anybody solved masquerading/NATing the VPN traffic, so that
> > > connections from several local to several remote hosts are possible?
> >
> > That is still problematic in most cases. You are better off setting up a
> > subnet-subnet tunnel.
> 
> I would prefer that by far! But this is tougher to manage for the other side
> (Cisco PIX!)
> 
> >
> > Paul
> 
> --
> with kind regards,
> Markus Feilner
> --
> Feilner IT Linux & GIS
> Linux Solutions, Training, Seminars and Workshops - also in-house
> Beraiterweg 4 93047 Regensburg
> phone +49 941 9465243 fax +49 941 9465244 mobile +49 170 3027092
> mail mfeilner at feilner-it.net web http://www.feilner-it.net
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
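The thread above argues about NATing the traffic inside the tunnel (SNAT of the LAN hosts to the outside public IP before IPsec) versus a plain subnet-to-subnet tunnel. The following is an added, constructed model of that gateway, written for this archive page; it is not Openswan code and not anything Lee, Markus or Paul posted. It assumes one ordering on the gateway, namely routing, then nat/POSTROUTING (the SNAT), then the IPsec policy (SPD) lookup on the already rewritten header. All subnets, the public address 203.0.113.5, the port numbers and the "leftsubnet" selectors are made up for the example. What it shows is the two things a practitioner would want to check: with SNAT in front of the tunnel the policy selector has to be the public /32 rather than the LAN subnets (otherwise the packet matches no policy and leaves in cleartext), and masquerading makes the five local hosts reachable from the partner only for flows they initiated.

```python
"""Where SNAT and the IPsec policy lookup sit on a Linux VPN gateway.

Constructed model for the thread above; not Openswan code.  It assumes the
order: routing -> nat/POSTROUTING (SNAT) -> IPsec policy (SPD) lookup on the
rewritten header, i.e. the NAT is applied *before* the packet is selected
for the tunnel.  All addresses and ports below are made up for the example.
"""
import ipaddress
from dataclasses import dataclass, field

LOCAL_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("192.168.2.0/24")]   # the two local subnets
REMOTE_SUBNET = ipaddress.ip_network("10.20.0.0/16")       # the partner's subnet
PUBLIC_IP = ipaddress.ip_address("203.0.113.5")            # our outside address
PUBLIC_HOST = ipaddress.ip_network("203.0.113.5/32")       # selector for NAT mode


def addr(s):
    """Shorthand for building an address in examples and tests."""
    return ipaddress.ip_address(s)


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int


@dataclass
class Gateway:
    spd_local: list             # local selector(s) of the tunnel ("leftsubnet")
    snat_to_public: bool        # SNAT LAN->partner traffic to PUBLIC_IP
    conntrack: dict = field(default_factory=dict)   # (peer, peerport, natport) -> orig
    next_port: int = 1024

    def _is_local(self, ip):
        return any(ip in n for n in LOCAL_SUBNETS)

    def _in_spd(self, ip):
        return any(ip in n for n in self.spd_local)

    def outbound(self, pkt):
        """Forward a LAN packet; return (disposition, source the peer sees)."""
        src, sport = pkt.src, pkt.sport
        if self.snat_to_public and self._is_local(src) and pkt.dst in REMOTE_SUBNET:
            # nat/POSTROUTING: rewrite the source and remember the mapping
            self.next_port += 1
            sport = self.next_port
            self.conntrack[(pkt.dst, pkt.dport, sport)] = (pkt.src, pkt.sport)
            src = PUBLIC_IP
        # SPD lookup on the header as it now is
        if self._in_spd(src) and pkt.dst in REMOTE_SUBNET:
            return "esp", src
        # No policy matched: the packet leaves the box unencrypted
        return "cleartext", src

    def inbound(self, pkt):
        """Decrypted packet from the peer; return (disposition, final dst)."""
        if not (pkt.src in REMOTE_SUBNET and self._in_spd(pkt.dst)):
            return "dropped", None          # fails the inbound policy check
        if pkt.dst == PUBLIC_IP:
            key = (pkt.src, pkt.sport, pkt.dport)
            if key in self.conntrack:       # reply to a masqueraded flow
                return "delivered", self.conntrack[key][0]
            return "dropped", None          # unsolicited: nothing to un-NAT to
        return "delivered", pkt.dst


if __name__ == "__main__":
    flow = Packet(addr("192.168.1.10"), addr("10.20.0.7"), 40000, 22)
    for label, gw in [("subnet-to-subnet", Gateway(LOCAL_SUBNETS, False)),
                      ("SNAT + /32 selector", Gateway([PUBLIC_HOST], True)),
                      ("SNAT but LAN selector", Gateway(LOCAL_SUBNETS, True))]:
        print(label, gw.outbound(flow))
```

The "cleartext" outcome is the one to look for on a real box: a tcpdump on the outside interface that shows the partner's subnet as the destination of unencrypted packets means the SNAT and the selector disagree, and the model's ordering assumption is exactly what differs between IPsec stacks, so verify it rather than trust it. The "dropped" outcome on an unsolicited inbound packet is the price of the masquerade the partner is asking for: only the direction from the five local hosts to the four remote ones works, which is why the subnet-subnet tunnel Paul suggests is the cleaner design.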

