[Openswan Users] double natted tunnel
Jacco Kok
jacco at 0xcafebabe.nl
Fri Mar 7 10:24:33 EST 2008
LS, I am trying to set up a lan/roadwarrior type of vpn, with a twist:
lan(172.16.42.0/24) - vpn-gw (172.16.42.1/172.20.1.50) - natting-fw -
network - natting-fw - roadwarrior(10.80.6.2)
The first natting fw will translate 172.20.1.50 to 10.0.53.20
The second natting fw will translate 10.80.6.2 to 10.0.13.71
The configs are:
on the gateway:
conn east-roadwarriors
#right=10.0.53.20
right=172.20.1.50
rightnexthop=172.20.1.1
rightsubnet=172.16.42.0/24
rightcert=/etc/ipsec.d/certs/westCert.pem
rightsourceip=172.20.1.50
leftrsasigkey=%cert
left=%any
leftid="C=NL, ST=ut, O=Bigcorp, OU=Screens, CN=*, E=*"
#leftsubnet=vhost:%no:%priv
#type=tunnel
auto=add
on the roadwarrior:
conn roadwarrior-east
right=10.0.53.20
#right=172.20.1.50
#rightnexthop=10.0.53.20
rightsubnet=172.16.42.0/24
rightid="C=NL, ST=ut, O=Bigcorp, OU=Administration, CN=172.20.1.50, E=root at localhost"
left=%defaultroute
#left=10.80.6.2
#leftsubnet=vhost:%no,%priv
#type=tunnel
leftcert=eastCert.pem
auto=start
The good news is that the vpn will be established:
Mar 7 15:50:00 ford-prefect pluto[16719]: "east-roadwarriors"[1] 10.0.13.71 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x6a60efb8 <0x01809b7e xfrm=AES_0-HMAC_SHA1 NATD=10.0.13.71:4500 DPD=none}
The problem is that on the gateway traffic sent to 10.0.13.71 will go into
the tunnel:
17:06:46.536785 IP 10.0.53.20.ipsec-nat-t > 10.80.6.2.ipsec-nat-t: UDP-encap: ESP(spi=0x6a60efb8,seq=0x11), length 100
17:06:46.536785 IP 172.16.42.1.33441 > 10.0.13.71.webcache: S 186931007:186931007(0) win 5840 <mss 1460,sackOK,timestamp 195763402 0,nop,wscale 6>
Of course the other side does not understand. The address there is 10.80.6.2.
My question is where did I go wrong?
--
Try to relax and enjoy the crisis.
-- Ashleigh Brilliant
Jacco Kok
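An added diagnostic script (not from the post, nor part of Openswan) that detects the symptom described above from the two kinds of output shown: it pulls the outbound SPI and the NAT-T (post-NAT) peer address out of pluto's "IPsec SA established" line, then flags inner packets in the tcpdump that were encapsulated into that SA with the peer's post-NAT address as destination instead of its real private address. The sample lines are constructed copies of the ones in the post, and the client's private address (10.80.6.2) is passed in by hand.

```python
import re

# Constructed sample lines modelled on the post's output (not real captures).
PLUTO_LINE = ('Mar  7 15:50:00 ford-prefect pluto[16719]: "east-roadwarriors"[1] 10.0.13.71 #2: '
              'STATE_QUICK_R2: IPsec SA established {ESP=>0x6a60efb8 <0x01809b7e '
              'xfrm=AES_0-HMAC_SHA1 NATD=10.0.13.71:4500 DPD=none}')
TCPDUMP_LINES = [
    '17:06:46.536785 IP 10.0.53.20.ipsec-nat-t > 10.80.6.2.ipsec-nat-t: '
    'UDP-encap: ESP(spi=0x6a60efb8,seq=0x11), length 100',
    '17:06:46.536785 IP 172.16.42.1.33441 > 10.0.13.71.webcache: S 186931007:186931007(0) win 5840',
]

# Pluto's "IPsec SA established" line: connection name, peer, outbound/inbound SPIs, NAT-T peer address.
SA_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #\d+: STATE_QUICK_R2: '
                   r'IPsec SA established \{ESP=>(?P<spi_out>0x[0-9a-f]+) <(?P<spi_in>0x[0-9a-f]+)'
                   r'.*?NATD=(?P<natd>[\d.]+):(?P<port>\d+)')
# tcpdump: the outer NAT-T encapsulated ESP packet, and the inner packet printed after it.
ESP_RE = re.compile(r'IP (?P<src>[\d.]+)\.[\w-]+ > (?P<dst>[\d.]+)\.[\w-]+: '
                    r'UDP-encap: ESP\(spi=(?P<spi>0x[0-9a-f]+)')
PKT_RE = re.compile(r'IP (?P<src>[\d.]+)\.[\w-]+ > (?P<dst>[\d.]+)\.[\w-]+: ')


def parse_sa(line):
    """Extract connection name, SPIs and the NAT-T (post-NAT) peer address from a pluto SA line."""
    m = SA_RE.search(line)
    if m is None:
        return None
    return {'conn': m['conn'], 'natd': m['natd'], 'spi_out': m['spi_out'], 'spi_in': m['spi_in']}


def find_misrouted(sa, tcpdump_lines, client_private):
    """Return (src, dst) of inner packets that entered this SA addressed to the client's
    post-NAT address rather than its real private address: the symptom in the post."""
    flagged, after_esp = [], False
    for line in tcpdump_lines:
        esp = ESP_RE.search(line)
        if esp:
            after_esp = esp['spi'] == sa['spi_out']   # next line is this SA's inner packet
            continue
        pkt = PKT_RE.search(line)
        if pkt and after_esp and pkt['dst'] == sa['natd'] and pkt['dst'] != client_private:
            flagged.append((pkt['src'], pkt['dst']))
        after_esp = False
    return flagged


if __name__ == '__main__':
    sa = parse_sa(PLUTO_LINE)
    print(sa)
    print(find_misrouted(sa, TCPDUMP_LINES, '10.80.6.2'))   # [('172.16.42.1', '10.0.13.71')]
```

A hit means the gateway's tunnel selector for the roadwarrior is its post-NAT address; the `vhost:%no,%priv` subnet lines commented out in both configs above are Openswan's mechanism for letting a NATed client propose its private address as that selector instead.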