[Openswan Users] SNAT with Openswan Help
imac at netstatz.com
Mon Apr 28 04:07:41 EDT 2008
Currently I have a partially working configuration using SNAT and
Openswan; however, it only works from the actual Openswan device.
The Network Config:
My Side: DLINK DFL-800
Client Side: PIX [VPN 3000]
1.2.3.X/24===[Public 1]...[Public 2]===4.5.6.X/24(Private)
The client has requested that the VPN tunnel use source and destination
IPs allocated from their network space. They request that all inbound
VPN traffic be SNAT'd from Y.Y.Y.Y/32 (an IP foreign to our
network/interfaces). This is effectively a one-way tunnel, with all
traffic initiated from network 1.2.3.X/24.
After Openswan is set up, it looks like this, with a route to 7.8.9.X/24
on the left GW to redirect VPN traffic to the Openswan Box (Running
1.2.3.X/24===[Public 1]...[Public 2]===7.8.9.X/24(Private)
SNAT to Y.Y.Y.Y/32 ----VPN---- 7.8.9.X/24
whack --status shows this
Y.Y.Y.Y/32===220.127.116.11[Public 1]...[Public 2]===7.8.9.X/24(Private)
Using shorewall generates the following three lines (part of the larger
shorewall script in /var/lib/shorewall/.start) to do the SNAT part to
iptables -t nat -N br0_masq
iptables -t nat -A br0_masq -s 1.2.3.0/24 -d 7.8.9.0/24 -m policy \
    --pol none --dir out -j SNAT --to-source Y.Y.Y.Y
iptables -t nat -A POSTROUTING -o br0 -j br0_masq
After which, from the Openswan box locally, all the traffic is SNAT'd
from Y.Y.Y.Y and travels over the VPN (and back) without any issues.
This was straightforward.
So I have 126.96.36.199-SNAT(Y.Y.Y.Y) -> 7.8.9.X working perfectly. But I
need the rest of the network to go over the VPN.
But when I send pings from other devices on the 1.2.3.X/24 network to the
7.8.9.X/24 network, they arrive at the Openswan box (verified by
tcpdump), but then the box sends back "host unreachable" ICMP... even
though the tunnel is up and locally the NAT and forward over the VPN
After reading around, I note the following,
and some online reference to Patrick Hardy's work on this.
How do I get iptables to put my routed traffic to my Openswan box over
the VPN with the SNAT? I think I am close; I just need somebody who has
done this before to tell me the commands.
I can't seem to use SNAT in PREROUTING which was my first thought. I
need some help on how to make the NAT happen before the VPN routing
decision. Policy routing? Anyone know how to do this?
Any help appreciated,
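One way to write the forwarded-traffic case the post asks about, as an added example that is not the poster's configuration and not shorewall's generated script. It assumes Openswan on the NETKEY (native kernel) IPsec stack, where the kernel re-runs the IPsec policy lookup on a packet after nat/POSTROUTING has rewritten it, so the SNAT to Y.Y.Y.Y is applied first and the rewritten packet is then matched against the Y.Y.Y.Y/32 to 7.8.9.0/24 policy and encrypted. The addresses, the br0 interface and the Y.Y.Y.Y placeholder are taken from the post; the `run` helper and the `DRY_RUN` switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from shorewall/Openswan.
# Assumptions (placeholders from the post): NETKEY IPsec stack, tunnel
# Y.Y.Y.Y/32 <-> 7.8.9.0/24 (leftsubnet=Y.Y.Y.Y/32), LAN 1.2.3.0/24 whose
# gateway routes 7.8.9.0/24 to this box, egress interface br0.
LAN=1.2.3.0/24
REMOTE=7.8.9.0/24
NAT_SRC=Y.Y.Y.Y
OUT_IF=br0

# Run a command, or only print it when DRY_RUN=1 (review the rules before loading).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

vpn_snat_rules() {
  run sysctl -w net.ipv4.ip_forward=1

  # LAN packets bound for the client subnet. Matched by address rather than by
  # '-m policy --pol ipsec': at FORWARD time the packet still carries its
  # 1.2.3.x source and therefore does not yet match the Y.Y.Y.Y/32 policy.
  run iptables -A FORWARD -s "$LAN" -d "$REMOTE" -j ACCEPT

  # Replies arrive decrypted ('--pol ipsec --dir in') and have already been
  # de-NATed back to their 1.2.3.x destination before FORWARD sees them.
  run iptables -A FORWARD -s "$REMOTE" -d "$LAN" -m policy --dir in --pol ipsec -j ACCEPT

  # The SNAT itself. nat/POSTROUTING covers both locally generated and forwarded
  # packets, so the box's own traffic and the LAN's traffic get the same
  # treatment. '--pol none' limits the rule to packets not yet bound to an IPsec
  # policy, i.e. the pre-NAT plaintext, so nothing already headed into an SA is
  # rewritten a second time.
  run iptables -t nat -A POSTROUTING -o "$OUT_IF" -s "$LAN" -d "$REMOTE" \
      -m policy --dir out --pol none -j SNAT --to-source "$NAT_SRC"
}

# Usage: 'sh this.sh show' prints the rules, 'sh this.sh apply' loads them.
case "${1:-}" in
  apply) vpn_snat_rules ;;
  show)  DRY_RUN=1; vpn_snat_rules ;;
esac
```

Two things to check alongside the rules, both following from the assumptions above: `ipsec whack --status` should show the left end as Y.Y.Y.Y/32 (as in the post), since the post-NAT packet is what the policy has to match; and the box itself still needs some route for 7.8.9.0/24 so the forward path does not reject the packet before NAT. On NETKEY the default route is enough for that inner lookup, because the encrypted packet is routed by its outer destination (Public 2), not by 7.8.9.x.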