[Openswan Users] One side NAT other side not??

Paul Wouters paul at xelerance.com
Thu Aug 24 12:46:17 EDT 2006

On Thu, 24 Aug 2006, jham at gnumax.com wrote:

> I have a question on Openswan configuration for a tunnel through OpenSwan
> and CheckPoint. The checkpoint side is not NAT-ted. The OpenSwan is NATed.

> The solution suggested is as follows for the LinuxGW ipsec.conf
> Left: (local private IP)
> Left ID:      PublicNATIP (local public IP)
> Left subnet:
> Right:        CP PublicNONATIP (remote public IP)
> Right subnet:
> Is this correct??
> I have been unsuccessful to this point applying any PRE-Routing rules to
> disable NAT to the remote destination.

iptables -I PREROUTING -i internalinterface -s -d -j ACCEPT
iptables -A PREROUTING -i internalinterface -s -j SNAT --to-source PublicNATIP

This will prevent NATing packets for IPsec.

Building and integrating Virtual Private Networks with Openswan:
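
The NAT exemption described in the reply above, as an added example that is not part of the original message: a shell function that prints (does not apply) the two rules for the nat table's POSTROUTING chain, which is where the SNAT target is accepted, with the exemption ordered ahead of the SNAT rule. The function names, subnets, public address and interface name are constructed placeholders, and it assumes the Linux gateway itself performs the SNAT.

```shell
#!/bin/sh
# Added example: print (not apply) nat-table rules that keep tunnel traffic
# out of SNAT. Every address and interface name here is a constructed sample.

# is_cidr ADDR: succeed if ADDR is a.b.c.d or a.b.c.d/len with sane ranges.
is_cidr() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    addr=${1%%/*}; len=${1#*/}
    if [ "$len" = "$1" ]; then len=32; fi  # no "/len": treat as a single host
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] 2>/dev/null || return 1
    case $addr in *.) return 1 ;; esac     # trailing dot would be split away
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '') return 1 ;; esac
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# nat_exempt_rules LOCAL_NET REMOTE_NET PUBLIC_IP OUT_IF
# The ACCEPT is inserted at position 1 of POSTROUTING so tunnel-bound packets
# leave the nat table untouched before the SNAT rule can match them.
nat_exempt_rules() {
    [ $# -eq 4 ] || { echo "usage: nat_exempt_rules LOCAL REMOTE PUBLIC_IP OUT_IF" >&2; return 2; }
    { is_cidr "$1" && is_cidr "$2"; } || { echo "bad subnet" >&2; return 1; }
    case $3 in */*) echo "PUBLIC_IP must be a host address" >&2; return 1 ;; esac
    is_cidr "$3" || { echo "bad PUBLIC_IP" >&2; return 1; }
    case $4 in ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;; esac
    printf 'iptables -t nat -I POSTROUTING 1 -s %s -d %s -j ACCEPT\n' "$1" "$2"
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' "$4" "$1" "$3"
}

# Constructed sample: LAN 10.0.1.0/24, remote LAN 10.0.2.0/24, public 192.0.2.10
nat_exempt_rules 10.0.1.0/24 10.0.2.0/24 192.0.2.10 eth0
```

Review the printed rules against `iptables -t nat -L POSTROUTING -n --line-numbers` before applying them, since an existing SNAT or MASQUERADE rule above the exemption would still rewrite tunnel traffic.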
