[Openswan Users] Hiding NAT "in the tunnel"
Fikar, Milan
milan.fikar at siemens.com
Wed Feb 7 09:34:31 EST 2007
Hi all,

in an embedded box running Linux with OpenVPN and some IPSec implementation, possibly Openswan, I have seen the following functionality. Instead of a simple tunnel built between two public IPs (A/B) and connecting two LAN subnets, e.g.:
                           IP A                         IP B
192.168.1.0/24 subnet ---> ========IPSec=traffic===== <--- 10.0.0.0/24 subnet
it was able to do also this:
192.168.1.0/24 NATted into one IP C ---> ===IPSec==== <--- 10.0.0.0/24 subnet
All traffic going from 192.168.1.0/24 to 10.0.0.0/24 was NATted first as a <IP C + port number> pair and only then put into the tunnel. I.e., on the other side, the party could see only traffic from IP C, no 192.168.1.0/24 addresses.

This unique IP C address is used to distinguish among many clients with the same LAN subnets (side A), so that all of them can have a tunnel to a datacenter (side B). Each client has its own dedicated IP C address.
Is it possible to configure this scenario using only Openswan? Or do I have to use iptables, or does OpenVPN maybe play some role in this?

Any input is appreciated.

Thank you.

--Milan Fikar
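The layout asked about above, as an added example that is not part of the original post or of any reply in the thread: one common way to build "NAT first, then tunnel" on a Linux gateway running Openswan with the kernel IPsec stack is a netfilter SNAT rule scoped to LAN-to-datacenter traffic, plus a conn whose local selector is the single NAT address. The subnets come from the post; IP A, IP B and IP C are placeholder addresses, and the conn name and `authby=secret` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: Linux gateway with
# iptables and Openswan (NETKEY), which re-runs the IPsec policy lookup after
# SNAT, so the post-NAT source (IP C) is what gets matched into the tunnel.
LAN=192.168.1.0/24        # client LAN, identical at every client site
NAT_IP=203.0.113.10       # "IP C": one dedicated address per client (placeholder)
REMOTE=10.0.0.0/24        # datacenter subnet
IP_A=198.51.100.1         # local public IP (placeholder)
IP_B=192.0.2.1            # datacenter public IP (placeholder)

# 1. Translate only LAN -> datacenter traffic to IP C (source address + port).
#    Scoping on -d keeps local and Internet-bound traffic untouched.
snat_rule() {
    echo "iptables -t nat -A POSTROUTING -s $LAN -d $REMOTE -j SNAT --to-source $NAT_IP"
}

# 2. Openswan conn: the local "subnet" is the /32 NAT address, so the
#    datacenter negotiates and sees only IP C, never 192.168.1.x addresses.
#    Because every client has a distinct IP C, the datacenter can keep one
#    conn per client even though all client LANs overlap.
conn_block() {
    cat <<EOF
conn client-$NAT_IP
    left=$IP_A
    leftsubnet=$NAT_IP/32
    right=$IP_B
    rightsubnet=$REMOTE
    authby=secret
    auto=start
EOF
}

# 3. Check that the tunnel selector is the NAT address and not the LAN:
#    a leftsubnet of 192.168.1.0/24 would leak private addresses to side B.
selector_is_nat_ip() {
    conn_block | grep -q "^ *leftsubnet=$NAT_IP/32\$" &&
    ! conn_block | grep -q "leftsubnet=$LAN"
}

snat_rule
conn_block
```

Apply the SNAT rule before starting the conn so the first LAN packet is already translated when the policy lookup runs; on the datacenter side, reply traffic to IP C is routed back into the matching client tunnel by the `rightsubnet=<IP C>/32` selector there.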