[Openswan Users] question on SNAT and ipsec verify

Paul Wouters paul at xelerance.com
Fri Jan 27 00:34:12 CET 2006

On Thu, 26 Jan 2006, Frank.Mayer at knapp-systems.com wrote:

> I'm using Kernel 2.4.32 (KLIPS and NATT-patch applied) and OpenS/WAN 2.4.4
> I have setup similar to:
> private network:
> partner A:, tunnel uses e.g.
> leftnetwork=, rightnetwork= (range I need to
> access)
> partner B:, but use in their network
> so I have an iptables-rule
> POSTROUTING -s -d -j SNAT --to-source
> and for the tunnel I use
> leftnetwork=, rightnetwork=,
> When I run "ipsec verify" I get messages like
> SNAT from to kills tunnel
> ->
> (I'd understand that, if I really had a rule SNATing every connection, but
> I don't!)
> 1) I know that the SNAT rule does not interfere (at least not noticeably)
> with the tunnels, since network traffic runs OK.
> 2) I know this kind of nat does not work at all using a default 2.6-Kernel
> of Debian Sarge (or SuSE SLES9) and the precompiled ipsec-tools

ipsec verify is not clever enough to make that distinction. Indeed, it works
with klips provided you SNAT on the internal interface and run klips on
the external interface.

You can ignore this "error".
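The distinction the reply says ipsec verify cannot make (a SNAT rule scoped to one partner's range, whose rewritten source is exactly what that conn's leftsubnet expects, versus a rule that rewrites every connection) can be checked from the rule and conn parameters alone. The script below is an added example, not Openswan code and not how ipsec verify actually decides; it compares the unconditional warning the post describes with an assumed address-scoped check. The addresses are constructed placeholders, since the original mail's addresses did not survive archiving.

```python
"""Compare an unconditional 'SNAT kills tunnel' warning with an address-scoped check."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List


@dataclass(frozen=True)
class SnatRule:
    """One POSTROUTING rule: -s SRC -d DST -j SNAT --to-source TO."""
    src: str
    dst: str
    to_source: str


@dataclass(frozen=True)
class Tunnel:
    """Address ranges of one conn: leftsubnet is our side, rightsubnet the partner's."""
    name: str
    leftsubnet: str
    rightsubnet: str


def _net(cidr: str):
    # strict=False accepts a bare host address or a range with host bits set
    return ip_network(cidr, strict=False)


def naive_verdict(rules: List[SnatRule], tunnel: Tunnel) -> List[str]:
    """What the post reports ipsec verify doing: every SNAT rule is flagged."""
    return [f"SNAT from {r.src} to {r.dst} kills tunnel {tunnel.name}" for r in rules]


def scoped_verdict(rules: List[SnatRule], tunnel: Tunnel) -> List[str]:
    """Assumed refinement (not ipsec verify's logic): warn only when a rule can
    match traffic bound for this tunnel's rightsubnet AND would rewrite a
    leftsubnet source to an address the conn's leftsubnet does not cover."""
    left, right = _net(tunnel.leftsubnet), _net(tunnel.rightsubnet)
    warnings = []
    for r in rules:
        if not _net(r.dst).overlaps(right):
            continue  # rule only fires for destinations outside this tunnel
        if _net(r.to_source).subnet_of(left):
            continue  # rewritten source is what leftsubnet expects: NAT is by design
        if _net(r.src).overlaps(left):
            warnings.append(
                f"SNAT {r.src}->{r.dst} rewrites tunnel {tunnel.name} traffic to "
                f"{r.to_source}, outside leftsubnet {tunnel.leftsubnet}")
    return warnings


# Constructed sample mirroring the layout in the post (placeholder addresses).
PRIVATE_NET = "10.0.1.0/24"      # our private network
PARTNER_A_NET = "192.168.50.0/24"  # partner A accepts PRIVATE_NET directly
PARTNER_B_NET = "172.16.0.0/24"    # partner B wants to see NAT_ADDR instead
NAT_ADDR = "10.99.0.1"

RULES = [SnatRule(PRIVATE_NET, PARTNER_B_NET, NAT_ADDR)]
TUNNEL_A = Tunnel("partnerA", PRIVATE_NET, PARTNER_A_NET)
TUNNEL_B = Tunnel("partnerB", NAT_ADDR + "/32", PARTNER_B_NET)

# A genuinely harmful rule for comparison: rewrites everything leaving PRIVATE_NET.
CATCH_ALL = [SnatRule(PRIVATE_NET, "0.0.0.0/0", "203.0.113.5")]

if __name__ == "__main__":
    for t in (TUNNEL_A, TUNNEL_B):
        print(t.name, "naive: ", naive_verdict(RULES, t))
        print(t.name, "scoped:", scoped_verdict(RULES, t))
    print("catch-all vs partnerA:", scoped_verdict(CATCH_ALL, TUNNEL_A))
```

For the post's layout the scoped check stays silent on both conns, while the unconditional one complains about partner A exactly as quoted above; only the catch-all rule, which really would rewrite partner A's traffic, produces a warning from both. The check ignores rule ordering and interfaces, so it is a sanity check on the configuration, not a substitute for watching the traffic.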

