[Openswan Users] One side NAT other side not??

jham at gnumax.com jham at gnumax.com
Thu Aug 24 12:35:45 EDT 2006

I have a question on Openswan configuration for a tunnel through OpenSwan
and CheckPoint. The CheckPoint side is not NAT-ted. The OpenSwan side is NAT-ted.

The connection negotiates successfully and we can see remote initiated ESP
traffic incoming and local initiated ESP outgoing on the Linux/OpenSwan GW
but no responses on either end. The problem appears to be the NAT side.
The CP side is not capable of NAT-T traversal. I found an FAQ on a
SmoothWall connection that references one side NAT-ting.
The solution suggested is as follows for the LinuxGW ipsec.conf

Left:         (local private IP)
Left ID:      PublicNATIP (local public IP)
Left subnet:
Right:        CP PublicNONATIP (remote public IP)
Right subnet:

Is this correct??
I have been unsuccessful to this point applying any PRE-Routing rules to
disable NAT to the remote destination.

Any help would be greatly appreciated! Thanks
