[Openswan Users] One side NAT other side not??

Paul Wouters paul at xelerance.com
Thu Aug 24 12:46:17 EDT 2006


On Thu, 24 Aug 2006, jham at gnumax.com wrote:

> I have a question on Openswan configuration for a tunnel through OpenSwan
> and CheckPoint. The checkpoint side is not NAT-ted. The OpenSwan is NATed.

> The solution suggested is as follows for the LinuxGW ipsec.conf
>
> Left:         10.1.254.1 (local private IP)
> Left ID:      PublicNATIP (local public IP)
> Left subnet:  10.1.0.0/16
> Right:        CP PublicNONATIP (remote public IP)
> Right subnet: 10.2.0.0/16
>
> Is this correct??
> I have been unsuccessful to this point applying any PRE-Routing rules to
> disable NAT to the remote destination.

# nat table, POSTROUTING chain (SNAT is not valid in PREROUTING); the ACCEPT is
# inserted first so LAN->remote traffic matches it before the SNAT rule
iptables -t nat -I POSTROUTING -o externalinterface -s 10.1.0.0/16 -d 10.2.0.0/16 -j ACCEPT
iptables -t nat -A POSTROUTING -o externalinterface -s 10.1.0.0/16 -j SNAT --to-source PublicNATIP

This will prevent NATing packets for IPsec.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
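The layout from the question and the NAT exclusion Paul describes, as an added example (not code from Paul's post or from the Openswan project). The conn keywords follow what the poster listed (left, leftid, leftsubnet, right, rightsubnet); authby and auto, the interface name eth0, and the documentation-range addresses standing in for PublicNATIP and the CheckPoint's public IP are assumptions. The script prints the nat rules by default (dry run), applies them with `apply`, emits the conn with `conf`, and includes a check that reads `iptables -t nat -S POSTROUTING` and confirms the exclusion rule really sits above the SNAT rule, which is the ordering mistake that silently breaks the tunnel.

```shell
#!/bin/sh
# Added example, not Paul's post or Openswan project code. Everything below that
# is not taken from the question is an assumption: the interface name, the
# documentation-range addresses standing in for PublicNATIP / CP PublicNONATIP,
# and the conn keywords beyond those the poster listed.
set -eu

WAN_IF="${WAN_IF:-eth0}"                         # assumed: internet-facing interface
PUBLIC_NAT_IP="${PUBLIC_NAT_IP:-198.51.100.10}"  # assumed: the gateway's public (NATed) address
CP_PUBLIC_IP="${CP_PUBLIC_IP:-203.0.113.5}"      # assumed: the CheckPoint's public address
LOCAL_NET="10.1.0.0/16"
REMOTE_NET="10.2.0.0/16"
IPTABLES="${IPTABLES:-iptables}"

# The conn as the poster described it: left is the private address, leftid the
# public one so the peer sees an ID that matches the NATed source. authby/auto
# are assumed.
ipsec_conn_fragment() {
    cat <<EOF
conn cp-tunnel
    left=10.1.254.1
    leftid=$PUBLIC_NAT_IP
    leftsubnet=$LOCAL_NET
    right=$CP_PUBLIC_IP
    rightsubnet=$REMOTE_NET
    authby=secret
    auto=start
EOF
}

# The two nat rules, in the order that matters: the exclusion is inserted at the
# top of POSTROUTING so LAN->remote traffic is ACCEPTed (left un-NATed) before
# the SNAT rule is reached. SNAT is only valid in the nat table's POSTROUTING
# chain, which matches on the outgoing interface (-o), not the incoming one.
nat_rules() {
    printf '%s\n' \
      "$IPTABLES -t nat -I POSTROUTING -o $WAN_IF -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT" \
      "$IPTABLES -t nat -A POSTROUTING -o $WAN_IF -s $LOCAL_NET -j SNAT --to-source $PUBLIC_NAT_IP"
}

apply_nat_rules() {
    nat_rules | while IFS= read -r cmd; do eval "$cmd"; done
}

# Verify the order on a live box: feed `iptables -t nat -S POSTROUTING` on stdin.
# Returns 0 only if an ACCEPT for LOCAL_NET->REMOTE_NET precedes every
# SNAT/MASQUERADE rule covering LOCAL_NET; otherwise tunnel traffic is rewritten
# to PUBLIC_NAT_IP first and never matches the IPsec policy.
exclusion_precedes_snat() {
    awk -v src="$LOCAL_NET" -v dst="$REMOTE_NET" '
        index($0, "-s " src) && index($0, "-d " dst) && / -j ACCEPT/ { if (!nat_seen) ok = 1 }
        index($0, "-s " src) && (/ -j SNAT/ || / -j MASQUERADE/)       { nat_seen = 1 }
        END { exit ok ? 0 : 1 }'
}

case "${1:-print}" in
    apply) apply_nat_rules ;;
    conf)  ipsec_conn_fragment ;;
    *)     nat_rules ;;   # dry run: show what would be applied
esac
```

Two caveats when checking this on a running gateway: the nat table is consulted only for the first packet of a connection, so flows that were already NATed before the exclusion rule was added keep their mapping until their conntrack entries expire or are flushed; and on kernels with the netfilter policy match, `-m policy --dir out --pol ipsec -j ACCEPT` can replace the address-based exclusion so the rule tracks the IPsec policy instead of a hard-coded subnet.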

