[Openswan Users] SNAT before IPSec, save my soul.

Adrian_Sanchez Adrian_Sanchez at actionline.com.ar
Thu Mar 23 23:21:41 CET 2006


I have read your useful experiences today. Sort of looks like it's been a
busy day today ;-)

A cisco box set up to do a classic private|public---public|private tunnel
needs a "nonat" line in order to avoid "private" becoming "public". Just
ignore adding that line and you'll have that private left subnet getting
SNAT'ed with a public one. Just as if that "nonat" line meant "please
don't nat my private ipsec packets because I want them to remain private".

As you might have noticed, Linux 2.6 does just the opposite: it'll never
SNAT the private packets unless you use KLIPS and explicitly SNAT on
ipsec0 or start using the new iptables patches + 2.6.16 + userland tools
in a combination I still couldn't figure out.

My setup is very easy. Just imagine a simple IPSec tunnel connecting two
private hosts. Well, I need my left private host to get into the tunnel
using one of my many OpenSWAN public IP address aliases:

192.168.0.4--200.0.0.1==140.0.0.1-140.0.0.2

- 192.168.0.4 is my internal host.
- 200.0.0.1 is my IPSec gateway; it also has an IP alias of 200.0.0.2
which is in use by my internal host. In other words, anyone can access
192.168.0.4 from the internet by pointing at 200.0.0.2.
- 140.0.0.1 is my remote ipsec gateway, over which I have no control
whatsoever. That's my ipsec peer which grants me access to 140.0.0.2:
presumably an internal, SNAT'ed host, too.

Can you see what the problem is? I can't get 192.168.0.4 to act like
200.0.0.2 before getting into the IPSec tunnel towards 140.0.0.2.



-----Original Message-----
From: ted leslie <tleslie at tcn.net>
To: "Adrian_Sanchez" <Adrian_Sanchez at actionline.com.ar>
Cc: users at openswan.org
Date: Thu, 23 Mar 2006 21:00:24 -0500
Subject: Re: [Openswan Users] SNAT before IPSec, save my soul.

> I have the same issue (or similar).
> 
> I just got 2.6.14 and the Klips patch installed successfully and will see
> if it works.
> But I tried to solve it on a cisco (of my client), that would involve
> the Nat-on-a-stick approach, and after reading that paper at CISCO
> wow, that didn't look that easy.
> 
> I don't understand how just a "nonat" line solves your problem on
> cisco.
> 
> If you like, can you send me a simple network diagram (off list if you
> like), I'd be interested in exactly your topology layout.
> 
> I am hoping because I should have a working klips 2.6 kernel system now
> I will be ok, you're scaring me about the iptables 1.3.5 tainted comment
> below, hopefully I don't run into that.
> I guess I am lucky, I am building a box from scratch and can pick and
> choose my kernel (2.6.*) and version of openswan, where you are a bit
> more limited.
> 
> Could you install a linux 2.4.14 on your FC4/5 ? or you have to stick
> with FC official kernels supplied by RH ?
> 
> Checkpoint is just hardened linux .. so I am not sure how you would do
> something with Checkpoint that you can't do with linux?
> 
> 
> -tl
> 
> On Thu, 23 Mar 2006 22:25:17 -0300
> "Adrian_Sanchez" <Adrian_Sanchez at actionline.com.ar> wrote:
> 
> > I am trying to set up a tunnel where an internal host with a rather
> > common and overused leftsubnet address gets SNAT'ed with a public
> > address from the same public subnet my OpenSWAN public gateway listens
> > on (it's just one box with several ip address aliases which acts both
> > as a NAT gateway and an OpenSWAN box).
> > 
> > After digging through dozens of forums and asking for help, I only got
> > some comments about using the KLIPS module in order to get back my
> > good'ol ipsec0 interface (but I had no chance to compile and run it on
> > Fedora 4 and 5 with whatever from 2.6.5 to 2.6.15 kernels). I also got
> > comments about combining kernel 2.6.16, iptables 1.3.5 + POM in a
> > tainted, unspecific way my scorched brain can't figure out.
> > 
> > I think I'm really close to giving up and telling my client to put an
> > end to his sufferings -and mine-, by putting in a Cisco box which does
> > exactly what I need just by typing a simple ACL lacking its "nonat"
> > line, or by putting in a Checkpoint box and setting a "nat hide"
> > directive, or whatever fits the moment.
> > 
> > While private, overlapping network addresses become more and more
> > common at the same time as people need them connected to each other, I
> > just can't figure out why it's so tricky to get this SNAT workaround
> > done on Linux.
> > 
> > Maybe I'm missing lots of things here? Please, enlighten me and forgive
> > my mood... I'm under heavy pressure regarding this thing. It's really
> > frustrating. In fact, I think it's the only thing I can't get my Linux
> > boxes to do so far.
> > 
> > Would you kindly point me in the right direction?
> > 
> > 2.6 + IPSEC + SNAT for Dummies maybe?
> > 
> > 
> > Thanks again.
> > 
> > 
> > _______________________________________________
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
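The KLIPS variant the message alludes to ("explicitly SNAT on ipsec0"), written out as an added example that is not from the thread or from the Openswan project: traffic from 192.168.0.4 is rewritten to the 200.0.0.2 alias only when it is leaving on the KLIPS interface towards 140.0.0.2, and the conn advertises 200.0.0.2/32 as leftsubnet so the peer's policy matches what it actually sees. The interface name ipsec0, the conn name and the DRY_RUN switch are assumptions; the script prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): SNAT before IPsec with KLIPS, where
# the tunnel is a real interface (ipsec0) that POSTROUTING can match on.
# Addresses are the ones from the message; the conn name is made up.
INT_HOST=192.168.0.4      # internal host with the overused private address
PUB_ALIAS=200.0.0.2       # public alias on the gateway the host should appear as
LEFT_GW=200.0.0.1         # Openswan gateway
RIGHT_GW=140.0.0.1        # remote peer (not under our control)
RIGHT_HOST=140.0.0.2      # host reachable behind the peer
IPSEC_IF=ipsec0           # KLIPS virtual interface (assumption: KLIPS is loaded)

# DRY_RUN=1 (default) prints the commands instead of running them, so the
# rule set can be reviewed before it touches a production gateway.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Only rewrite what is headed into the tunnel: match the KLIPS interface and
# the remote host, never a blanket SNAT of the whole private subnet.
snat_rules() {
    run iptables -t nat -A POSTROUTING -o "$IPSEC_IF" -s "$INT_HOST" -d "$RIGHT_HOST" \
        -j SNAT --to-source "$PUB_ALIAS"
    # Peer-initiated traffic to the alias is handed to the internal host;
    # replies to our own connections are un-NATed by conntrack anyway.
    run iptables -t nat -A PREROUTING -i "$IPSEC_IF" -s "$RIGHT_HOST" -d "$PUB_ALIAS" \
        -j DNAT --to-destination "$INT_HOST"
}

# The conn advertises the public alias, not the private address, because that
# is the source the peer sees after SNAT and what its policy has to match.
ipsec_conn() {
    cat <<EOF
conn snat-before-ipsec
    left=$LEFT_GW
    leftsubnet=$PUB_ALIAS/32
    right=$RIGHT_GW
    rightsubnet=$RIGHT_HOST/32
    auto=start
EOF
}

snat_rules
ipsec_conn
```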
