[Openswan Users] One side NAT other side not??

jham at gnumax.com jham at gnumax.com
Thu Aug 24 20:18:53 EDT 2006


> On Thu, 24 Aug 2006, jham at gnumax.com wrote:
>
>> I have a question on Openswan configuration for a tunnel through
>> OpenSwan
>> and CheckPoint. The checkpoint side is not NAT-ted. The OpenSwan is
>> NATed.
>
>> The solution suggested is as follows for the LinuxGW ipsec.conf
>>
>> Left:         10.1.254.1 (local private IP)
>> Left ID:      PublicNATIP (local public IP)
>> Left subnet:  10.1.0.0/16
>> Right:        CP PublicNONATIP (remote public IP)
>> Right subnet: 10.2.0.0/16
>>
>> Is this correct??
>> I have been unsuccessful to this point applying any PRE-Routing rules to
>> disable NAT to the remote destination.
>
> iptables -t nat -I POSTROUTING -s 10.1.0.0/16 -d 10.2.0.0/16 -j ACCEPT
> iptables -t nat -A POSTROUTING -o externalinterface -s 10.1.0.0/16 -j SNAT --to-source PublicNATIP
>
> This will prevent NATing packets for IPsec.
>
> Paul
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
Paul,
   Thank you for the quick response!
I will disregard the info from the SmoothWall forum and comment out the
left id parameter and try the iptables PREROUTING rules. I will let you
know how it goes. If that fails I will forward the usual conf and ipsec
barf files.

John

p.s. Great book by the way :)
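The point of Paul's two rules is rule order in the nat chain: the ACCEPT for traffic between the two tunnel subnets has to be hit before the SNAT rule, otherwise the source address is rewritten to the public IP, no longer matches Openswan's 10.1.0.0/16 left subnet selector, and the packet never enters the tunnel. The following added example is not from the thread or from the Openswan project; it is a small first-match model of an iptables nat/POSTROUTING chain that lets you check the ordering offline. The subnets and the placeholder PublicNATIP come from the thread, the address 203.0.113.10 and all traffic samples are constructed.

```python
"""First-match model of the iptables nat/POSTROUTING chain, used to show why
the IPsec bypass ACCEPT must precede the SNAT rule (added example, not code
from the original thread or from Openswan)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the thread's "PublicNATIP" placeholder.
PUBLIC_NAT_IP = "203.0.113.10"


@dataclass
class Rule:
    src: str                      # source CIDR the rule matches (-s)
    dst: Optional[str]            # destination CIDR (-d), None = any destination
    target: str                   # "ACCEPT" or "SNAT" (-j)
    to_source: Optional[str] = None   # --to-source for SNAT rules

    def matches(self, src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> bool:
        if src_ip not in ipaddress.ip_network(self.src):
            return False
        return self.dst is None or dst_ip in ipaddress.ip_network(self.dst)


def traverse(chain: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Walk the chain top to bottom like netfilter does; the first matching
    terminating target decides. Returns the source address the packet leaves with."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in chain:
        if rule.matches(src, dst):
            if rule.target == "ACCEPT":
                return src_ip             # leave the chain, packet untouched
            if rule.target == "SNAT":
                return rule.to_source     # source rewritten to the NAT address
    return src_ip                         # default policy ACCEPT: no translation


def insert_rule(chain: List[Rule], rule: Rule) -> None:
    """Equivalent of `iptables -I CHAIN`: put the rule at the top."""
    chain.insert(0, rule)


def append_rule(chain: List[Rule], rule: Rule) -> None:
    """Equivalent of `iptables -A CHAIN`: put the rule at the bottom."""
    chain.append(rule)


def build_chain(bypass_first: bool) -> List[Rule]:
    """Build the chain both ways: as Paul describes (-I for the bypass, -A for
    the SNAT) and in the broken order where the bypass is appended after SNAT."""
    chain: List[Rule] = []
    bypass = Rule("10.1.0.0/16", "10.2.0.0/16", "ACCEPT")
    snat = Rule("10.1.0.0/16", None, "SNAT", PUBLIC_NAT_IP)
    append_rule(chain, snat)
    if bypass_first:
        insert_rule(chain, bypass)        # -I puts the bypass ahead of the SNAT rule
    else:
        append_rule(chain, bypass)        # -A leaves it behind the SNAT rule: never reached
    return chain


def source_after_nat(bypass_first: bool, src_ip: str, dst_ip: str) -> str:
    """Source address a packet carries after the nat chain for the given ordering."""
    return traverse(build_chain(bypass_first), src_ip, dst_ip)


def enters_tunnel(bypass_first: bool, src_ip: str, dst_ip: str) -> bool:
    """Openswan only selects the tunnel when the (post-NAT) source still lies in
    leftsubnet 10.1.0.0/16 and the destination in rightsubnet 10.2.0.0/16."""
    new_src = ipaddress.ip_address(source_after_nat(bypass_first, src_ip, dst_ip))
    return (new_src in ipaddress.ip_network("10.1.0.0/16")
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network("10.2.0.0/16"))


if __name__ == "__main__":
    # Constructed traffic samples: one flow to the remote subnet, one to the Internet.
    for order in (True, False):
        print(f"bypass rule first: {order}")
        for dst in ("10.2.7.7", "198.51.100.1"):
            print(f"  10.1.5.5 -> {dst}: leaves as {source_after_nat(order, '10.1.5.5', dst)},"
                  f" tunnel={enters_tunnel(order, '10.1.5.5', dst)}")
```

Running it shows the two outcomes side by side: with the bypass inserted first, 10.1.5.5 reaches 10.2.7.7 unmodified and enters the tunnel while Internet-bound traffic is still SNATed; with the bypass appended after the SNAT rule, the same packet leaves as the public IP and falls outside the tunnel's selectors. The same ordering logic applies if the gateway uses MASQUERADE instead of an explicit SNAT.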
