[Openswan Users] nat problem

Francesco Defilippo francesco.defilippo at sys-net.it
Sat Feb 3 06:52:37 EST 2007


Hello, I've correctly set up a lan2lan tunnel; now I have this problem: my
endpoint asks me to masquerade my LAN with a virtual IP:

myLan          Ipsec gateway                  router                internet     Lan
[192.168.1.x]->[192.168.1.254/192.168.2.3]->[192.168.2.1/a.b.c.d]->[endpointIP]->[10.x]
                              192.168.10.1 (virtual ip, eth1:0)

The default gateway of myLan is .1.254; the default gateway of my ipsecgw
is .2.1. My internet address is a.b.c.d (a masquerading router).

So my endpoint asks me to masquerade myLan as 192.168.10.1/32 when I go
to endpointLan:

The tunnel is OK. My conf:

conn endpoint
        left=                   192.168.10.1
        leftnexthop=            %defaultroute
        right=                  endpointIP
        rightnexthop=           %defaultroute
        rightsubnet=            endpointLAN/24
        authby=                 secret
        ike=                    3des-md5-modp1024
        keyexchange=            ike
        ikelifetime=            86400
        type=                   tunnel
        keylife=                28800
        auth=                   esp
        esp=                    3des-md5
        pfs=                    no
        auto=                   add
        keyingtries=            1
        disablearrivalcheck=    no
        compress=               no

iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 198K packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2640 packets, 180K bytes)
 pkts bytes target     prot opt in     out     source               destination
   75  7543 Cid45C328A530699.0  all  --  any    eth1    192.168.0.0/16       anywhere
   72  7363 SNAT       all  --  any    eth1    192.168.0.0/16       anywhere            to:192.168.2.3
    0     0 SNAT       all  --  any    eth1    192.168.0.0/16       anywhere            to:192.168.10.1

Chain OUTPUT (policy ACCEPT 3183 packets, 214K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain Cid45C328A530699.0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   180 SNAT       all  --  any    eth1    anywhere             endPointLan/24       to:192.168.10.1

If I ping endPointLan I get no response, and with tcpdump I don't see any packet:

[root at ipsecgw ~]# tcpdump -i eth1 host endPointIP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes

Any idea?

Thanks.



Francesco Defilippo
Partner

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.0382.573859 (114)
Mobile:   +39.348.3806890   
Email:    francesco.defilippo at sys-net.it
------------------------------------------ 
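Added example, not part of the post or of Openswan: a small Python model of how netfilter walks the nat POSTROUTING chain printed above (jump into the user chain, implicit RETURN when nothing there matches, SNAT as a terminating target). It assumes the placeholder prefix 10.20.30.0/24 for endPointLan/24 and reproduces the hit counts in the post (75 / 3 / 72 / 0), which shows that the SNAT to 192.168.10.1 did fire for the three pings, so whatever drops them happens after translation.

```python
# Constructed model of the nat POSTROUTING rules from the post; endPointLan/24 is
# stood in by the placeholder 10.20.30.0/24 (the real prefix is not in the post).
import ipaddress

ENDPOINT_LAN = ipaddress.ip_network("10.20.30.0/24")  # placeholder for endPointLan/24
ANY = ipaddress.ip_network("0.0.0.0/0")
MYNET = ipaddress.ip_network("192.168.0.0/16")

# Each rule is ((src net, dst net, out iface), (target, argument)).
# Order mirrors the `iptables -L -v -t nat` listing in the post.
CHAINS = {
    "POSTROUTING": [
        ((MYNET, ANY, "eth1"), ("JUMP", "Cid45C328A530699.0")),
        ((MYNET, ANY, "eth1"), ("SNAT", "192.168.2.3")),
        ((MYNET, ANY, "eth1"), ("SNAT", "192.168.10.1")),
    ],
    "Cid45C328A530699.0": [
        ((ANY, ENDPOINT_LAN, "eth1"), ("SNAT", "192.168.10.1")),
    ],
}

def matches(rule_match, src, dst, out_if):
    src_net, dst_net, iface = rule_match
    return src in src_net and dst in dst_net and iface == out_if

def walk(chain, src, dst, out_if, counters):
    """Return the SNAT address chosen for this packet, or None when the chain
    policy (ACCEPT) applies. Bumps a per-rule hit counter like the pkts column."""
    for idx, (m, (target, arg)) in enumerate(CHAINS[chain]):
        if not matches(m, src, dst, out_if):
            continue
        counters[(chain, idx)] = counters.get((chain, idx), 0) + 1
        if target == "SNAT":
            return arg                       # terminating target: later rules never run
        result = walk(arg, src, dst, out_if, counters)   # JUMP into the user chain
        if result is not None:
            return result                    # user chain terminated the traversal
        # implicit RETURN: keep evaluating the calling chain's remaining rules
    return None

def snat_for(src, dst, out_if="eth1", counters=None):
    """Source address a packet leaves with after nat POSTROUTING (None = unchanged)."""
    counters = {} if counters is None else counters
    return walk("POSTROUTING", ipaddress.ip_address(src),
                ipaddress.ip_address(dst), out_if, counters)
```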