[Openswan Users]
A tunnel using snat'ed addresses from the ipsec box
"Adrián R. Sanchez"
adrian_sanchez at actionline.com.ar
Wed Mar 8 08:12:06 CET 2006
Hi there,
I have a pretty simple setup like the following:
[host "a"]-[ipsec gateway "a"]===[ipsec gateway "b"]-[host "b"]
- Host "a" needs to see host "b" and vice versa through the tunnel: no
problems so far, very easy indeed.
- Hosts "a" and "b" have private addresses, but they are also
publicly visible from the Internet because the IPsec gateways happen
to act as firewalls with NAT, too: still very easy, everything works
fine. I can see the hosts by their public addresses on the Internet and
they can see each other by their private ones, through the tunnel.
This makes things look like this:
host "a" is 1.1.1.10 ( and 200.200.200.2 as nat'ed by ipsec gateway "a")
ipsec gateway "a" is 200.200.200.1
ipsec gateway "b" is 150.150.150.1
host "b" is 2.2.2.10 (and 150.150.150.2 as nat'ed by ipsec gateway "b")
Now, the problem: My client wants an ipsec tunnel that uses the public
nat addresses of "host a" and "host b", and not the private ones.
How would you do that? I could declare such configuration with no major
problems, but the packets won't travel through the tunnel.
This works:
left=200.200.200.1
leftsubnet=1.1.1.10/32
right=150.150.150.1
rightsubnet=2.2.2.10/32
This doesn't work:
left=200.200.200.1
leftsubnet=200.200.200.2/32
right=150.150.150.1
rightsubnet=150.150.150.2/32
OpenSwan 2.3.1-1 over Fedora Core 2, kernel 2.6.5-1.358 on my side.
Thank you!
--
Adrián R. Sanchez
Dpto. de Tecnología
Actionline de Argentina S.A.
Viamonte 570 (C1053ABL)
Buenos Aires, Argentina
Tel.: +54 11 5093-3905
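The following is an added illustration, not part of the post above and not Openswan code. It models only gateway "a"'s outbound path with the addresses from the post: an SPD entry is the conn's leftsubnet/rightsubnet pair, and a policy matches on the addresses the packet carries at the moment of the lookup. Whether the source NAT is applied before or after that lookup is an assumption the model makes explicit as a flag (the "SPD first" ordering is what a policy lookup done at routing time, ahead of POSTROUTING NAT, amounts to); the Packet, Policy and gateway_a_output names are hypothetical, and the return path through gateway "b" is not modelled.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses exactly as given in the post (constructed scenario, not a real network).
HOST_A_PRIV, HOST_A_PUB = "1.1.1.10", "200.200.200.2"
HOST_B_PRIV, HOST_B_PUB = "2.2.2.10", "150.150.150.2"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Policy:
    """One SPD entry: a conn's leftsubnet/rightsubnet pair as seen from the left gateway."""
    name: str
    leftsubnet: str
    rightsubnet: str

    def matches(self, pkt: Packet) -> bool:
        # Selectors are compared against the packet's *current* addresses.
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.leftsubnet)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.rightsubnet))


def spd_lookup(spd, pkt):
    """Return the name of the first policy covering the packet, or None (no policy: cleartext)."""
    for pol in spd:
        if pol.matches(pkt):
            return pol.name
    return None


def apply_snat(pkt, snat_map):
    """Source NAT on the firewall: rewrite src if it has a public mapping."""
    return replace(pkt, src=snat_map.get(pkt.src, pkt.src))


def gateway_a_output(pkt, spd, snat_map, snat_before_spd):
    """Model gateway "a"'s forwarding of a packet from host "a".

    Returns (disposition, packet_on_the_wire), where disposition is "tunnel"
    (the packet would be ESP-encapsulated) or "cleartext".  snat_before_spd is
    the assumed ordering of source NAT relative to the policy lookup.
    """
    if snat_before_spd:
        pkt = apply_snat(pkt, snat_map)
        chosen = spd_lookup(spd, pkt)
    else:
        chosen = spd_lookup(spd, pkt)
        if chosen is None:
            pkt = apply_snat(pkt, snat_map)  # untunnelled traffic is still NATed on its way out
    return ("tunnel" if chosen else "cleartext"), pkt


# The two conn definitions from the post, reduced to their selectors.
PRIVATE_CONN = [Policy("private", "1.1.1.10/32", "2.2.2.10/32")]
PUBLIC_CONN = [Policy("public", "200.200.200.2/32", "150.150.150.2/32")]
SNAT_MAP = {HOST_A_PRIV: HOST_A_PUB}


def run_cases():
    # host "a" reaches host "b" by its private address (the "works" config)
    private_pkt = Packet(HOST_A_PRIV, HOST_B_PRIV)
    # host "a" reaches host "b" by its public address (what the client wants)
    public_pkt = Packet(HOST_A_PRIV, HOST_B_PUB)
    return {
        "private_conn": gateway_a_output(private_pkt, PRIVATE_CONN, SNAT_MAP, snat_before_spd=False),
        "public_conn_spd_first": gateway_a_output(public_pkt, PUBLIC_CONN, SNAT_MAP, snat_before_spd=False),
        "public_conn_snat_first": gateway_a_output(public_pkt, PUBLIC_CONN, SNAT_MAP, snat_before_spd=True),
    }


if __name__ == "__main__":
    for case, (disposition, pkt) in run_cases().items():
        print(f"{case:24s} -> {disposition:9s} {pkt.src} -> {pkt.dst}")
```

The middle case reproduces the symptom in the post: with the public-address selectors, a packet that still carries 1.1.1.10 as its source at lookup time matches no policy, is then source-translated, and leaves the gateway unencrypted. Only when the translated source is already in place before the lookup do the 200.200.200.2/32 and 150.150.150.2/32 selectors select the tunnel, which is the ordering any working configuration of that conn has to arrange.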