[Openswan Users] Routing problem with tunnel established

webmaster at elnportal.it webmaster at elnportal.it
Fri Jan 13 19:44:37 CET 2006


So I should try to SNAT on the remote Openswan GATEWAY?


----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: <webmaster at elnportal.it>
Cc: <users at openswan.org>
Sent: Friday, January 13, 2006 5:10 PM
Subject: Re: [Openswan Users] Routing problem with tunnel established


> On Fri, 13 Jan 2006, webmaster at elnportal.it wrote:
>
>> Hi to all, I've a problem on my net-to-net VPN tunnel.
>>
>> I can ping the subnets from each other except for one AS400 server and 2 CISCO
>> routers. I think that for the routers the problem is the ACL .... so I'm
>> trying to SNAT the packet before.
>>
>> Let's make it clear.
>>
>> REMOTE CISCO ACL 10.0.2.0/24 CISCO IP 10.0.2.1
>> LOCAL SUBNET TRYING TO CONNECT TO CISCO DEVICE 10.0.1.0/24
>>
>> 10.0.1.0/24 -- OPENSWAN GATEWAY1 ==== OPENSWAN GATEWAY2 -- 10.0.2.0/24 (here CISCO 10.0.2.1)
>>
>> when I try to ping 10.0.2.1 from 10.0.1.0/24 subnet I can't receive any
>> response.
>>
>> tcpdumping the internet LAN of the VPN end terminal physically connected to 10.0.2.1,
>> I see that ESP packets flow from the 10.0.1.0/24 subnet to 10.0.2.1 but 10.0.2.1
>> doesn't reply.
>>
>> I would like to change the source IP from 10.0.1.0/24 to a dummy IP accepted by the
>> CISCO ACL (a reserved IP on the 10.0.2.0/24 subnet) using SNAT.
>>
>> I've tried
>> iptables -t nat -A POSTROUTING -d 10.0.2.1 -j SNAT --to 10.0.2.254
>> on the Openswan Gateway connected to 10.0.1.0/24 but it doesn't seem to work.
>>
>> Tried too
>> iptables -t nat -A POSTROUTING -d 10.0.2.1 -j SNAT --to 10.0.2.254
>> on the Openswan Gateway connected to the 10.0.2.0/24 subnet but it still doesn't
>> work.
>>
>> I think that firewall decisions are taken before the VPN packet information
>> is extracted.
>>
>> What can I do? Can I make some modification in the mangle table to achieve my
>> goal?
>
> If you can SNAT on the incoming local ethX interface, then it should work.
> SNAT'ing the linux machine's one IP to something else is very tricky in
> combination with ipsec. It might work with KLIPS, and for NETKEY you would
> have to try bleeding edge netfilter patch-o-matic patches.
>
> Paul
> 