[Openswan Users] SNAT before IPSec, save my soul.

Snitgen, John John.Snitgen at tnsi.com
Fri Mar 24 08:48:53 CET 2006

I have been trying to accomplish the same thing and have not had success yet.  Paul suggested 'leftsourceip=' for my particular scenario, but that turned out to only work for packets originating from the box itself, not for packets on the left subnet.

Here is my scenario as described previously:

On Tue, 14 Mar 2006, Snitgen, John wrote:

> Linux box (running version, Openswan 2.4.4) with a local loopback interface with IP address, and an ethernet interface with IP address
> PC with IP address, connected via hub to the Linux box ethernet interface
> Linux box ipsec.conf: leftsubnet=, rightsubnet=
> If I ping from the Linux box using the command 'ping -I' it successfully traverses the IPsec tunnel, the ping appears to originate from, and I get reply back across the tunnel.  This confirms that the IPsec tunnel is working like it should (according to these rules - leftsubnet=, rightsubnet=
> Now here's my problem - I want to ping/connect a TCP socket from the PC to, and have it appear to originate from address across the IPsec tunnel.  Is this possible over an IPsec tunnel?  Using iptables?  How is it accomplished?



-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org]On
Behalf Of Paul Wouters
Sent: Friday, March 24, 2006 2:09 AM
To: Adrian_Sanchez
Cc: users at openswan.org
Subject: Re: [Openswan Users] SNAT before IPSec, save my soul.

On Thu, 23 Mar 2006, Adrian_Sanchez wrote:

> After digging through dozens of forums and asking for help, I only got
> some comments about using the KLIPS module in order to get back my good'ol
> ipsec0 interface (but I had no chance to compile and run it on Fedora 4
> and 5 with whatever from 2.6.5 to 2.6.15 kernels). I also got comments

It compiles fine for me on FC4 upto about 2.6.14 based kernels. But use the
UP, not the SMP kernels.

> 2.6 + IPSEC + SNAT for Dummies maybe?

I do not know how to do this properly with NETKEY. With KLIPS you can SNAT
the plaintext packets on the intenral interface, and runs klips on the
external interface, and it will work fine.

There were various posts on this topic and solutions of other people on
this list in the past. So perhaps you can find some answers in the archives?

Users at openswan.org
Building and Integrating Virtual Private Networks with Openswan: 
This e-mail message is for the sole use of the intended recipient(s) and may 
contain confidential and privileged information of Transaction NetworkServices.  
Any unauthorized review, use, disclosure or distribution isprohibited.  If you 
are not the intended recipient, please contact thesender by reply e-mail and 
destroy all copies of the original message.

More information about the Users mailing list