[Openswan Users] question on SNAT and ipsec verify

Paul Wouters paul at xelerance.com
Fri Jan 27 00:34:12 CET 2006


On Thu, 26 Jan 2006, Frank.Mayer at knapp-systems.com wrote:

> I'm using Kernel 2.4.32 (KLIPS and NATT-patch applied) and OpenS/WAN 2.4.4
>
> I have setup similar to:
>
> private network: 172.20.0.0/16
>
> partner A: 10.20.0.0/16, tunnel uses e.g.
> leftnetwork=172.20.0.0/16, rightnetwork=10.20.100.0/24 (range I need to
> access)
>
> partner B: 192.168.0.0/24, but use 172.16.0.0/12 in their network
> so I have an iptables-rule
> POSTROUTING -s 172.20.0.0/16 -d 192.168.0.0/24 -j SNAT --to-source
> 172.21.1.1
> and for the tunnel I use
> leftnetwork=172.21.1.1/32, rightnetwork=192.168.0.0/24,
>
> When I run "ipsec verify" I get messages like
> SNAT from 172.20.0.0/16 to 0.0.0.0/0 kills tunnel 172.20.0.0/16
> ->192.168.0.0/24
> (I'd understand that, if I really had a rule SNATing every connection, but
> I don't!)
>
> 1) I know that the SNAT rule does not interfere (at least not noticeably)
> with the tunnels, since network traffic runs OK.
> 2) I know this kind of nat does not work at all using a default 2.6-Kernel
> of Debian Sarge (or SuSE SLES9) and the precompiled ipsec-tools

ipsec verify is not clever enough to make that distinction. Indeed, it works
with klips provided you SNAT on the internal interface and run klips on
the external interface.

You can ignore this "error",

Paul
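An added example, not part of the thread and not Openswan's own `ipsec verify` code: a small Python audit that makes the distinction the thread says `ipsec verify` does not. It reads a POSTROUTING table in `iptables-save` format and compares each SNAT rule with a conn's leftsubnet/rightsubnet, honouring the rule's `-d` (treated as 0.0.0.0/0 when absent) and accepting a rewrite whose new source still lies inside the tunnel's own left subnet, which is the pattern described in the post. The NAT table and the conn list are constructed sample input; the conn names, the parsing of `iptables-save` lines and the 203.0.113.1 catch-all rule are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the two conns from the post, as (leftsubnet, rightsubnet).
SAMPLE_CONNS = {
    "partnerA": ("172.20.0.0/16", "10.20.100.0/24"),
    "partnerB": ("172.21.1.1/32", "192.168.0.0/24"),
}

# Constructed sample in `iptables-save -t nat` format: the poster's SNAT rule
# plus a catch-all SNAT (assumed here) of the kind that really would break a tunnel.
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 172.20.0.0/16 -d 192.168.0.0/24 -j SNAT --to-source 172.21.1.1
-A POSTROUTING -s 172.20.0.0/16 -j SNAT --to-source 203.0.113.1
COMMIT
"""


@dataclass
class SnatRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network  # 0.0.0.0/0 when the rule has no -d
    to_source: ipaddress.IPv4Address
    raw: str


def parse_snat_rules(table: str) -> list:
    """Extract POSTROUTING SNAT rules from iptables-save output.

    Only plain -s/-d matches are understood; negated (! -s) matches, interface
    matches (-o/-i) and MASQUERADE targets are ignored by this example.
    """
    rules = []
    for line in table.splitlines():
        if not line.startswith("-A POSTROUTING") or "-j SNAT" not in line:
            continue
        src = re.search(r"\s-s\s(\S+)", line)
        dst = re.search(r"\s-d\s(\S+)", line)
        to = re.search(r"--to-source\s(\S+)", line)
        if not to:
            continue
        # --to-source may carry a range or ports (a.b.c.d-a.b.c.e:1024-65535);
        # the first address is enough for the policy check below.
        first_addr = to.group(1).split("-")[0].split(":")[0]
        rules.append(SnatRule(
            src=ipaddress.ip_network(src.group(1) if src else "0.0.0.0/0", strict=False),
            dst=ipaddress.ip_network(dst.group(1) if dst else "0.0.0.0/0", strict=False),
            to_source=ipaddress.ip_address(first_addr),
            raw=line,
        ))
    return rules


def snat_kills_tunnel(rule: SnatRule, leftsubnet: str, rightsubnet: str) -> bool:
    """True if the rule rewrites packets the tunnel should carry so that they
    no longer match its policy.

    A rule that cannot see the tunnel's traffic (no source overlap, or a -d that
    misses rightsubnet) is harmless; a rule that rewrites the source to an
    address still inside leftsubnet is harmless as well.
    """
    left = ipaddress.ip_network(leftsubnet, strict=False)
    right = ipaddress.ip_network(rightsubnet, strict=False)
    if not rule.src.overlaps(left):
        return False  # rule never matches this tunnel's source addresses
    if not rule.dst.overlaps(right):
        return False  # rule never matches packets bound for the far side
    return rule.to_source not in left  # rewritten source falls outside the policy


def audit(table: str, conns: dict) -> dict:
    """Map each conn name to the raw SNAT rules that would break it."""
    rules = parse_snat_rules(table)
    return {
        name: [r.raw for r in rules if snat_kills_tunnel(r, left, right)]
        for name, (left, right) in conns.items()
    }


if __name__ == "__main__":
    for conn, hits in audit(SAMPLE_NAT_TABLE, SAMPLE_CONNS).items():
        print(conn, "OK" if not hits else "broken by: " + "; ".join(hits))
```

On the sample input the poster's rule is reported as harmless for both conns and only the catch-all is flagged, and only for partnerA. Each rule is judged on its own, so first-match ordering in the chain is not modelled and the check can over-report; it also ignores `-o`/`-i`, which under KLIPS (plaintext leaving via ipsec0, ESP via the external interface) decides whether a rule ever sees the pre-encryption packet at all, so treat a clean result as a reason to test the tunnel, not as proof.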

