[Openswan Users] NAT and VPN

Andy Gay andy at andynet.net
Tue Sep 26 14:21:17 EDT 2006


On Tue, 2006-09-26 at 12:42 -0500, Eyal Marantenboim wrote:
> Yes, left=192.168.51.50.
> I thought about KLIPS, but I wasn’t sure if I can do it without KLIPS (since I need to recompile the kernel).

It should work with NETKEY as well if your kernel is 2.6.16 or later.

> 
> Thanks!
> 
> 
> 
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com] 
> Sent: Tuesday, September 26, 2006 12:23
> To: Eyal Marantenboim
> Cc: users
> Subject: Re: [Openswan Users] NAT and VPN
> 
> On Tue, 26 Sep 2006, Eyal Marantenboim wrote:
> 
> > I have a client that wants me to NAT my subnet (10.1.1.0/24) using
> > 192.168.51.50.
> 
> so your ipsec connection has left=192.168.51.50 I assume?
> 
> > My gateway is the same box that does the vpn tunnel.
> >
> > When I try to NAT the packets, linux doesn’t send it through the tunnel.
> > It sends it unencrypted to the internet.
> >
> > When I change my subnet in my ipsec.conf and I delete the NAT rule, the
> > packets go through the tunnel.
> >
> > The problem is that the client wants me to do NAT.
> >
> > Is there a way to SNAT a packet and then send it through the tunnel all
> > on the same box?
> 
> Your best bet is to use KLIPS, and NAT on the internal ethX device. Then
> the outgoing packets should get into ipsec0 and get encrypted.
> 
> Paul