[Openswan Users] One side NAT other side not??
jham at gnumax.com
Thu Aug 24 12:35:45 EDT 2006
I have a question on Openswan configuration for a tunnel through OpenSwan
and CheckPoint. The checkpoint side is not NAT-ted. The OpenSwan is NATed.
10.1.0.0/16--10.1.254.1-PublicNATIP----------PublicNONATIP--10.2.0.0/16
LAN1-----------LinuxGW/OpenSwan-----(Internet)-----CPGW---------LAN2
The connection negotiates successfully and we can see remote initiated ESP
traffic incoming and local initiated ESP outgoing on the Linux/OpenSwan GW
but no responses on either end. The problem appears to be the NAT side.
The CP side is not capable of NAT traversal (NAT-T). I found an FAQ on a
SmoothWall connection that references one side NAT-ting.
The solution suggested is as follows for the LinuxGW ipsec.conf
Left: 10.1.254.1 (local private IP)
Left ID: PublicNATIP (local public IP)
Left subnet: 10.1.0.0/16
Right: CP PublicNONATIP (remote public IP)
Right subnet: 10.2.0.0/16
Is this correct??
I have been unsuccessful to this point in applying any PREROUTING rules to
disable NAT to the remote destination.
Any help would be greatly appreciated! Thanks
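As an added example (not taken from the original post or from the Openswan project), the five settings sketched above written out as a complete ipsec.conf stanza. The two public addresses are RFC 5737 documentation placeholders (203.0.113.10 for PublicNATIP, 198.51.100.20 for PublicNONATIP); the private addresses are the ones in the post. The connection name, the pre-shared-key authentication and the ipsec.secrets line are assumptions.

```ini
# /etc/ipsec.conf -- added example, not the poster's actual file.
# 203.0.113.10 = PublicNATIP (placeholder), 198.51.100.20 = PublicNONATIP (placeholder)
config setup
    # Enabling NAT-T locally does no harm, but since the CheckPoint peer cannot
    # use it, IKE runs on UDP/500 and ESP travels as IP protocol 50 through the
    # NAT device, which must forward both to 10.1.254.1.
    nat_traversal=yes

conn lan1-to-lan2
    # Local gateway: the private address the Linux box actually owns
    left=10.1.254.1
    # Identify ourselves by the public address the peer sees after NAT
    leftid=203.0.113.10
    leftsubnet=10.1.0.0/16
    # Remote CheckPoint gateway (not NATed) and the network behind it
    right=198.51.100.20
    rightsubnet=10.2.0.0/16
    # Assumption: pre-shared key, indexed by the two IDs in ipsec.secrets:
    #   203.0.113.10 198.51.100.20 : PSK "replace-with-shared-secret"
    authby=secret
    auto=start
```

Two things a practitioner checks alongside this: the NAT device in front of the Linux gateway must forward UDP/500 and IP protocol 50 (ESP) to 10.1.254.1, and if the Linux gateway masquerades LAN1 toward the Internet, the LAN1-to-LAN2 traffic must be exempted from that rewrite so it still matches the IPsec policy, for example with `iptables -t nat -I POSTROUTING -s 10.1.0.0/16 -d 10.2.0.0/16 -j ACCEPT` placed ahead of the MASQUERADE rule. Source NAT happens in the POSTROUTING chain, so that is where the exemption belongs.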