[Openswan Users] SNAT before IPSec, save my soul.

Adrian_Sanchez Adrian_Sanchez at actionline.com.ar
Thu Mar 23 22:25:17 CET 2006

I am trying to set up a tunnel where an internal host with a rather common
and overused leftsubnet address gets SNAT'ed with a public address from
the same public subnet my OpenSWAN public gateway listens on (it's just
one box with several IP address aliases which acts both as a NAT gateway
and an OpenSWAN box).

After digging through dozens of forums and asking for help, I only got
some comments about using the KLIPS module in order to get back my good ol'
ipsec0 interface (but I had no chance to compile and run it on Fedora 4
and 5 with any kernel from 2.6.5 to 2.6.15). I also got comments
about combining kernel 2.6.16, iptables 1.3.5 + POM in a tainted,
unspecific way my scorched brain can't figure out.

I think I'm really close to giving up and telling my client to put an end to
his sufferings (and mine) by putting in a Cisco box which does exactly what
I need just by typing a simple ACL lacking its "nonat" line, or by putting in
a Checkpoint box and setting a "nat hide" directive, or whatever fits the

While private, overlapping network addresses become more and more common
at the same time as people need them connected to each other, I just can't
figure out why it's so tricky to get this SNAT workaround done on Linux.

Maybe I'm missing lots of things here? Please enlighten me and forgive my
mood... I'm under heavy pressure regarding this thing. It's really
frustrating. In fact, I think it's the only thing I can't get my Linux
boxes to do so far.

Would you kindly point me in the right direction?

2.6 + IPSEC + SNAT for Dummies maybe?

Thanks again.
