[Openswan Users] NAT between gateways is problematic

Juha Pietikäinen juha.pietikainen at connet.net
Sat Oct 22 09:55:51 CEST 2005


Hi,

I don't really know if this helps, but
you could try to use the undocumented "leftsourceip" parameter.

In your case, add the following line to your "conn foo" section:

leftsourceip=(Place Acme's public ip here)

I presumed that the public IP is static; if it isn't, this won't help much.


Juha Pietikäinen


Original message:

Hello,

I mustn't expose my LAN.

My setup is
[A] win2k---[B] Linux openswan/iptables---[C] ADSL modem/router===[D] Supplier
as
[A] 192.168.1.23---eth0---[B] 192.168.1.1---eth1---[B] 192.168.254.1---[C] 192.168.254.254...[C] ac.me.co.uk===[D] su.pp.li.er...[D] LAN

I need to telnet from the Win2k box to a supplier Lan machine.
My end of ipsec must present itself as Acme's public ip and NOT 192.168.x.x.

My config is
Slackware 9.1.0
Linux 2.4.22 i686
openswan-2.3.1

config setup
         interfaces=%defaultroute
         nat_traversal=yes
         klipsdebug=none
         plutodebug=none

conn foo
         type=tunnel
         ikelifetime=1h
         rekeymargin=10m
         rekeyfuzz=0%
         compress=no
         keylife=20m
         authby=secret
         keyingtries=0
         auth=esp
         esp=3des-md5-96
         keyexchange=ike
         ike=3des-md5-96
         pfs=no
         left=%defaultroute
         leftid=@acme.co.uk
         right=xx.xx.xx.xx
         rightsubnet=yy.yy.yy.0/24

My endpoint always appears as 192.168.254.x!

I tried
$IPTABLES -t nat -I POSTROUTING -d xx.xx.xx.xx -j SNAT --to-source ac.me.co.uk
and
I tried
$IPTABLES -t nat -I POSTROUTING -d yy.yy.yy.0/24 -j SNAT --to-source ac.me.co.uk
and various others.

I see that "We recommend not trying to build IPsec connections which
pass through a NAT machine. This setup poses problems" and Paul Wouters
said "If the only public IP address available is on the machine in front
of it [...] then it is going to get very difficult to get things running
properly", but the supplier is government and I have little choice.

I even tried native MS IPsec on the Win2k box: a bit mysterious, but a
similar result.

Clues welcome.  TIA

--tim 
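Putting the two messages together, as an added example that neither poster wrote: tim's "conn foo" with Juha's leftsourceip line added, plus the one setting the thread does not mention but which decides what the supplier actually sees. Without leftsubnet, the Phase 2 selector Openswan negotiates for the left side is left's own address, 192.168.254.1/32, which is exactly the "endpoint always appears as 192.168.254.x" symptom; the outer UDP/500 and UDP/4500 packets are already rewritten to ac.me.co.uk by the ADSL router, and nat_traversal=yes takes care of that side. The example assumes (a) KLIPS with ipsec0 on the 2.4 kernel, (b) that the supplier keys its policy on the inner source address, so the gateway must negotiate ac.me.co.uk/32 as its selector, and (c) that ac.me.co.uk has been added to the gateway as a local address, because the Linux kernel refuses a route whose "src" is not configured locally, which is what leftsourceip installs. ac.me.co.uk, xx.xx.xx.xx and yy.yy.yy.0/24 are the thread's own placeholders.

```ini
# Added example, not from the thread: tim's conn with Juha's leftsourceip
# and a leftsubnet that presents the public address as the tunnel's inner
# source.  Assumes KLIPS (ipsec0), a NATing ADSL router in front of the box,
# and that ac.me.co.uk is configured locally on the gateway (see note below).
config setup
         interfaces=%defaultroute
         nat_traversal=yes
         klipsdebug=none
         plutodebug=none

conn foo
         type=tunnel
         ikelifetime=1h
         rekeymargin=10m
         rekeyfuzz=0%
         compress=no
         keylife=20m
         authby=secret
         keyingtries=0
         auth=esp
         esp=3des-md5-96
         keyexchange=ike
         ike=3des-md5-96
         pfs=no
         # 192.168.254.1, the private side of the ADSL router; the router
         # rewrites the outer IKE/ESP packets to ac.me.co.uk, NAT-T handles that.
         left=%defaultroute
         # FQDN-style ID, so the NATed source address is not used as the identity.
         leftid=@acme.co.uk
         # Juha's suggestion: packets the gateway itself sends into the tunnel
         # are sourced from the public address.  The kernel only accepts a
         # route "src" that exists locally, hence the address on lo below.
         leftsourceip=ac.me.co.uk
         # Without this line the left selector is 192.168.254.1/32.  Negotiate
         # the public address as a /32 "subnet" instead (assumption: the
         # supplier keys its policy on this inner address).
         leftsubnet=ac.me.co.uk/32
         right=xx.xx.xx.xx
         rightsubnet=yy.yy.yy.0/24
         auto=add
```

Before bringing the connection up, give the gateway the address so the leftsourceip route is accepted, e.g. `ip addr add ac.me.co.uk/32 dev lo`, and rewrite the LAN's traffic on its way into the tunnel so it matches the ac.me.co.uk/32 -> yy.yy.yy.0/24 eroute: `iptables -t nat -A POSTROUTING -o ipsec0 -s 192.168.1.0/24 -d yy.yy.yy.0/24 -j SNAT --to-source ac.me.co.uk` (hypothetical rule; with KLIPS the POSTROUTING chain on ipsec0 runs before encapsulation, so this changes the inner source, not the outer one). That is why tim's second rule was on the right track but could not work on its own: with the selector still at 192.168.254.1/32, a packet sourced from ac.me.co.uk matches no eroute and is dropped. The first rule (-d xx.xx.xx.xx) aims at the outer packets, which the ADSL router already rewrites; doing it again on the gateway, to an address it does not answer for, only breaks the replies. Verify the negotiated selectors with `ipsec eroute` (KLIPS) or `ipsec auto --status`: the left side should read ac.me.co.uk/32, not 192.168.254.1/32. The public address must be static for any of this to hold, as Juha notes.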


