[Openswan Users] Same subnets on both ends

Norman Rasmussen norman at rasmussen.co.za
Tue May 30 12:12:11 CEST 2006

On 5/30/06, Marc McGuinness <mailing-list at mcguinness.de> wrote:
> What you say is that all I have to do is to enter this rule for source
> NAT on the VPN gateways:
> iptables -t nat -A POSTROUTING -s -o ipsec0 -j SNAT \
> --to
> Is that correct?

You might also have to do DNAT, I'm not 100% sure (also --to is
--to-source). So, eg:

iptables -t nat -A POSTROUTING -s -o ipsec0 -j SNAT \

iptables -t nat -A PREROUTING -d -i ipsec0 -j DNAT \

> Is it possible to use ipsec0 in a postrouting rule? I've checked the
> Openswan book and it says on page 96:
> "If there is an IP conflict, it is possible to do some
> NAT on them (outside the VPN tunnel, not inside!) but it might turn out
> to be more costly and problematic than just renumbering one end,
> especially if this is an end user's home network."
> What does it mean, when it says "outside the VPN tunnel, not inside"?

I'm not 100% sure, but it only makes sense if you NAT the
PRE-encrypted traffic.  Have you got a web reference to that quote?
(It might make more sense, if I read the surrounding text)

> > Alternatively you could only use NAT on one of the networks.  Then you
> > have to nat the current network _and_ the conflicting network's IPs -
> > one network does 2 sets of NAT.
> Sorry, but I don't have a clue what you mean. Why do I have to do 2 sets
> of NAT, when I only use NAT on one of the networks?

You're going to need 2 pairs of NAT (SNAT+DNAT*2) to do the job.

It shouldn't matter if you have 2 rules on each router:
 POSTROUTING -s -o ipsec0 -j SNAT --to-source
 PREROUTING -d -i ipsec0 -j DNAT --to-destination
 POSTROUTING -s -o ipsec0 -j SNAT --to-source
 PREROUTING -d -i ipsec0 -j DNAT --to-destination

or install all 4 rules all on one router:
 POSTROUTING -s -o ipsec0 -j SNAT --to-source
 PREROUTING -d -i ipsec0 -j DNAT --to-destination
 POSTROUTING -s -o eth0 -j SNAT --to-source
 PREROUTING -d -i eth0 -j DNAT --to-destination

notice how the second set of rules is slightly different.

The only real difference is how the other networks see the hosts:

In scheme1: both networks 'renumber', everyone outside both networks
uses the same ip's to address them and

In scheme2: only one network 'renumbers', everyone outside the single
network uses to talk to it.  Additionally _only this_
network sees the other un-renumbered network as

- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/
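The "both networks renumber" scheme from the reply above, written out as a small shell script. This is an added example, not code from the thread or from Openswan. It assumes both LANs are 192.168.1.0/24, that site A is presented to the tunnel as 10.1.1.0/24 and site B as 10.2.2.0/24, that the LAN is on eth0 and the KLIPS tunnel on ipsec0; all of those are illustrative choices. It uses the NETMAP target, which is the 1:1 whole-subnet form of the SNAT/DNAT pair in the mail (SNAT --to-source with a single address would collapse the whole LAN onto one address and break connections initiated from the far side); a per-host SNAT/DNAT variant is included so the two forms can be compared. The script prints the iptables commands by default (DRY_RUN=1) and only runs them, as root, with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: 1:1 NAT for two IPsec sites whose LANs both use 192.168.1.0/24.
# Site A is seen through the tunnel as 10.1.1.0/24, site B as 10.2.2.0/24.
# Addresses and interface names (eth0, ipsec0) are assumptions for illustration.
# The conn on each gateway must use the MAPPED subnets as leftsubnet/rightsubnet,
# so that the post-NAT packets match the tunnel selectors.

DRY_RUN=${DRY_RUN:-1}   # 1: print the iptables commands, 0: execute them (needs root)

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# ip4_to_int 192.168.1.0 -> 3232235776
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# subnets_overlap A/len B/len -> exit 0 if the two CIDR blocks share any address.
# Both arguments must carry a /prefix length.
subnets_overlap() {
    n1=$(ip4_to_int "${1%/*}"); l1=${1#*/}
    n2=$(ip4_to_int "${2%/*}"); l2=${2#*/}
    l=$l1; [ "$l2" -lt "$l" ] && l=$l2          # compare on the shorter prefix
    [ "$l" -eq 0 ] && return 0                   # /0 overlaps everything
    m=$(( 4294967295 - ((1 << (32 - l)) - 1) ))  # netmask as an integer
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# site_nat_rules <real_lan> <mapped_local> <mapped_remote> <lan_if> <tunnel_if>
# The two rules one gateway needs when both sides renumber:
#   POSTROUTING: real source -> mapped source, after routing has picked the tunnel
#   PREROUTING:  mapped destination -> real destination, before routing, so that
#                connections opened from the far side reach the real host.
# Conntrack rewrites the replies of each direction, so two rules cover both.
# <mapped_remote> is not used in a rule here; it is what the far side shows us,
# what goes into rightsubnet=, and what must not collide with our own ranges.
site_nat_rules() {
    real=$1; local_map=$2; remote_map=$3; lan_if=$4; tun_if=$5
    if subnets_overlap "$real" "$local_map" || subnets_overlap "$real" "$remote_map" \
       || subnets_overlap "$local_map" "$remote_map"; then
        echo "refusing: $real, $local_map and $remote_map must not overlap" >&2
        return 1
    fi
    ipt -t nat -A POSTROUTING -s "$real" -o "$tun_if" -j NETMAP --to "$local_map"
    ipt -t nat -A PREROUTING -d "$local_map" -i "$tun_if" -j NETMAP --to "$real"
}

# host_nat_rules <real_host> <mapped_host> <tunnel_if>
# The same mapping for a single host, in the SNAT/DNAT form discussed in the mail.
host_nat_rules() {
    ipt -t nat -A POSTROUTING -s "$1" -o "$3" -j SNAT --to-source "$2"
    ipt -t nat -A PREROUTING -d "$2" -i "$3" -j DNAT --to-destination "$1"
}

# Gateway A: leftsubnet=10.1.1.0/24 rightsubnet=10.2.2.0/24, hosts reach B as 10.2.2.x
echo "# gateway A"
site_nat_rules 192.168.1.0/24 10.1.1.0/24 10.2.2.0/24 eth0 ipsec0
# Gateway B: the mirror image, hosts reach A as 10.1.1.x
echo "# gateway B"
site_nat_rules 192.168.1.0/24 10.2.2.0/24 10.1.1.0/24 eth0 ipsec0
```

The overlap check is there because the whole exercise fails silently if a mapped range collides with a real one: the rules install, but routing sends the packets out the LAN instead of the tunnel. On a NETKEY (kernel-stack) Openswan there is no ipsec0 interface; the equivalent match for the same rules is `-m policy --dir out --pol ipsec` in POSTROUTING and `-m policy --dir in --pol ipsec` in PREROUTING.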
