[Openswan Users] Tunnel Nated traffic Explanation

teddy B boustany_t at hotmail.com
Tue Jan 3 06:30:18 CET 2006


Hi all,
A week ago I posted a question regarding tunneling Nated traffic in ipsec.
I had some replies that it doesn’t work and after several tests I am 
convinced it doesn’t work to do NAT and the ipsec tunnel on the same box.
But my question is: does anyone have a technical explanation why it doesn’t 
work? Or can I find it somewhere? Having the ipsec packet processing in 
tunnel mode will help a lot but I couldn’t find it anywhere.
Thx for any help



>From: "teddy B" <boustany_t at hotmail.com>
>To: users at openswan.org
>Subject: [Openswan Users] Tunnel Nated traffic HELP!
>Date: Fri, 23 Dec 2005 07:32:52 +0000
>
>Hi all,
>I would like to know if there's a special configuration to allow NATed 
>traffic to be tunneled?
>The thing is that I want to set up an ipsec tunnel between 2 networks having 
>overlapping subnets.
>
>i have the following setup
>      net1
>172.16.0.0/24 (FTP server published)
>        |
>Fake net1 (nat rule)
>172.16.100.0/24
>        |
>Ipsec tunnel
>11.11.11.1/24
>        |
>11.11.11.2/24
>Ipsec Tunnel
>        |
>Fake net2( nat rule)
>172.16.101.0/24
>        |
>     net2
>172.16.0.0/24 (WWW server published)
>
>Net1 gateway is a W3K with RRAS an IPSEC Policy
>Net2 gateway is redhat 2.6.9 with openswan 2.4.4
>
>first: I tried my setup without the fake networks and with non-overlapping 
>networks; it worked just fine.
>second: I did my setup with the fake networks but without the ipsec tunnel 
>(simple routing); it worked also.
>third: now when I set up my ipsec tunnel it goes up (main mode SA 
>established, quick mode SA established) but net2 cannot access the ftp 
>server on the windows side.
>When I sniffed my network I found that the request is reaching the FTP 
>server but the reply of the server is stuck in the ipsec interface on the 
>linux side.
>
>I hope I was clear enough in describing my setup.
>Below is my ipsec.conf configuration.
>
>conn linux2win
>    type=tunnel
>    authby=secret
>    left=11.11.11.2
>    leftsubnet=172.16.101.0/24 #fake net
>    leftnexthop=11.11.11.1
>    right=11.11.11.1
>    rightsubnet=172.16.100.0/24  #fake net
>    rightnexthop=11.11.11.2
>    auto=add
>
>Thanks for any help and Merry Xmas
>
>
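The thread does not answer the "why" that is being asked, but the address plan it describes can be checked independently of which IPsec stack does the work. The model below is an added illustration and is not Openswan code or anything from the original post: it implements the 1:1 NETMAP-style translation each gateway has to apply (real 172.16.0.0/24 to the fake net of its own side, host part preserved) and the IPsec policy selector check implied by the posted leftsubnet/rightsubnet values. The host addresses (172.16.0.5 for the FTP server, 172.16.0.10 for a client in net2) are assumed. What it shows is the requirement that makes the setup fragile: the selectors only ever match translated addresses, so in both directions the translation must already have happened at the point where the policy selector is consulted. If the selector check sees the real source on the way out, or the untranslated server address on the way in, the packet is simply not matched by the tunnel policy.

```python
"""Address-plan model for an IPsec tunnel between overlapping subnets.

Added example (not Openswan code): models NETMAP-style 1:1 translation on
each gateway plus the selector check implied by the posted conn. Host
addresses used in the functions below are assumed for illustration.
"""
from ipaddress import ip_address, ip_network

REAL_NET = ip_network("172.16.0.0/24")      # both real LANs (overlapping)
FAKE_NET1 = ip_network("172.16.100.0/24")   # net1 as seen through the tunnel
FAKE_NET2 = ip_network("172.16.101.0/24")   # net2 as seen through the tunnel

# Selectors from the posted conn on the linux side:
#   leftsubnet=172.16.101.0/24 (fake net2), rightsubnet=172.16.100.0/24 (fake net1)
LEFTSUBNET, RIGHTSUBNET = FAKE_NET2, FAKE_NET1


def netmap(addr, src_net, dst_net):
    """1:1 translate addr from src_net into dst_net, keeping the host part
    (the behaviour of iptables' NETMAP target). Addresses outside src_net
    are returned unchanged."""
    a = ip_address(str(addr))
    if a not in src_net:
        return a
    host = int(a) - int(src_net.network_address)
    return ip_address(int(dst_net.network_address) + host)


def matches_policy(src, dst, src_sel, dst_sel):
    """An IPsec policy selector is matched on the packet's own src/dst."""
    return ip_address(str(src)) in src_sel and ip_address(str(dst)) in dst_sel


def outbound_net2_to_net1(client_real, server_fake, snat_before_policy=True):
    """Client in net2 (real address) talks to the FTP server via its fake
    address. Returns (src, dst, carried_by_tunnel) after the gateway's SNAT
    into fake net2 and the outbound selector check. With
    snat_before_policy=False the selector sees the real source, which is
    what an SNAT placed after the policy lookup would look like."""
    src, dst = ip_address(client_real), ip_address(server_fake)
    if snat_before_policy:
        src = netmap(src, REAL_NET, FAKE_NET2)
    carried = matches_policy(src, dst, LEFTSUBNET, RIGHTSUBNET)
    return str(src), str(dst), carried


def reply_from_net1(server_real, client_fake):
    """Windows-side gateway: the FTP server's reply gets its real source
    translated into fake net1 before it enters the tunnel."""
    src = netmap(server_real, REAL_NET, FAKE_NET1)
    return str(src), str(ip_address(client_fake))


def inbound_reply_on_linux(src_after_decap, dst_after_decap):
    """Linux side after decapsulation: inbound selector check (src must be
    in rightsubnet, dst in leftsubnet), then DNAT of the fake net2
    destination back to the real client address."""
    accepted = matches_policy(src_after_decap, dst_after_decap,
                              RIGHTSUBNET, LEFTSUBNET)
    if not accepted:
        return str(ip_address(src_after_decap)), str(ip_address(dst_after_decap)), False
    dst = netmap(dst_after_decap, FAKE_NET2, REAL_NET)
    return str(ip_address(src_after_decap)), str(dst), True


def round_trip(client_real="172.16.0.10", server_real="172.16.0.5"):
    """Full request/reply walk with the assumed hosts; returns the final
    (src, dst, delivered) tuple of the reply as seen by the net2 client."""
    server_fake = netmap(server_real, REAL_NET, FAKE_NET1)   # 172.16.100.5
    req_src, req_dst, carried = outbound_net2_to_net1(client_real, server_fake)
    if not carried:
        return req_src, req_dst, False
    rep_src, rep_dst = reply_from_net1(server_real, req_src)
    return inbound_reply_on_linux(rep_src, rep_dst)


if __name__ == "__main__":
    print("request (SNAT before policy):", outbound_net2_to_net1("172.16.0.10", "172.16.100.5"))
    print("request (SNAT after policy): ", outbound_net2_to_net1("172.16.0.10", "172.16.100.5", False))
    print("reply delivered to client:   ", round_trip())
```

The two calls to outbound_net2_to_net1 are the whole point: the same packet is either carried or silently dropped by the policy depending only on whether the gateway's SNAT is visible to the selector lookup, and the same holds for the reply on the way in. Whatever the stack's internal ordering turns out to be, an address plan for overlapping subnets has to be verified against that rule on both gateways.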
