[Openswan Users] Tunnel to Cisco w/private ip

Paul Wouters paul at xelerance.com
Thu Sep 14 21:34:12 EDT 2006

On Thu, 14 Sep 2006, Eyal Marantenboim wrote:

> My peer is a Linux 2.6 running openswan with public ip.

So what are you? I am confused.

> My internal network is but the client wants me to nat it
> using
> I’m trying to connect to a client who uses Cisco concentrator behind NAT
> (

I take it that box connects to you and not you to him, since he is behind

> The connection works fine. On both sides we see the tunnel up. The only
> problem is that no traffic is going through.
> Using tcpdump I see that the traffic is not being encrypted. It’s going
> through my external interface (eth1) but it’s not going through the
> tunnel.

You are using NETKEY, I think, and then you cannot see if the traffic is
encrypted or not. It is most likely encrypted.

> Is there a way that instead of using iptables POSTROUTING to nat my
> private network, to use something else?

Make sure to NAT with a \! -d rule to exclude NAT from packets that will
go through an ipsec tunnel.

> This is my config:
> conn tw2
>         type=tunnel
>         authby=secret
>         right=mypublicip
>         rightnexthop=myrouter
>         auto=start
>         left=client’spublicip
>         leftid=
>         leftsubnet=ip I’m trying to hit/32
>         pfs=no

You can't do this. You have to use auto=add, and let the other end
initiate to you.
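
The "exclude tunnel destinations from NAT" advice above, worked through as an added example (this is not code from the list post or from Openswan). It prints the iptables rules instead of applying them, so it can be reviewed first and then piped into a root shell; all addresses are assumed placeholders from the RFC 5737 documentation ranges, and the function names are mine. The single-tunnel form is the literal `! -d` rule; the multi-tunnel form generalizes it with one RETURN exception per remote subnet ahead of the catch-all MASQUERADE, which is what you need once more than one `leftsubnet` is in play, because `-d` accepts only one destination.

```shell
#!/bin/sh
# Added example, not from the original post. Generates POSTROUTING rules that
# keep IPsec-bound packets out of NAT. Nothing is applied; output is printed.
# Placeholders (assumed, not from the post): local LAN and remote tunnel subnets.
LOCAL_SUBNET="192.168.10.0/24"        # assumed private network behind this gateway
OUT_IF="eth1"                         # the external interface named in the post
REMOTE_SUBNETS="203.0.113.0/24 198.51.100.8/32"   # assumed leftsubnet values

# single_nat_rule LOCAL OUT_IF REMOTE
# The one-line form from the reply: masquerade everything leaving OUT_IF
# except packets whose destination is the one tunnelled subnet.
single_nat_rule() {
  printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -o %s -j MASQUERADE\n' \
    "$1" "$3" "$2"
}

# build_nat_rules LOCAL OUT_IF REMOTE...
# General form for several tunnels: an explicit RETURN for each tunnelled
# destination, then the catch-all MASQUERADE. Order matters: nat/POSTROUTING
# is first-match, so the exceptions must precede the masquerade rule.
build_nat_rules() {
  local_net="$1"; out_if="$2"; shift 2
  for remote in "$@"; do
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -o %s -j RETURN\n' \
      "$local_net" "$remote" "$out_if"
  done
  printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
    "$local_net" "$out_if"
}

# Stand-alone run: show both forms for the placeholder addresses.
echo "# single tunnel:"
single_nat_rule "$LOCAL_SUBNET" "$OUT_IF" "203.0.113.0/24"
echo "# several tunnels:"
# shellcheck disable=SC2086  # intentional word splitting of the subnet list
build_nat_rules "$LOCAL_SUBNET" "$OUT_IF" $REMOTE_SUBNETS
```

After applying the rules, `iptables -t nat -L POSTROUTING -v -n` shows per-rule packet counters: traffic for a tunnelled subnet should increment the RETURN (or be excluded by `! -d`) rather than the MASQUERADE rule, which is the quickest way to confirm the NAT exception is matching before looking at the tunnel itself.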
