[Openswan Users] NAT between gateways is problematic
Juha Pietikäinen
juha.pietikainen at connet.net
Sat Oct 22 09:55:51 CEST 2005
Hi,
I don't really know does this help but
you could try to use undocumented "leftsourceip" parameter.
In your case add next line to your "conn foo" section:
leftsourceip=(Place Acme's public ip here)
I presumed that public IP is static, if it isn't this won't help much.
Juha Pietikäinen
Original message:
Hello,
I musn't expose my Lan.
mysetup is
[A] win2k---[B] Linux openswan/iptables---[C] ADSLmodem/router==
=[D] Supplier
as
[A] 192.168.1.23---eth0---[B] 192.168.1.1---eth1---[B]
192.168.254.1---[C] 192.168.254.254...[C] ac.me.co.uk===[D]
su.pp.li.er...[D] Lan
I need to telnet from the Win2k box to a supplier Lan machine.
My end of ipsec must present itself as Acme's public ip and NOT 192.168.x.x.
My config is
Slackware 9.1.0
Linux 2.4.22 i686
openswan-2.3.1
config setup
interfaces=%defaultroute
nat_traversal=yes
klipsdebug=none
plutodebug=none
conn foo
type=tunnel
ikelifetime=1h
rekeymargin=10m
rekeyfuzz=0%
compress=no
keylife=20m
authby=secret
keyingtries=0
auth=esp
esp=3des-md5-96
keyexchange=ike
ike=3des-md5-96
pfs=no
left=%defaultroute
leftid=@acme.co.uk
right=xx.xx.xx.xx
rightsubnet=yy.yy.yy.0/24
My endpoint always appears as 192.168.254.x!
I tried $IPTABLES -t nat -I POSTROUTING -d xx.xx.xx.xx -j SNAT
--to-source ac.me.co.uk
and
I tried $IPTABLES -t nat -I POSTROUTING -d yy.yy.yy.0/24 -j SNAT
--to-source ac.me.co.uk
and various.
I see that "We recommend not trying to build IPsec connections which
pass through a NAT machine. This setup poses problems" and Paul Wouters
said "If the only public IP address available is on the machine in front
of it [...] then it is going to get very difficult to get things running
properly" but supplier is govt and I have little choice.
I even tried native ms ipsec on the win2k box: a bit mysterious but
similar result.
Clues welcome. TIA
--tim
More information about the Users
mailing list