[Openswan Users] NAT between gateways is problematic
Tim Lingard
percy at tplsystems.co.uk
Thu Oct 20 00:01:07 CEST 2005
Hello,
I mustn't expose my LAN.
My setup is
[A] win2k---[B] Linux openswan/iptables---[C] ADSLmodem/router===[D] Supplier
as
[A] 192.168.1.23---eth0---[B] 192.168.1.1---eth1---[B] 192.168.254.1---[C] 192.168.254.254...[C] ac.me.co.uk===[D] su.pp.li.er...[D] LAN
I need to telnet from the Win2k box to a supplier Lan machine.
My end of ipsec must present itself as Acme's public ip and NOT 192.168.x.x.
My config is
Slackware 9.1.0
Linux 2.4.22 i686
openswan-2.3.1
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    klipsdebug=none
    plutodebug=none

conn foo
    type=tunnel
    ikelifetime=1h
    rekeymargin=10m
    rekeyfuzz=0%
    compress=no
    keylife=20m
    authby=secret
    keyingtries=0
    auth=esp
    esp=3des-md5-96
    keyexchange=ike
    ike=3des-md5-96
    pfs=no
    left=%defaultroute
    leftid=@acme.co.uk
    right=xx.xx.xx.xx
    rightsubnet=yy.yy.yy.0/24
My endpoint always appears as 192.168.254.x!
I tried
    $IPTABLES -t nat -I POSTROUTING -d xx.xx.xx.xx -j SNAT --to-source ac.me.co.uk
and
    $IPTABLES -t nat -I POSTROUTING -d yy.yy.yy.0/24 -j SNAT --to-source ac.me.co.uk
and various others.
I see that "We recommend not trying to build IPsec connections which
pass through a NAT machine. This setup poses problems" and Paul Wouters
said "If the only public IP address available is on the machine in front
of it [...] then it is going to get very difficult to get things running
properly" but supplier is govt and I have little choice.
I even tried native MS IPsec on the win2k box: a bit mysterious but
similar result.
Clues welcome. TIA
--tim
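The symptom in the post (the supplier always sees 192.168.254.x, and SNAT to the public address does not help) comes down to which inner addresses the tunnel's traffic selectors cover. The model below is an added example, not code from the post or from Openswan: it builds the selector pair that a `conn` like the one above implies (with no leftsubnet=, the local selector is the gateway's own address/32) and asks what inner source the remote LAN would see for a given packet, with and without an SNAT applied first. The addresses 203.0.113.10 (Acme's public IP) and 198.51.100.0/24 (the supplier LAN) are constructed stand-ins for the elided ac.me.co.uk and yy.yy.yy.0/24; the assumption that the SNAT is applied before the policy lookup is stated in the code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """One IPsec SPD entry: traffic selectors checked against the *inner*
    (pre-encapsulation) packet, not against the outer ESP/UDP header."""
    name: str
    left: ipaddress.IPv4Network   # local selector
    right: ipaddress.IPv4Network  # remote selector (rightsubnet=)

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.IPv4Address(src) in self.left
                and ipaddress.IPv4Address(dst) in self.right)


def policy_from_conn(name: str, left_host: str, rightsubnet: str,
                     leftsubnet: Optional[str] = None) -> Policy:
    """Derive the selector pair an ipsec.conf 'conn' implies.
    Without leftsubnet= the local side is just the gateway address/32,
    which is why the peer only ever sees the gateway's own address."""
    local = (ipaddress.IPv4Network(leftsubnet) if leftsubnet
             else ipaddress.IPv4Network(f"{left_host}/32"))
    return Policy(name, local, ipaddress.IPv4Network(rightsubnet))


def source_seen_by_peer(policies, src: str, dst: str,
                        snat_to: Optional[str] = None) -> Optional[str]:
    """Return the inner source address the remote LAN would see, or None
    if no policy covers the packet (it is then not carried by this tunnel;
    what the stack does with it depends on its fallback policy).
    Assumption: the SNAT rewrite happens before the SPD lookup."""
    if snat_to is not None:
        src = snat_to
    for p in policies:
        if p.matches(src, dst):
            return src
    return None


# The conn as posted: left=%defaultroute resolved to the eth1 address
# 192.168.254.1, no leftsubnet=, rightsubnet= the supplier LAN.
# (198.51.100.0/24 is a constructed stand-in for yy.yy.yy.0/24.)
POSTED = [policy_from_conn("foo", "192.168.254.1", "198.51.100.0/24")]

# The same conn with a leftsubnet= naming the public address as a /32.
# (203.0.113.10 is a constructed stand-in for ac.me.co.uk.)
PUBLIC_ID = [policy_from_conn("foo", "192.168.254.1", "198.51.100.0/24",
                              leftsubnet="203.0.113.10/32")]

WIN2K, SUPPLIER_HOST = "192.168.1.23", "198.51.100.5"

if __name__ == "__main__":
    print("posted conn, no SNAT:",
          source_seen_by_peer(POSTED, WIN2K, SUPPLIER_HOST))
    print("posted conn, SNAT to gateway:",
          source_seen_by_peer(POSTED, WIN2K, SUPPLIER_HOST,
                              snat_to="192.168.254.1"))
    print("posted conn, SNAT to public IP:",
          source_seen_by_peer(POSTED, WIN2K, SUPPLIER_HOST,
                              snat_to="203.0.113.10"))
    print("leftsubnet=public/32, SNAT to public IP:",
          source_seen_by_peer(PUBLIC_ID, WIN2K, SUPPLIER_HOST,
                              snat_to="203.0.113.10"))
```

Read top to bottom: the Win2k box's own address matches nothing; SNAT to 192.168.254.1 matches and reproduces the symptom; SNAT to the public address matches nothing under the posted conn; only when the local selector itself names that address does the peer see it. The model says nothing about the outer packet, NAT-T or the supplier's side, which must hold a mirror-image policy for the same addresses, and whether a POSTROUTING SNAT really precedes the policy lookup on a given kernel/KLIPS setup is the labelled assumption, not a fact the post establishes.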