[Openswan Users] One side NAT other side not??

Andy Gay andy at andynet.net
Thu Aug 24 14:16:22 EDT 2006

On Thu, 2006-08-24 at 10:35 -0600, jham at gnumax.com wrote:
> I have a question on Openswan configuration for a tunnel through OpenSwan
> and CheckPoint. The checkpoint side is not NAT-ted. The OpenSwan is NATed.
> LAN1-----------LinuxGW/OpenSwan-----(Internet)-----CPGW---------LAN2
> The connection negotiates successfully and we can see remote initiated ESP
> traffic incoming and local initiated ESP outgoing on the Linux/OpenSwan GW
> but no responses on either end. The problem appears to be the NAT side.
> The CP side is not capable of NATT traversal.

If I understand this, your Openswan box is behind a NAT gateway. In that
case, it'll never work if the CP won't do NAT-T. Both ends have to agree
to do that.

Are you sure it's really "not capable" of NAT-T? Seems surprising, most
stuff can do that these days.

>  I found an FAQ on a
> SmoothWall connection that references one side NAT-ting.
> The solution suggested is as follows for the LinuxGW ipsec.conf
> Left: (local private IP)
> Left ID:      PublicNATIP (local public IP)
> Left subnet:
> Right:        CP PublicNONATIP (remote public IP)
> Right subnet:
> Is this correct??
> I have been unsucessful to this point applying any PRE-Routing rules to
> disable NAT to the remote destination.

Now I'm confused. What's doing the NAT here?

> Any help would be greatly appreciated! Thanks
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Users mailing list