[Openswan Users] One side NAT other side not??

jham at gnumax.com
Thu Aug 24 12:35:45 EDT 2006


I have a question on Openswan configuration for a tunnel between Openswan
and CheckPoint. The CheckPoint side is not NATed. The Openswan side is NATed.

10.1.0.0/16--10.1.254.1-PublicNATIP----------PublicNONATIP--10.2.0.0/16
LAN1-----------LinuxGW/OpenSwan-----(Internet)-----CPGW---------LAN2

The connection negotiates successfully and we can see remote-initiated ESP
traffic incoming and local-initiated ESP outgoing on the Linux/Openswan GW,
but no responses on either end. The problem appears to be the NAT side.
The CP side is not capable of NAT traversal (NAT-T). I found an FAQ on a
SmoothWall connection that references one side NATing.
The solution suggested is as follows for the LinuxGW ipsec.conf:

Left:         10.1.254.1 (local private IP)
Left ID:      PublicNATIP (local public IP)
Left subnet:  10.1.0.0/16
Right:        CP PublicNONATIP (remote public IP)
Right subnet: 10.2.0.0/16

Is this correct?
I have been unsuccessful to this point in applying any PREROUTING rules to
disable NAT for the remote destination.

Any help would be greatly appreciated! Thanks
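The configuration suggested in the post, written out as an added example in Openswan ipsec.conf syntax (it is not code from the original post or from the Openswan project). PublicNATIP and PublicNONATIP are the post's own placeholders; the connection name, authby=secret, the nat_traversal setting and the pfs comment are assumptions, and the Phase 1/Phase 2 proposals are left at Openswan defaults because the CheckPoint side's settings are not given:

```conf
# Added example, not from the original post: /etc/ipsec.conf on the LinuxGW.
# PublicNATIP / PublicNONATIP are the post's placeholders; substitute the real
# addresses. Algorithms, lifetimes and PFS are assumed to match the CheckPoint
# VPN community settings and are not set here.
config setup
        interfaces=%defaultroute
        # NAT-T is only used when both peers support it; the CheckPoint side
        # does not, so this is harmless but has no effect for this tunnel.
        nat_traversal=yes

conn lan1-to-lan2
        type=tunnel
        authby=secret
        # The local address is the private IP on the outside interface ...
        left=10.1.254.1
        # ... but the identity sent in IKE is the public IP the CheckPoint
        # gateway actually sees, so its peer object can match it.
        leftid=PublicNATIP
        leftsubnet=10.1.0.0/16
        leftnexthop=%defaultroute
        right=PublicNONATIP
        rightid=PublicNONATIP
        rightsubnet=10.2.0.0/16
        # Assumption: set pfs to whatever the CheckPoint side uses; a mismatch
        # lets Phase 1 succeed while Phase 2 fails.
        pfs=yes
        auto=start
```

Two checks that go with this layout. First, Pluto looks up a pre-shared key by the connection's IDs, not by interface addresses, so with leftid set the ipsec.secrets entry should be indexed as `PublicNATIP PublicNONATIP : PSK "..."`. Second, source NAT is applied in the nat table's POSTROUTING chain, not PREROUTING; if the LinuxGW itself masquerades LAN1, the LAN1-to-LAN2 traffic must be exempted before the MASQUERADE rule, for example `iptables -t nat -I POSTROUTING -s 10.1.0.0/16 -d 10.2.0.0/16 -j ACCEPT`, otherwise packets are rewritten to the gateway address before encryption and no longer match the 10.1.0.0/16 to 10.2.0.0/16 policy, which matches the symptom of ESP flowing in both directions with no replies. If the NAT is done by an upstream device instead, that device has to pass IP protocol 50 (ESP) unchanged to 10.1.254.1, and without NAT-T only one such tunnel can sit behind it. `ipsec auto --status` shows whether both phases are established, and tcpdump on the inside interface shows whether decrypted replies from LAN2 are being delivered to LAN1.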
