[Openswan Users] openSWAN to Cisco IOS

Peter McGill petermcgill at goco.net
Fri Nov 24 16:47:12 EST 2006


On Nov 24, 2006 Christian Brechbühler wrote:
> Well, our subnet is 10.0.0.0/24, so that doesn't match anyway.  The Cisco side instructed us to
> source-network-address-translate all packets destined to them, which we do with this rule:
> -A POSTROUTING -d 10.14.8.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.232.10

I've never SNAT'd through an Openswan tunnel before so I'm not exactly sure how it would work.
Although if you get it working, I'd like to know how, as I have a situation myself where I'm going to need it.

Let's confirm your setup details, correct me if I'm wrong but your setup is as follows:

Your Private LAN
10.0.0.0/24
|
Openswan 2.4.4 (ipsec --version ?Klips or NETKEY?)
Linux 2.6.11-gentoo-r5
Eth1 public internet interface
|
Internet
|
Cisco
|
Remote Network
10.14.8.0/24

Where does 192.168.232.10 fit in?
Is it just an unused address chosen at the Cisco end to NAT your traffic to them?

Have you tried the SNAT'ing with your lithium test setup?

If I've got your setup right above, then...
First I'd set your leftsubnet=192.168.232.10/32 again (and on the Cisco).
If NETKEY, the -o eth1 -j SNAT is good (if that is your external interface).
With Klips it would be -o ipsec0 -j SNAT ...

That's how I would guess it should work, however again, I've never actually SNAT'd through a tunnel.
Perhaps someone else has, and/or has some insight?

Peter
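
The setup Peter sketches above, as an added example that is not part of the original post or anyone's real configuration: a POSIX shell script that emits the Openswan conn stanza with leftsubnet set to the /32 NAT address, the matching POSTROUTING SNAT rule with the outbound interface chosen per IPsec stack (eth1 for NETKEY, ipsec0 for KLIPS, as the post says), and a small check showing why the un-NATed 10.0.0.0/24 source would not match the tunnel's traffic selectors while the SNATed source does. The public addresses 203.0.113.10 and 198.51.100.20 are assumed placeholders from the documentation ranges; nothing here runs iptables, it only prints the commands.

```shell
#!/bin/sh
# Added example (not the poster's configuration). Values from the thread:
LOCAL_LAN="10.0.0.0/24"        # the private LAN behind Openswan
NAT_ADDR="192.168.232.10"      # source address the Cisco side expects to see
REMOTE_NET="10.14.8.0/24"      # remote network behind the Cisco
PUBLIC_IF="eth1"               # Openswan's public interface
LEFT_IP="203.0.113.10"         # ASSUMED: Openswan public IP (documentation range)
RIGHT_IP="198.51.100.20"       # ASSUMED: Cisco public IP (documentation range)

# Interface the SNAT rule must match for a given IPsec stack.
# NETKEY: packets leave via the physical interface and xfrm encrypts them,
#         so the rule matches eth1.
# KLIPS:  packets are routed into the virtual ipsec0 device first,
#         so the rule must match ipsec0 instead.
snat_out_iface() {
    case "$1" in
        netkey|NETKEY) echo "$PUBLIC_IF" ;;
        klips|KLIPS)   echo "ipsec0" ;;
        *) echo "unknown IPsec stack: $1" >&2; return 1 ;;
    esac
}

# Print the SNAT rule. Restricting it with -d keeps every other packet
# leaving the LAN untouched; only tunnel-bound traffic is rewritten.
snat_rule() {
    iface=$(snat_out_iface "$1") || return 1
    echo "iptables -t nat -A POSTROUTING -s $LOCAL_LAN -d $REMOTE_NET" \
         "-o $iface -j SNAT --to-source $NAT_ADDR"
}

# Print the conn stanza. leftsubnet is the /32 NAT address (what the Cisco
# was told), not the real 10.0.0.0/24 LAN.
ipsec_conn() {
    cat <<EOF
conn cisco-snat
    left=$LEFT_IP
    leftsubnet=$NAT_ADDR/32
    right=$RIGHT_IP
    rightsubnet=$REMOTE_NET
    authby=secret
    auto=start
EOF
}

# Does an IPv4 address fall inside a /24? (the only prefix length used here)
in_net24() {
    [ "$(echo "$1" | cut -d. -f1-3)" = "$(echo "$2" | cut -d. -f1-3)" ]
}

# Would a packet with this source/destination match the conn's selectors
# (leftsubnet=NAT_ADDR/32, rightsubnet=REMOTE_NET)?
selector_match() {
    [ "$1" = "$NAT_ADDR" ] && in_net24 "$2" "${REMOTE_NET%/*}"
}

# Stand-alone run: show the config for both stacks.
ipsec_conn
echo "# NETKEY:"; snat_rule netkey
echo "# KLIPS:";  snat_rule klips
if selector_match 10.0.0.5 10.14.8.5; then
    echo "10.0.0.5 -> 10.14.8.5 matches the tunnel selectors"
else
    echo "10.0.0.5 -> 10.14.8.5 does NOT match (needs SNAT to $NAT_ADDR first)"
fi
```

The -d restriction on the SNAT rule is the part worth keeping: a blanket MASQUERADE on eth1 would rewrite tunnel-bound traffic to the public address and it would then stop matching leftsubnet, so only packets for 10.14.8.0/24 should be translated, and to exactly the address the far side has in its crypto ACL.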