[Openswan Users] A tunnel using snat'ed addresses from the ipsec box

"Adrián R. Sanchez" adrian_sanchez at actionline.com.ar
Wed Mar 8 08:12:06 CET 2006

Hi there,

I have a pretty simple setup like the following:

[host "a"]-[ipsec gateway "a"]===[ipsec gateway "b"]-[host "b"]

  - Host "a" needs to see host "b" and vice-versa through the tunnel: no
problems so far, very easy indeed.

  - Hosts "a" and "b" have private addresses, but they are also
publicly visible from the internet because the IPSec gateways happen
to act as firewalls with nat, too: still very easy, everything works
fine. I can see the hosts by their public addresses on the Internet and 
they can see each other by their private ones, through the tunnel.

This makes things look like this:

host "a" is ( and as nat'ed by ipsec gateway "a")
ipsec gateway "a" is
ipsec gateway "b" is
host "b" is (and as nat'ed by ipsec gateway "b")

Now, the problem: My client wants an ipsec tunnel that uses the public
nat addresses of "host a" and "host b", and not the private ones.

How would you do that? I could declare such configuration with no major 
problems, but the packets won't travel through the tunnel.

This works:


This doesn't work:


OpenSwan 2.3.1-1 over Fedora Core 2, kernel 2.6.5-1.358 on my side.

Thank you!


Adrián R. Sanchez
Dpto. de Tecnología

Actionline de Argentina S.A.
Viamonte 570 (C1053ABL)
Buenos Aires, Argentina
Tel.: +54 11 5093-3905
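As an added illustration, not part of the original post (whose configuration snippets did not survive), here is what the two conns for the topology above look like in Openswan 2.x ipsec.conf syntax. Every address is assumed: the gateways are 192.0.2.1 and 198.51.100.1, host "a" is 10.1.1.10 privately and 192.0.2.10 as NAT'ed by gateway "a", host "b" is 10.2.2.10 privately and 198.51.100.10 as NAT'ed by gateway "b". The first conn is the private-to-private tunnel the poster reports as working; the second is the public-to-public tunnel the client asked for.

```ini
# /etc/ipsec.conf  (Openswan 2.x syntax) -- added example, all addresses assumed
config setup
        interfaces=%defaultroute
        nat_traversal=no

conn %default
        authby=secret
        keyingtries=0

# Working case: the hosts talk to each other over their private addresses.
conn a-to-b-private
        left=192.0.2.1                 # ipsec gateway "a" (assumed)
        leftsubnet=10.1.1.10/32        # host "a", private address (assumed)
        right=198.51.100.1             # ipsec gateway "b" (assumed)
        rightsubnet=10.2.2.10/32       # host "b", private address (assumed)
        auto=start

# Requested case: the selectors are the public (SNAT) addresses.
# A packet from host "a" only matches this policy if the gateway has
# already rewritten its source to 192.0.2.10 at the point where the
# IPsec policy lookup runs; if the lookup still sees 10.1.1.10 as the
# source, the packet matches neither conn and is not encrypted.
conn a-to-b-public
        left=192.0.2.1
        leftsubnet=192.0.2.10/32       # host "a" as seen from the Internet (assumed)
        right=198.51.100.1
        rightsubnet=198.51.100.10/32   # host "b" as seen from the Internet (assumed)
        auto=start
```

The check worth doing when the second conn is up but carries nothing: `ipsec auto --status` lists the installed policies with their selectors (on KLIPS `ipsec eroute`, on NETKEY `ip xfrm policy` show the same), and the selector has to match the source address the packet carries at the moment the IPsec policy is consulted, not the one it has after the NAT POSTROUTING rewrite if that rewrite comes later.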
