[Openswan Users] SNAT with Openswan Help

Ian MacDonald imac at netstatz.com
Mon Apr 28 04:07:41 EDT 2008


Currently I have a partially working configuration using SNAT and
Openswan, however it only works from the actual Openswan device.

The Network Config:

My Side:  DLINK DFL-800          Client Side: PIX [VPN 3000]
1.2.3.X/24===[Public 1]...[Public 2]===4.5.6.X/24(Private)

The client has requested that the VPN tunnel use source and destination
IPs allocated from their network space. They request that all inbound
VPN traffic be SNAT'd from Y.Y.Y.Y/32 (an IP foreign to our
network/interfaces).  This is effectively a one-way tunnel, with all
traffic initiated from network 1.2.3.0/24. 

After Openswan is set up, it looks like this, with a route to 7.8.9.X/24
on the left GW to redirect VPN traffic to the Openswan Box (Running
Debian Etch)

1.2.3.X/24===[Public 1]...[Public 2]===7.8.9.X/24(Private)
           |                           |
        1.2.3.80(openswan)             PIX
        SNAT to Y.Y.Y.Y/32 ----VPN---- 7.8.9.X/24 

whack --status shows this

Y.Y.Y.Y/32===1.2.3.80[Public 1]...[Public 2]===7.8.9.X/24(Private)

Shorewall generates the following three lines (part of the larger
shorewall script in /var/lib/shorewall/.start) to do the SNAT part to
Y.Y.Y.Y:

iptables -t nat -N br0_masq

iptables -t nat -A br0_masq -s 1.2.3.0/24 -d 7.8.9.0/24 -m policy \
--pol none --dir out -j SNAT --to-source Y.Y.Y.Y

iptables -t nat -A POSTROUTING -o br0 -j br0_masq


After which, from the Openswan box locally, all the traffic is SNAT'd
from Y.Y.Y.Y and travels over the VPN (and back) without any issues.
This was straightforward. 

So I have 1.2.3.80-SNAT(Y.Y.Y.Y) -> 7.8.9.X working perfectly. But I
need the rest of the network to go over the VPN.

But when I send pings from other devices on the 1.2.3.0/24 network to
the 7.8.9.0/24 network, they arrive at the Openswan box (verified by
tcpdump) but then the box sends back ICMP "host unreachable", even
though the tunnel is up and locally the NAT and forward over the VPN
works fine.

After reading around, I note the following, 
http://lists.openswan.org/pipermail/users/2007-July/012783.html

and some online reference to Patrick Hardy's work on this. 

How do I get iptables to put my routed traffic to my Openswan box over
the VPN with the SNAT? I think I am close, just need somebody who has
done this before to tell me the commands.

I can't seem to use SNAT in PREROUTING which was my first thought. I
need some help on how to make the NAT happen before the VPN routing
decision.  Policy routing? Anyone know how to do this?

Any help appreciated, 
Ian.
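
Added example, not part of the original post: a small Python model of the address logic in the setup above. It parses the posted SNAT rule and checks a packet against the tunnel selectors shown by whack --status, before and after the source rewrite. 203.0.113.10 is a constructed stand-in for the elided Y.Y.Y.Y, and the model covers address matching only, not interfaces, the policy match or the filter table.

```python
import ipaddress
import shlex

# Constructed stand-in: the post elides the real address as Y.Y.Y.Y.
SNAT_ADDR = "203.0.113.10"

# The SNAT rule from the post, with the placeholder substituted.
RULE = ("iptables -t nat -A br0_masq -s 1.2.3.0/24 -d 7.8.9.0/24 -m policy "
        "--pol none --dir out -j SNAT --to-source " + SNAT_ADDR)

# Tunnel selectors as reported by whack --status in the post.
TUNNEL_LOCAL = ipaddress.ip_network(SNAT_ADDR + "/32")
TUNNEL_REMOTE = ipaddress.ip_network("7.8.9.0/24")


def parse_snat_rule(rule):
    """Extract source net, destination net and --to-source from an SNAT rule."""
    tokens = shlex.split(rule)
    opts = {}
    for flag in ("-s", "-d", "--to-source"):
        if flag not in tokens:
            raise ValueError("rule lacks " + flag)
        opts[flag] = tokens[tokens.index(flag) + 1]
    return (ipaddress.ip_network(opts["-s"]),
            ipaddress.ip_network(opts["-d"]),
            ipaddress.ip_address(opts["--to-source"]))


def in_tunnel(src, dst):
    """True when (src, dst) falls inside the tunnel's selectors."""
    return src in TUNNEL_LOCAL and dst in TUNNEL_REMOTE


def trace(src, dst, rule=RULE):
    """Return (matches before NAT, source after NAT, matches after NAT)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s_net, d_net, to_src = parse_snat_rule(rule)
    nat_src = to_src if (src in s_net and dst in d_net) else src
    return in_tunnel(src, dst), str(nat_src), in_tunnel(nat_src, dst)


if __name__ == "__main__":
    # 1.2.3.80 is the Openswan box; the other sources are constructed samples.
    for src in ("1.2.3.80", "1.2.3.25", "10.0.0.5"):
        print(src, trace(src, "7.8.9.10"))
```

In this model the Openswan box (1.2.3.80) and another host on 1.2.3.0/24 get the same result, so the address matching of the posted rule does not by itself separate local from forwarded traffic.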
