[Openswan Users] FW: questions based on the VPN behind the NAT Box.

Shi Lang shilang at greenpacket.com
Wed Jan 18 11:56:48 CET 2006


( VPN1 ( --- (br0: NAT1 (eth0:  -----  (eth0: NAT2 (br0:
--- ( VPN2 (

The case is site-to-site VPN, but each site VPN is behind a linux firewall.
VPN1 and VPN2 are not roadwarriers. I did not install the NATT patch.

Shi Lang
Quality Assurance Engineer
GreenPacket Bhd
Tel: 006-03-89966022 ext: 105
E-mail: shilang at greenpacket.com

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Wednesday, January 18, 2006 10:12 AM
To: Shi Lang
Cc: 'Openswan DEV'; 'Tuomo Soini'
Subject: Re: questions based on the VPN behind the NAT Box.

On Wed, 18 Jan 2006, Shi Lang wrote:

> On NAT1 Pure Linux PC I did:
> 1. ifconfig eth0:1        * is the mapping
> ip of, the VPN1's external interface eth0.
> 2. iptables -t nat -I POSTROUTING 1 -s -j SNAT --to-source
> 3. iptables -t nat -I POSTROUTING 1 -d -j DNAT --to-dest
> I also did settings on NAT2, mapping to
> I have successfully established the tunnel between VPN1 and VPN2.

So you first encrypt/sign the packet, then mangle it "broken" by SNAT,
then "break it some more" with DNAT. If it works, I guess you should count
yourself lucky, and thank Arkoon networks for their NAT-T patch we include.
I am assuming this only works because you are rewriting UDP packets
the IPsec pacets.

> 1.  But my first try is without Leftid and Rightid in the ipsec.conf in
> and VPN2,
> it failed to establish the M3 negotiation (m1 and m2 in Main Mode is ok, i
> checked with 'ipsec auto --status').
> IKE RFC 2409 says: Main Mode, the last two messages authenticate the DH
> exchange.

The default id if not specified is the IP address. So the Id within the
IKE packets contain the original non-NAT'ed IP address. These do not
match the SNAT'ed IP address.

> 2.  But if VPN1 direct to VPN2 (without NAT Box), then without leftid and
> rightid can establish the tunnel at this time.

Yes, because you are not rewriting the IP address you sent as ID.

You can explicitely set a leftid= and rightid=, but the ideal situation is
to not use this NAT approach.


More information about the Users mailing list