[Openswan Users] SNAT before IPSec, save my soul.

ted leslie tleslie at tcn.net
Thu Mar 23 21:00:24 CET 2006

I have the same issue (or similar).

I just got 2.6.14 and the KLIPS patch installed successfully and will see if it works.
But I tried to solve it on a Cisco (of my client);
that would involve the NAT-on-a-stick approach, and after reading that paper
at Cisco, wow, that didn't look that easy.

I don't understand how just a "nonat" line solves your problem on Cisco.

If you like, can you send me a simple network diagram (off list if you like)?
I'd be interested in exactly your topology layout.

I am hoping that because I should have a working KLIPS 2.6 kernel system now I will be OK;
you're scaring me with the iptables 1.3.5 "tainted" comment below, hopefully I don't run into that.
I guess I am lucky: I am building a box from scratch and can pick and choose my kernel (2.6.*)
and version of Openswan, where you are a bit more limited.

Could you install a Linux 2.4.14 on your FC4/5? Or do you have to stick with the official FC kernels supplied
by RH?

Checkpoint is just hardened Linux... so I am not sure how you would do something with Checkpoint
that you can't do with Linux?


On Thu, 23 Mar 2006 22:25:17, "Adrian_Sanchez" <Adrian_Sanchez at actionline.com.ar> wrote:

> I am trying to set up a tunnel where an internal host with a rather common
> and overused leftsubnet address gets SNAT'ed with a public address from
> the same public subnet my OpenSWAN public gateway listens on (it's just
> one box with several IP address aliases which acts both as a NAT gateway
> and an OpenSWAN box).
> After digging through dozens of forums and asking for help, I only got
> some comments about using the KLIPS module in order to get back my good ol'
> ipsec0 interface (but I had no chance to compile and run it on Fedora 4
> and 5 with whatever from 2.6.5 to 2.6.15 kernels). I also got comments
> about combining kernel 2.6.16, iptables 1.3.5 + POM in a tainted,
> unspecific way my scorched brain can't figure out.
> I think I'm really close to giving up and telling my client to put an end to
> his sufferings -and mine- by putting in a Cisco box which does exactly what
> I need just by typing a simple ACL lacking its "nonat" line, or by putting in
> a Checkpoint box and setting a "nat hide" directive, or whatever fits the
> moment.
> While private, overlapping network addresses become more and more common
> at the same time as people need them connected to each other, I just can't
> figure out why it's so tricky to get this SNAT workaround done on Linux.
> Maybe I'm missing lots of things here? Please, enlighten me and forgive my
> mood... I'm under heavy pressure regarding this thing. It's really
> frustrating. In fact, I think it's the only thing I can't get my Linux
> boxes to do so far.
> Would you kindly point me in the right direction?
> 2.6 + IPsec + SNAT for Dummies maybe?
> Thanks again.
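For the KLIPS route both posters mention, here is a worked configuration, added as an illustration and not taken from either message: the translation happens on ipsec0, so the source address KLIPS sees when it looks up the tunnel policy is already the public one and matches leftsubnet. Every address (documentation ranges), interface name and the connection name are assumptions; replace them with the real topology.

```conf
# --- /etc/ipsec.conf (Openswan 2.4.x, KLIPS stack, assumed values) ---
config setup
    # bind the KLIPS virtual interface to the public NIC
    interfaces="ipsec0=eth0"

conn to-client
    left=203.0.113.1            # our public gateway address (assumed)
    leftsubnet=203.0.113.10/32  # the public alias the LAN host is SNAT'ed to
    right=198.51.100.1          # remote gateway (assumed)
    rightsubnet=10.0.0.0/24     # remote LAN, overlapping our 192.168.1.0/24 does not matter
    authby=secret
    auto=start

# --- shell commands run on the gateway (assumed host 192.168.1.50 on eth1) ---
# 1. the SNAT target must be an alias on the box so decrypted replies are ours
ip addr add 203.0.113.10/32 dev eth0

# 2. SNAT only traffic that leaves through the tunnel interface; because
#    POSTROUTING runs before ipsec0 encapsulates, the inner packet already
#    carries 203.0.113.10 when KLIPS matches it against leftsubnet
iptables -t nat -A POSTROUTING -o ipsec0 -s 192.168.1.50 -d 10.0.0.0/24 \
         -j SNAT --to-source 203.0.113.10

# 3. allow the forwarded traffic in both directions (replies are de-NATed
#    by conntrack after decryption on ipsec0)
iptables -A FORWARD -i eth1  -o ipsec0 -s 192.168.1.50 -d 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i ipsec0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# checks: the eroute should read 203.0.113.10/32 -> 10.0.0.0/24, and the
# SNAT counter should increase when the LAN host sends traffic
ipsec eroute
iptables -t nat -L POSTROUTING -v -n
```

Without the `-o ipsec0` restriction, the same host would also be SNAT'ed when it talks to the Internet, which is usually not what is wanted; keep the rule scoped to the tunnel destination.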
