[Openswan Users] openswan, cisco pix and nat problem

Markus Feilner lists at feilner-it.net
Thu May 12 22:24:47 CEST 2005


On Thursday, 12 May 2005 17:01, you wrote:
> I don't think such a configuration will work since there is nothing like:
>
> iptables -t nat -L PREROUTING --to-source ...
>
Well, masquerading and OpenVPN here in my office network work, and I'm sure 
there is a solution. [I have tried to SNAT my packets and they were delivered 
correctly to the (OpenVPN) server on the other side, if the other side is 
configured correctly.]

Sadly, what I'm speaking of is a totally different network, at one of our 
customers, and the other side is a Cisco PIX, which NATs all the VPN traffic 
with the public IP of my side.
I also cannot imagine how this should work, although I have received a hint from 
someone who told me to put my public_IP/32 into ipsec.conf (rightsubnet) and 
SNAT all packets from my network to the other side.
Then the other side should do the same, and traffic can flow.

BTW: this is the second time we have run into this problem, so this "Cisco PIX" 
way seems quite common with this hardware...
:-((

> > LAN-192.168.1.x--NAT ROUTER--10.0.10.x----F/W---public
> > internet----F/W----10.0.11.x
> >
> > for me this would make it easier to troubleshoot problems...
> >
> > linux machines are cheap..use that to your advantage...
> >
> > http://openvpn.net/archive/openvpn-devel/2004-10/msg00012.html
> >
> > On 5/12/05, Markus Feilner <lists at feilner-it.net> wrote:
> > > On Thursday, 12 May 2005 14:40, Paul Wouters wrote:
> > > > On Thu, 12 May 2005, Markus Feilner wrote:
> > > > > I have a problem with connections to a cisco pix. The VPN Partner
> > > > > wants me to nat/masquerade my traffic with my outside public IP.
> > > >
> > > > I do not understand the question. IPsec traffic cannot be rewritten
> > > > by NATs. What is it exactly that you want or need to get done?
> > >
> > > Thanks for answering.
> > >
> > > I have two local subnets in which there are five hosts who are to
> > > connect through the tunnel to four hosts on the other side (one large
> > > subnet). Normally: Two tunnels, and that's it.
> > > But the VPN Partner wants me to do NAT and Masquerade the IPs of the
> > > five local Hosts for the VPN, so that he only needs to enter the public
> > > IP of my net in his configuration.
> > > So it's not the IPsec traffic that is masqueraded, but the traffic
> > > inside the tunnel.
> > >
> > > > > Has anybody solved Masquerading/Natting the VPN traffic, so that
> > > > > connections from several local to several remote hosts are
> > > > > possible?
> > > >
> > > > that is still problematic in most cases. You are better off setting up
> > > > a subnet-subnet tunnel.
> > >
> > > I would prefer that by far! But this is tougher to manage for the other
> > > side, the Cisco PIX(!)
> > >
> > > > Paul
> > >
> > > --
> > > Kind regards,
> > > Markus Feilner
> > > --
> > > Feilner IT Linux & GIS
> > > Linux Solutions, Training, Seminars and Workshops - also in-house
> > > Beraiterweg 4 93047 Regensburg
> > > fon +49 941 9465243 fax +49 941 9465244 mobil + +49 170 3027092
> > > mail mfeilner at feilner-it.net web http://www.feilner-it.net
> > > _______________________________________________
> > > Users mailing list
> > > Users at openswan.org
> > > http://lists.openswan.org/mailman/listinfo/users

-- 
Kind regards,
Markus Feilner
--
Feilner IT Linux & GIS 
Linux Solutions, Training, Seminars and Workshops - also in-house
Beraiterweg 4 93047 Regensburg
fon +49 941 9465243 fax +49 941 9465244 mobil + +49 170 3027092 
mail mfeilner at feilner-it.net web http://www.feilner-it.net
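The arrangement described in the hint above (the local side presents only its public /32 inside the tunnel and SNATs its LAN traffic to that address before it enters the tunnel), written out as an added example configuration. It is not from the original thread or from the Openswan project. All addresses, the conn name `pix-nat`, the interface name `eth0` and the `authby=secret` choice are assumptions made for the illustration.

```ini
# /etc/ipsec.conf on the Openswan gateway (added example; addresses are assumed)
#   local gateway / public IP ....... 203.0.113.5   (eth0)
#   local subnets behind it ......... 192.168.1.0/24, 192.168.2.0/24
#   Cisco PIX public IP ............. 198.51.100.1
#   subnet behind the PIX ........... 10.0.11.0/24
#
# The tunnel selector on our side is the public /32, not the LAN subnets,
# so the PIX administrator only has to enter a single host address.
conn pix-nat
    left=203.0.113.5
    leftsubnet=203.0.113.5/32
    right=198.51.100.1
    rightsubnet=10.0.11.0/24
    authby=secret
    auto=add
#
# netfilter companion rules: rewrite the *inside* traffic to the public
# address before it is matched against the tunnel.  Matching on the
# destination subnet keeps the rewrite limited to traffic for the remote
# LAN; the ESP/IKE packets themselves already carry 203.0.113.5 as source
# and are not touched.
#   iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.11.0/24 \
#       -j SNAT --to-source 203.0.113.5
#   iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 10.0.11.0/24 \
#       -j SNAT --to-source 203.0.113.5
#
# Checks after `ipsec auto --up pix-nat`:
#   ipsec auto --status | grep pix-nat       # SA established, selectors as above
#   iptables -t nat -L POSTROUTING -nv       # SNAT rule counters increase
#   tcpdump -ni eth0 host 198.51.100.1       # only ESP / UDP 500 leaves eth0,
#                                            # never cleartext 10.0.11.x traffic
```

Openswan works out which of left/right is the local end from the gateway's own addresses, so whether the public /32 ends up as leftsubnet or rightsubnet depends only on which side the conn calls `left`; the hint's "rightsubnet" is the same thing with the sides swapped. On the PIX the matching crypto ACL is simply 10.0.11.0/24 to 203.0.113.5/32, which is the single entry the partner asked for. Two consequences to keep in mind: the rewrite has to take effect before the packet is matched against the IPsec policy, and with the NETKEY stack the kernel's ordering of NAT and policy lookup decides whether that happens, so verify with tcpdump that ESP and not cleartext 10.0.11.x traffic leaves the public interface rather than assuming it; and because the five local hosts now share one address, the PIX side can only initiate connections to 203.0.113.5, which reaches a particular local host only if you add a DNAT (port-forward) rule for it.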

