RES: [Openswan Users] Can i NAT my network to access a IPSEC tunnel?

Domingo Antonio domingo at netcomp.com.br
Mon Apr 24 16:56:35 CEST 2006


hum.. I have no klips support in my kernel.
I'll try to compile with klips support and try NAT again...

10x :)
 

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Monday, April 24, 2006 15:04
To: Domingo Antonio
Cc: users at openswan.org
Subject: Re: [Openswan Users] Can i NAT my network to access a IPSEC tunnel?

On Mon, 24 Apr 2006, Domingo Antonio wrote:

> I have configured an openswan host-to-host vpn.
> On my side I have IPADDR=10.0.0.72 and on the other side is
> IPADDR=146.0.0.1.
>
> Each SG can access resources on each other (like telnet, ssh, apache).
>
> Behind the 10.0.0.72 SG I have a network 10.0.0.0/24.
>
> Can I NAT 10.0.0.0/24 to access 146.0.0.1?
> I'm using openswan 2.4.5, kernel 2.6.10-1.771_FC2 on a FC2...
>
> I tried to insert a postrouting rule on 10.0.0.72, but it doesn't work.
>
> Is it possible to NAT my network (10.0.0.0/24) and if so how can I do it?

If you use klips, you have separate interfaces with an ipsec0 interface. You
can then SNAT on using "-i eth0" and use interfaces="ipsec0=eth1" for
klips.
This way, NAT and IPsec do not bite each other.
You might be able to make this work without klips, using the 2.6.16 kernel
using the iptables v.1.3.5 IPsec policies. I have not yet experimented with
this.

Paul


