[Openswan Users] Forcing snat of an internal host before ipsec on the same box?

"Adrián R. Sanchez" adrian_sanchez at actionline.com.ar
Tue Mar 7 18:03:24 CET 2006

Hi there,

I have a pretty simple setup like the following:

[host "a"]-[ipsec gateway "a"]===[ipsec gateway "b"]-[host "b"]

  - Host "a" needs to see host "b" and vice-versa through the tunnel: no 
problems so far, very easy indeed.

  - Hosts "a" and "b" have private addresses, but they are also 
publicly visible from the internet because the IPSec gateways happen 
to act as firewalls with nat, too: still very easy, everything works 
fine. I can see the hosts by their public addresses and by their private 
ones as needed.

This makes things look like this:

host "a" is ( as nat'ed by ipsec gateway "a")
ipsec gateway "a" is
ipsec gateway "b" is
host "a" is ( as nat'ed by ipsec gateway "b")

Now, the problem: My client wants an ipsec tunnel that uses the public 
nat addresses of "host a" and "host b", and not the private ones.

How would you do that?

OpenSwan 2.3.1-1 over Fedora Core 2, kernel 2.6.5-1.358 on my side.

Thank you!


Adrián R. Sanchez
Dpto. de Tecnología

Actionline de Argentina S.A.
Viamonte 570 (C1053ABL)
Buenos Aires, Argentina
Tel.: +54 11 5093-3905
