[Openswan Users] openSWAN to Cisco IOS

Peter McGill petermcgill at goco.net
Fri Nov 24 16:47:12 EST 2006

On Nov 24, 2006 Christian Brechbühler wrote:
> Well our subnet is, so that doesn't match anyway.  The Cisco side instructed us to
> source-network-address-translate all packets destined to them, which we do with this rule:
> -A POSTROUTING -d -o eth1 -j SNAT --to-source 

I've never SNAT'd through an Openswan tunnel before so I'm not exactly sure how it would work.
Although if you get it working, I'd like to know how, as I have a situation myself where I'm going to need it.

Let's confirm your setup details, correct me if I'm wrong but your setup is as follows:

Your Private LAN
Openswan 2.4.4 (ipsec --version ?Klips or NETKEY?)
Linux 2.6.11-gentoo-r5
Eth1 public internet interface
Remote Network

Where does fit in?
Is it just an unused address chosen at the Cisco end to NAT your traffic to them?

Have you tried the SNAT'ing with your lithium test setup?

If I've got your setup right above, then...
First I'd set your leftsubnet= again (and on the Cisco).
If NETKEY the -o eth1 -j SNAT is good (if that is your external interface).
With Klips it would be -o ipsec0 -j SNAT ...

That's how I would guess it should work, however again, I've never actually SNAT'd through a tunnel.
Perhaps someone else has, and/or has some insight?
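The KLIPS-versus-NETKEY point above decides which interface the SNAT rule must name. The following script is an added example, not part of the thread or of Openswan: it derives the stack from the `ipsec --version` string and prints the matching POSTROUTING rule rather than applying it. It assumes (not stated in the thread) that `ipsec --version` names the stack as "netkey" or "klips", that the public interface is eth1 as in the thread, and that KLIPS encrypts on the virtual ipsec0 device; the remote network and NAT source address are constructed placeholders (the thread elides the real values).

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Openswan.
# Picks the iptables SNAT rule for traffic into an Openswan tunnel depending
# on which IPsec stack (KLIPS or NETKEY) the host is running.
#
# Assumptions (not stated in the thread):
#   - `ipsec --version` contains "netkey" or "klips" naming the active stack
#   - the public interface is eth1 (as in the thread); KLIPS sends tunnel
#     traffic out of the virtual ipsec0 device instead
#   - REMOTE_NET and NAT_SOURCE below are constructed placeholder values

# stack_from_version VERSION_STRING -> prints "netkey", "klips" or "unknown"
stack_from_version() {
    case "$1" in
        *[Kk][Ll][Ii][Pp][Ss]*)     echo klips ;;
        *[Nn][Ee][Tt][Kk][Ee][Yy]*) echo netkey ;;
        *)                          echo unknown ;;
    esac
}

# snat_out_iface STACK PUBLIC_IFACE -> the interface the -o match must name
snat_out_iface() {
    case "$1" in
        klips)  echo ipsec0 ;;   # KLIPS: plaintext is routed over ipsec0 before encryption
        netkey) echo "$2" ;;     # NETKEY: packets leave on the real public interface
        *)      return 1 ;;      # unknown stack: refuse to guess
    esac
}

# snat_rule STACK PUBLIC_IFACE REMOTE_NET NAT_SOURCE -> the full iptables command (printed only)
snat_rule() {
    iface=$(snat_out_iface "$1" "$2") || return 1
    echo "iptables -t nat -A POSTROUTING -d $3 -o $iface -j SNAT --to-source $4"
}

# Constructed placeholders (documentation ranges); override from the environment.
REMOTE_NET=${REMOTE_NET:-192.0.2.0/24}
NAT_SOURCE=${NAT_SOURCE:-198.51.100.1}

# Detect the running stack; if Openswan is not installed here, fall back to a
# constructed version string so the script still shows what it would emit.
ver=$(ipsec --version 2>/dev/null || true)
stack=$(stack_from_version "$ver")
if [ "$stack" = unknown ]; then
    stack=$(stack_from_version "Linux Openswan U2.4.4/K2.6.11-gentoo-r5 (netkey)")
fi
snat_rule "$stack" eth1 "$REMOTE_NET" "$NAT_SOURCE"
```

The printed rule is meant to be reviewed, then applied by hand. Whichever interface is used, the address given to --to-source has to lie inside the leftsubnet the tunnel is negotiated for (and the Cisco side has to expect that same network), otherwise the translated packets will not match the IPsec policy and will leave in the clear or be dropped.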
