[Openswan Users] IPSec NAT-T in Suse 10

Pjothi pjothi at gmail.com
Wed Feb 15 14:17:33 CET 2006


Hello all,

I have the following LAN scenario

Linux                                                               Linux
192.168.1.2 <-------------> 192.168.1.1 Gateway 192.168.3.100 <--------> 192.168.3.101
                            (eth0)              (eth1)

In this scenario, I am able to ping between 192.168.1.2 and 192.168.3.101

Now I enable SNAT on the gateway with the following iptables command:

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.2.100
(I have tried the same replacing 192.168.2.100 with 192.168.1.15 & 192.168.3.15)


Now, when I ping 192.168.3.101 from 192.168.1.2, it's successful, and on
the 192.168.3.101 side I see the NATed source address 192.168.2.100.

1. How am I able to successfully get reply packets at 192.168.1.2 when
it's NATed and the source address is changed?

Further, when I enable IPSec between 192.168.1.2 and 192.168.3.101, I
expect a NAT to be detected in between. But the Security Association is
being established without any detection of NAT. Strangely, I am still
able to ping between 192.168.1.2 and 192.168.3.101 after the IPSec SA
establishment, but the packets are not NATed anymore either.

I see ESP packets between 192.168.1.2 and 192.168.3.101 on the end
system 192.168.3.101. I expected the ESP packets to be between
192.168.2.100 and 192.168.3.101, not as above.

1. Why is the NAT not detected?
2. Why are the ESP packets not NATed?
3. I expect the packets to be UDP encapsulated here; why isn't that happening?


What mistake am I making here? I believe the mistake should be apparent
to experts. I have tried my best to google and find a solution for this
particular LAN scenario and also went through the README files, but the
above questions still persist for me.

Many thanks for your time,

regards,
Pj
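As an added illustration of what "NAT detected" means in the scenario above (example code written for this page, not Openswan's own implementation): IKE peers detect address translation with NAT-D payloads (RFC 3947). Each side sends HASH(CKY-I | CKY-R | IP | Port) computed over the address and port it believes it is using; the receiver recomputes the hash over the source address it actually observes on the wire, and a mismatch means a NAT rewrote the packet in between. The cookies below are constructed values; the addresses are the ones from the post.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    CKY-I/CKY-R are the 8-byte ISAKMP cookies, IP is the packed address
    (4 bytes for IPv4) and Port is a 2-byte big-endian UDP port.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed
    data = cky_i + cky_r + packed_ip + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def nat_detected(cky_i: bytes, cky_r: bytes,
                 claimed_ip: str, claimed_port: int,
                 observed_ip: str, observed_port: int,
                 hash_name: str = "sha1") -> bool:
    """Receiver-side check.

    claimed_*  : the address/port the sender hashed into its NAT-D payload
    observed_* : the source address/port the receiver sees on the wire
    A differing hash means a NAT changed the packet on the way.
    """
    sent_payload = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port, hash_name)
    local_recompute = nat_d_hash(cky_i, cky_r, observed_ip, observed_port, hash_name)
    return sent_payload != local_recompute


def demo() -> tuple:
    """Two cases from the post: untouched IKE source vs. SNAT to 192.168.2.100."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie

    # Case 1: the responder sees the initiator's real address, no translation.
    no_nat = nat_detected(cky_i, cky_r, "192.168.1.2", 500, "192.168.1.2", 500)

    # Case 2: the gateway rewrote the source to 192.168.2.100 before the
    # packet reached 192.168.3.101, so the recomputed hash no longer matches.
    with_nat = nat_detected(cky_i, cky_r, "192.168.1.2", 500, "192.168.2.100", 500)
    return no_nat, with_nat


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The check only works on the IKE exchange itself: if the peers' recomputed hashes agree, they negotiate plain ESP (IP protocol 50) rather than UDP-encapsulated ESP on port 4500, so when troubleshooting, confirm first whether the IKE packets captured at the responder already carry the translated source address.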

