Forcing snat of an internal host before ipsec on the same box?
"Adrián R. Sanchez"
adrian_sanchez at actionline.com.ar
Tue Mar 7 18:03:24 CET 2006
I have a pretty simple setup like the following:
[host "a"]-[ipsec gateway "a"]===[ipsec gateway "b"]-[host "b"]
- Host "a" needs to see host "b" and vice-versa through the tunnel: no
problems so far, very easy indeed.
- Hosts "a" and "b" have private addresses, but they are also
publicly visible from the internet because the IPSec gateways happen
to act as firewalls with nat, too: still very easy, everything works
fine. I can see the hosts by their public addresses and by their private
ones as needed.
This makes things look like this:
host "a" is 126.96.36.199 (188.8.131.52 as nat'ed by ipsec gateway "a")
ipsec gateway "a" is 184.108.40.206
ipsec gateway "b" is 220.127.116.11
host "a" is 18.104.22.168 (22.214.171.124 as nat'ed by ipsec gateway "b")
Now, the problem: My client wants an ipsec tunnel that uses the public
nat addresses of "host a" and "host b", and not the private ones.
How would you do that?
OpenSwan 2.3.1-1 over Fedora Core 2, kernel 2.6.5-1.358 on my side.
Adrián R. Sanchez
Dpto. de Tecnología
Actionline de Argentina S.A.
Viamonte 570 (C1053ABL)
Buenos Aires, Argentina
Tel.: +54 11 5093-3905