[Openswan Users] Hiding NAT "in the tunnel"

Paul Wouters paul at xelerance.com
Wed Feb 7 13:55:28 EST 2007


On Wed, 7 Feb 2007, Fikar, Milan wrote:

> possibly Openswan, I have seen the following functionality. Instead of a
> simple tunnel built between two public IPs (A/B) and connecting two LAN
> subnets, e.g.:
>
>                          IP A                        IP B
> 192.168.1.0/24 subnet ---> ========IPSec=traffic===== <--- 10.0.0.0/24 subnet
>
> it was able to do also this:
>
> 192.168.1.0/24 NATted into one IP C ---> ===IPSec==== <--- 10.0.0.0/24 subnet
>
> All traffic going from 192.168.1.0/24 to 10.0.0.0/24 was NATted first as a
> <IP C + port number> pair and only then put into the tunnel. I.e., on the
> other side, the party could see only traffic from IP C, no 192.168.1.0/24
> addresses.
>
> This unique IP C address is used to distinguish among many clients with the
> same LAN subnets (side A), so that all of them can have a tunnel to a
> datacenter (side B). Each client has its own dedicated IP C address.
>
> Is it possible to configure this scenario using only Openswan? Or do
> I have to use iptables or does maybe OpenVPN play some role in this?

Yes, you can. If you use KLIPS, you can use iptables to NAT packets on
the ipsec0 interface, and change the policy to make a tunnel for IP C/32.
With NETKEY, things are a bit more complex, and you'll end up having
to mark packets and use certain very new 2.6.18+ kernels due to changes
in the SNAT mechanism.

Paul
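The KLIPS variant Paul describes, written out as an added example (not from the thread or from the Openswan project): the conn carries only IP C/32 as its local subnet, and an SNAT rule on ipsec0 rewrites the LAN source before KLIPS encrypts the packet. All addresses (IP A, IP B, IP C and the two LANs) are constructed placeholders; the script only prints the config and the rule, it does not install them.

```shell
#!/bin/sh
# Added example: "NAT before the tunnel" with Openswan/KLIPS.
# All addresses below are constructed for illustration only.
LAN_NET="192.168.1.0/24"   # client LAN (side A), same on every client
IP_A="203.0.113.10"        # client gateway public IP (left)
IP_B="198.51.100.20"       # datacenter gateway public IP (right)
IP_C="192.0.2.7"           # dedicated NAT address for this client
DC_NET="10.0.0.0/24"       # datacenter LAN (side B)

# Tunnel policy: leftsubnet is IP C/32, so the datacenter side never
# negotiates or sees the overlapping 192.168.1.0/24 range.
ipsec_conn() {
    cat <<EOF
conn client-to-datacenter
    type=tunnel
    authby=secret
    left=$IP_A
    leftsubnet=$IP_C/32
    right=$IP_B
    rightsubnet=$DC_NET
    auto=start
EOF
}

# SNAT in nat/POSTROUTING on ipsec0: with KLIPS the plaintext packet
# passes this hook before encryption, so the rewrite lands inside the
# tunnel. Scoped to LAN -> datacenter traffic only.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o ipsec0 -s %s -d %s -j SNAT --to-source %s\n' \
        "$LAN_NET" "$DC_NET" "$IP_C"
}

# Sanity check: the real LAN subnet must not leak into the tunnel policy.
policy_leaks_lan() {
    if ipsec_conn | grep -q "leftsubnet=$LAN_NET"; then echo yes; else echo no; fi
}

echo "# generated conn stanza (append to ipsec.conf):"
ipsec_conn
echo "# NAT rule to apply on the client gateway:"
snat_rule
```

Remote-initiated connections toward the client LAN do not work in this layout, since only IP C exists inside the tunnel and conntrack can reverse the NAT only for flows the LAN started.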