[Openswan Users] A tunnel using snat'ed addresses from the ipsec box

"Adrián R. Sanchez" adrian_sanchez at actionline.com.ar
Wed Mar 8 08:12:06 CET 2006


Hi there,

I have a pretty simple setup like the following:

[host "a"]-[ipsec gateway "a"]===[ipsec gateway "b"]-[host "b"]

  - Host "a" needs to see host "b" and vice versa through the tunnel: no
problems so far, very easy indeed.

  - Hosts "a" and "b" have private addresses, but they are also
publicly visible from the Internet because the IPsec gateways happen
to act as firewalls with NAT, too: still very easy, everything works
fine. I can see the hosts by their public addresses on the Internet and
they can see each other by their private ones, through the tunnel.

This makes things look like this:

host "a" is 1.1.1.10 ( and 200.200.200.2 as nat'ed by ipsec gateway "a")
ipsec gateway "a" is 200.200.200.1
ipsec gateway "b" is 150.150.150.1
host "b" is 2.2.2.10 (and 150.150.150.2 as nat'ed by ipsec gateway "b")

Now, the problem: my client wants an IPsec tunnel that uses the public
NAT addresses of host "a" and host "b", and not the private ones.

How would you do that? I can declare such a configuration with no major
problems, but the packets won't travel through the tunnel.

This works:

left=200.200.200.1
leftsubnet=1.1.1.10/32
right=150.150.150.1
rightsubnet=2.2.2.10/32


This doesn't work:

left=200.200.200.1
leftsubnet=200.200.200.2/32
right=150.150.150.1
rightsubnet=150.150.150.2/32


Openswan 2.3.1-1 over Fedora Core 2, kernel 2.6.5-1.358 on my side.


Thank you!



-- 

Adrián R. Sanchez
Dpto. de Tecnología

Actionline de Argentina S.A.
Viamonte 570 (C1053ABL)
Buenos Aires, Argentina
Tel.: +54 11 5093-3905