[Openswan Users] Same subnets on both ends

Norman Rasmussen norman at rasmussen.co.za
Tue May 30 12:12:11 CEST 2006


On 5/30/06, Marc McGuinness <mailing-list at mcguinness.de> wrote:
> What you say is that all I have to do is to enter this rule for source
> NAT on the VPN gateways:
>
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ipsec0 -j SNAT \
> --to 192.168.1.0/24
>
> Is that correct?

You might also have to do DNAT, I'm not 100% sure (also --to is
--to-source). So, eg:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ipsec0 -j SNAT \
--to-source 192.168.1.0/24

iptables -t nat -A PREROUTING -d 192.168.1.0/24 -i ipsec0 -j DNAT \
--to-destination 192.168.0.0/24

> Is it possible to use ipsec0 in a postrouting rule? I've checked the
> Openswan book and it says on page 96:
>
> "If there is an IP conflict, it is possible to do some
> NAT on them (outside the VPN tunnel, not inside!) but it might turn out
> to be more costly and problematic than just renumbering one end,
> especially if this is an end user's home network."
>
> What does it mean, when it says "outside the VPN tunnel, not inside"?

I'm not 100% sure, but it only makes sense if you NAT the
PRE-encrypted traffic.  Have you got a web reference to that quote?
(It might make more sense, if I read the surrounding text)

> > Alternatively you could only use NAT on one of the networks.  Then you
> > have to nat the current network _and_ the conflicting network's IPs -
> > one network does 2 sets of NAT.
>
> Sorry, but I don't have a clue what you mean. Why do I have to do 2 sets
> of NAT, when I only use NAT on one of the networks?

You're going to need 2 pairs of NAT (SNAT+DNAT*2) to do the job.

It shouldn't matter if you have 2 rules on each router:
router1:
 POSTROUTING -s 192.168.0.0/24 -o ipsec0 -j SNAT --to-source 192.168.1.0/24
 PREROUTING -d 192.168.1.0/24 -i ipsec0 -j DNAT --to-destination 192.168.0.0/24
router2:
 POSTROUTING -s 192.168.0.0/24 -o ipsec0 -j SNAT --to-source 192.168.2.0/24
 PREROUTING -d 192.168.2.0/24 -i ipsec0 -j DNAT --to-destination 192.168.0.0/24

or install all 4 rules all on one router:
 POSTROUTING -s 192.168.0.0/24 -o ipsec0 -j SNAT --to-source 192.168.1.0/24
 PREROUTING -d 192.168.1.0/24 -i ipsec0 -j DNAT --to-destination 192.168.0.0/24
 POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 192.168.2.0/24
 PREROUTING -d 192.168.2.0/24 -i eth0 -j DNAT --to-destination 192.168.0.0/24

notice how the second set of rules is slightly different.

The only real difference is how the other networks see the hosts:

In scheme1: both networks 'renumber', everyone outside both networks
uses the same IPs to address them 192.168.1.0 and 192.168.2.0.

In scheme2: only one network 'renumbers', everyone outside the single
networks uses 192.168.1.0 to talk to it.  Additionally _only this_
network sees the other un-renumbered network as 192.168.2.0.

-- 
- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/
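As an added illustration (not part of Norman's or Marc's mail), here is a small Python model of the two NAT schemes above that walks one packet and its reply through the nat chains of both routers. It assumes each rule performs a 1:1 translation that keeps the host bits, which is what the iptables NETMAP target provides (SNAT/DNAT given a range picks an address from it rather than mapping host-for-host); the interface names eth0/ipsec0 follow the post, and the hosts 192.168.0.10 and 192.168.0.20 are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:
    chain: str   # "PREROUTING" (DNAT, matches -i/-d) or "POSTROUTING" (SNAT, matches -o/-s)
    iface: str   # the -i or -o interface
    match: str   # the -s or -d network
    to: str      # the --to-source / --to-destination network

def netmap(addr, from_net, to_net):
    """1:1 translation that keeps the host bits (NETMAP semantics; an assumption of this model)."""
    from_net, to_net = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    return to_net.network_address + (int(ipaddress.ip_address(addr)) - int(from_net.network_address))

def apply_chain(pkt, rules, chain, iface):
    """Walk one nat chain for one interface; the first matching rule wins, as in iptables."""
    field = "dst" if chain == "PREROUTING" else "src"   # DNAT rewrites dst, SNAT rewrites src
    for r in rules:
        if (r.chain == chain and r.iface == iface
                and ipaddress.ip_address(getattr(pkt, field)) in ipaddress.ip_network(r.match)):
            return replace(pkt, **{field: str(netmap(getattr(pkt, field), r.match, r.to))})
    return pkt

def forward(pkt, rules, in_if, out_if):
    """One router: PREROUTING on the ingress interface, then POSTROUTING on the egress one."""
    return apply_chain(apply_chain(pkt, rules, "PREROUTING", in_if), rules, "POSTROUTING", out_if)

# Scheme 1 from the post: each router renumbers its own LAN (both sites use 192.168.0.0/24).
ROUTER1 = [Rule("POSTROUTING", "ipsec0", "192.168.0.0/24", "192.168.1.0/24"),
           Rule("PREROUTING", "ipsec0", "192.168.1.0/24", "192.168.0.0/24")]
ROUTER2 = [Rule("POSTROUTING", "ipsec0", "192.168.0.0/24", "192.168.2.0/24"),
           Rule("PREROUTING", "ipsec0", "192.168.2.0/24", "192.168.0.0/24")]
# Scheme 2: all four rules on router1, eth0 being its LAN side; router2 does no NAT at all.
ROUTER1_ALL = ROUTER1 + [Rule("POSTROUTING", "eth0", "192.168.0.0/24", "192.168.2.0/24"),
                         Rule("PREROUTING", "eth0", "192.168.2.0/24", "192.168.0.0/24")]

def roundtrip(pkt, r1, r2):
    """A site-A host sends pkt; returns (packet as site B's host sees it, reply as site A sees it).
    A real kernel reverses the mapping via conntrack; re-walking the rules gives the same
    result here because every mapping is a symmetric 1:1 NETMAP."""
    out = forward(forward(pkt, r1, "eth0", "ipsec0"), r2, "ipsec0", "eth0")
    back = forward(forward(Packet(out.dst, out.src), r2, "eth0", "ipsec0"), r1, "ipsec0", "eth0")
    return out, back

if __name__ == "__main__":
    for name, r1, r2 in (("scheme1", ROUTER1, ROUTER2), ("scheme2", ROUTER1_ALL, [])):
        print(name, roundtrip(Packet("192.168.0.10", "192.168.2.20"), r1, r2))
```

In both schemes site B's host sees the conversation as 192.168.1.10 -> 192.168.0.20 and site A's host sees the reply as 192.168.2.20 -> 192.168.0.10, which is the difference Norman describes: only who else gets to see the 192.168.2.0 addresses changes.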

