[Openswan Users] openSWAN to Cisco IOS

Christian Brechbühler brechbuehler at gmail.com
Fri Nov 24 21:16:58 EST 2006


On 11/24/06, Peter McGill <petermcgill at goco.net> wrote:
>
> On Nov 24, 2006 Christian Brechbühler wrote:
> > The Cisco side instructed us to
> > source-network-address-translate all packets destined to them, which we
> > do with this rule:
> > -A POSTROUTING -d 10.14.8.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.232.10
>
> I've never SNAT'd through an Openswan tunnel before so I'm not exactly
> sure how it would work.
> Although if you get it working, I'd like to know how, as I have a
> situation myself where I'm going to need it.
>
> Let's confirm your setup details, correct me if I'm wrong but your setup
> is as follows:
>
> Your Private LAN
> 10.0.0.0/24
> |
> Openswan 2.4.4 (ipsec --version ?Klips or NETKEY?)
>
Linux Openswan U2.4.4/K2.6.11-gentoo-r5 (netkey)

Linux 2.6.11-gentoo-r5
> Eth1 public internet interface
> |
> Internet
> |
> Cisco
> |
> Remote Network
> 10.14.8.0/24


Actually 10.14.8.0/29 -- the iptables rule is too general. In our view of
the world, the above diagram is correct.

> Where does 192.168.232.10 fit in?
>
> Is it just an unused address chosen at the Cisco end to NAT your traffic to
> them?


In the Cisco's view, our subnet is 192.168.232.0/24 -- yes, you're probably
right about the unused address.

> Have you tried the SNAT'ing with your lithium test setup?

No, thanks, that's another idea to try.

> If I've got your setup right above, then...

> First I'd set your leftsubnet=192.168.232.10/32 again (and on the Cisco).

I don't see a difference in the behavior any more. I assume they changed it
to Xsubnetwithin.

> If NETKEY, the -o eth1 -j SNAT is good (if that is your external interface.)
> With Klips it would be -o ipsec0 -j SNAT ...


Pretty sure it's NETKEY -- see above. No ipsecX interfaces; we have eth0,
eth1, lo, ppp0, and ppp1.  The latter two are for Windows machines, which do
PPP over L2TP over IPsec.

> That's how I would guess it should work, however again, I've never actually
> SNAT'd through a tunnel.
> Perhaps someone else has, and/or has some insight?
>

I'll let you know if I get it to work.  But even without SNAT, I get this
weird situation (not serious, but may be the same issue):  When lithium
establishes an IPsec tunnel to the vpn gateway, connections that lithium
initiates (ping, ssh, traceroute, http) work fine.  Any connection to
lithium that the gateway initiates fails.  Is this normal?  I suspect NO,
and the firewall on the gateway may be ruining things.

/Christian
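As an added example (my own code, not from this thread or from Openswan), a small Python check that compares the posted SNAT rule with the conn's leftsubnet/rightsubnet and flags the mismatch Christian noticed (the /24 destination versus the /29 remote network). It assumes, as Peter's leftsubnet=192.168.232.10/32 suggestion does, that with NETKEY the tunnel policy is matched on the post-SNAT addresses; the function names and the CONN dictionary are mine.

```python
"""Cross-check an iptables SNAT rule against the Openswan conn it is meant to feed.
Premise assumed here: with NETKEY the tunnel policy sees the post-SNAT addresses, so
--to-source must sit inside leftsubnet and every destination the rule matches must sit
inside rightsubnet; anything else is SNAT'd and then sent out eth1 outside the tunnel
(or dropped), which is exactly what an over-wide -d does."""
import ipaddress
import shlex

# Constructed inputs modelled on the thread: the /24 rule Christian posted and the
# /29 remote network he later corrected it to.
SNAT_RULE = ("-A POSTROUTING -d 10.14.8.0/255.255.255.0 -o eth1 -j SNAT "
             "--to-source 192.168.232.10")
CONN = {"leftsubnet": "192.168.232.10/32", "rightsubnet": "10.14.8.0/29"}


def parse_snat_rule(rule):
    """Extract -d, -o and --to-source from an 'iptables -t nat -A POSTROUTING ... -j SNAT' line."""
    args = shlex.split(rule)
    opts = {tok: args[i + 1] for i, tok in enumerate(args[:-1])
            if tok in ("-d", "-o", "-j", "--to-source")}
    if opts.get("-j") != "SNAT":
        raise ValueError("not a SNAT rule: %s" % rule)
    # iptables accepts a dotted mask (10.14.8.0/255.255.255.0); ipaddress parses it too.
    # --to-source may carry a range or port (a.b.c.d-e.f.g.h:1024-65535); check the first address.
    first = opts["--to-source"].split("-")[0].split(":")[0]
    return {"dst": ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False),
            "out_if": opts.get("-o"),
            "to_source": ipaddress.ip_address(first)}


def check_snat_against_conn(rule, conn):
    """Return a list of findings; an empty list means the rule and the conn agree."""
    r = parse_snat_rule(rule)
    left = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    right = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    findings = []
    if r["to_source"] not in left:
        findings.append("--to-source %s is outside leftsubnet %s; SNAT'd packets will "
                        "not match the tunnel policy" % (r["to_source"], left))
    if not r["dst"].subnet_of(right):
        findings.append("-d %s is wider than rightsubnet %s; traffic to the rest of %s is "
                        "SNAT'd but leaves %s outside the tunnel"
                        % (r["dst"], right, r["dst"], r["out_if"]))
    return findings


if __name__ == "__main__":
    for line in check_snat_against_conn(SNAT_RULE, CONN) or ["rule and conn are consistent"]:
        print(line)
```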