[Openswan Users] NAT and VPN

Eyal Marantenboim eyalm at cardonhealthcare.com
Tue Sep 26 13:42:33 EDT 2006


Yes, left=192.168.51.50.
I thought about KLIPS, but I wasn’t sure if I can do it without KLIPS (since I need to recompile the kernel).

Thanks!



-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Tuesday, September 26, 2006 12:23
To: Eyal Marantenboim
Cc: users
Subject: Re: [Openswan Users] NAT and VPN

On Tue, 26 Sep 2006, Eyal Marantenboim wrote:

> I have a client that wants me to NAT my subnet (10.1.1.0/24) using
> 192.168.51.50.

so your ipsec connection has left=192.168.51.50 I assume?

> My gateway is the same box that does the vpn tunnel.
>
> When I try to NAT the packets, Linux doesn’t send them through the tunnel.
> It sends them unencrypted to the internet.
>
> When I change my subnet in my ipsec.conf and I delete the NAT rule, the
> packets go through the tunnel.
>
> The problem is that the client wants me to do NAT.
>
> Is there a way to SNAT a packet and then send it through the tunnel all
> on the same box?

Your best bet is to use KLIPS, and NAT on the internal ethX device. Then
the outgoing packets should get into ipsec0 and get encrypted.

Paul
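Whichever stack does the encryption, the packet that reaches the IPsec policy lookup only matches the tunnel if its source lies inside leftsubnet and its destination inside rightsubnet; a SNAT address outside leftsubnet is exactly the kind of packet that bypasses the tunnel and goes out in the clear, as described above. The following checker is an added example, not part of this thread or of Openswan: it parses a conn section and an iptables-save style SNAT rule and reports any mismatch. The conn name `client`, the right side `203.0.113.10`, the remote subnet `172.16.0.0/24` and the rule text are constructed for the example; only 10.1.1.0/24 and 192.168.51.50 come from the thread.

```python
import ipaddress
import re

# Constructed sample ipsec.conf fragment (left side taken from the thread,
# right side and conn name are assumptions for the example).
IPSEC_CONF = """\
conn client
    left=192.168.51.50
    leftsubnet=192.168.51.50/32
    right=203.0.113.10
    rightsubnet=172.16.0.0/24
    auto=start
"""

# Constructed sample rule in iptables-save format: NAT the LAN to the
# tunnel address, but only for traffic headed to the remote subnet.
SNAT_RULE = ("-A POSTROUTING -s 10.1.1.0/24 -d 172.16.0.0/24 "
             "-j SNAT --to-source 192.168.51.50")


def parse_conn(conf, name):
    """Return the key=value settings of one conn section of an ipsec.conf."""
    settings = {}
    in_conn = False
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            in_conn = stripped.split(None, 1)[1] == name
            continue
        if in_conn and "=" in stripped and not stripped.startswith("#"):
            key, _, value = stripped.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def parse_snat(rule):
    """Pull -s, -d and --to-source out of an iptables SNAT rule string."""
    def opt(flag):
        m = re.search(r"(?:^|\s)%s\s+(\S+)" % re.escape(flag), rule)
        return m.group(1) if m else None
    return {"src": opt("-s"), "dst": opt("-d"), "to": opt("--to-source")}


def check_snat_against_tunnel(conf, conn_name, rule):
    """Return a list of findings; an empty list means NAT and tunnel agree."""
    conn = parse_conn(conf, conn_name)
    snat = parse_snat(rule)
    findings = []

    # Openswan defaults leftsubnet to the left address itself (/32).
    leftsubnet = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"))
    rightsubnet = ipaddress.ip_network(conn["rightsubnet"])

    # 1. The address packets are rewritten to must be covered by leftsubnet,
    #    otherwise they do not match the tunnel policy after NAT.
    if snat["to"] is None:
        findings.append("SNAT rule has no --to-source")
    else:
        # --to-source may carry a range or port spec; check the first address.
        first = snat["to"].split(":")[0].split("-")[0]
        to_addr = ipaddress.ip_address(first)
        if to_addr not in leftsubnet:
            findings.append("--to-source %s is outside leftsubnet %s"
                            % (to_addr, leftsubnet))

    # 2. The rule should be scoped to the remote subnet, so only tunnel-bound
    #    traffic is rewritten to the tunnel address.
    if snat["dst"] is None:
        findings.append("SNAT rule is not restricted to rightsubnet %s (no -d)"
                        % rightsubnet)
    else:
        dst = ipaddress.ip_network(snat["dst"], strict=False)
        if not dst.subnet_of(rightsubnet):
            findings.append("SNAT destination %s is not within rightsubnet %s"
                            % (dst, rightsubnet))
    return findings


if __name__ == "__main__":
    for finding in check_snat_against_tunnel(IPSEC_CONF, "client", SNAT_RULE):
        print("WARNING:", finding)
```

Run it against your own ipsec.conf and the output of `iptables-save -t nat`; a clean result only says the selectors are consistent, it does not tell you at which point in the Linux output path the NAT is applied relative to the policy lookup, which is the KLIPS versus NETKEY question Paul's answer is about.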

