[Openswan Users] 2 ip ranges in our end with OpenSwan

Peter McGill petermcgill at goco.net
Tue Sep 2 10:57:58 EDT 2008


Indunil,

The problem is that SNAT is done postrouting, meaning that the decision 
to put the packets in the tunnel is done before you SNAT them. So the 
tunnel must allow 192.168.1.0/24 and 10.48.0.0/16 for it to work. Even
then I'm not sure it will work. Please let us know if it does, I have 
not seen a confirmed working setup on this list for NATed tunnel 
traffic. The only other choices are a) NAT the traffic before it reaches
the openswan server on your network, or b) setup the tunnel for 
192.168.1.0/24 and have the remote end do the NATing after they receive 
it. I'd really like to know if you get this working how you did it. I 
had a similar request from a business partner, but we gave up trying to 
get it to work and just used the tunnel without NATing the traffic.

Peter

Indunil Jayasooriya wrote:
> Hi Peter,
> 
> 
> 192.168.1.1/24 is the primary ip.
> 10.48.0.1/16 is the secondary ip to the same interface.
> 
> I have done SNAT. That is the situation on the firewall running openswan.
> 
> in that case, Will it be possible?
> 
> 
> 
> 
> On 9/2/08, Peter McGill <petermcgill at goco.net> wrote:
>> Indunil,
>>
>> Openswan does not NAT addresses, you cannot have a working conn
>> with 10.48.0.0/16 on your side when your addresses are 192.168.1.0/24.
>> You must use 192.168.1.0/24 which matches your lan. Unless you're saying
>> that you've added a second lan using 10.48.0.0/16. The output of ifconfig
>> would help clarify your situation.
>>
>> And please turn these off, they produce a mountain of useless logs:
>>        #klipsdebug=none
>>        #plutodebug=none
>>
>> Peter
>>
>>
>> Indunil Jayasooriya wrote:
>>> Hi,
>>>
>>> I am running Openswan on Centos 5 firewall. On my side, I have only
>>> one subnet that is 192.168.1.0/24. On the other side there are 4
>>> subnets. We can connect to each other. It works fine.
>>>
>>> Now, the other side has added another subnet. They asked us to use a
>>> different ip range to access it. They have given 10.48.0.0/16 to use
>>> as the other ip range for our side.
>>>
>>> But, the new ip range still can't access the other side.
>>>
>>> pls see my ipsec.conf file .
>>>
>>> [root at firewall ~]# cat /etc/ipsec.conf
>>> # /etc/ipsec.conf - Openswan IPsec configuration file
>>> #
>>> # Manual:     ipsec.conf.5
>>> #
>>> # Please place your own config files in /etc/ipsec.d/ ending in .conf
>>>
>>> version 2.0     # conforms to second version of ipsec.conf specification
>>>
>>> # basic configuration
>>> config setup
>>>        interfaces=%defaultroute
>>>        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>>>        klipsdebug=all
>>>        plutodebug=all
>>>        nat_traversal=yes
>>>
>>> conn tunnelipsec1
>>>        type=tunnel
>>>        left=220.247.213.202
>>>        leftsubnet=192.168.1.0/24
>>>        right=196.4.52.10
>>>        rightsubnet=196.4.49.0/24
>>>        esp=3des
>>>        authby=secret
>>>        keyexchange=ike
>>>        pfs=no
>>>        auto=start
>>>
>>> conn tunnelipsec2
>>>        type=tunnel
>>>        left=220.247.213.202
>>>        leftsubnet=192.168.1.0/24
>>>        right=196.4.52.10
>>>        rightsubnet=196.4.51.0/24
>>>        esp=3des
>>>        authby=secret
>>>        keyexchange=ike
>>>        pfs=no
>>>        auto=start
>>>
>>> conn tunnelipsec3
>>>        type=tunnel
>>>        left=220.247.213.202
>>>        leftsubnet=192.168.1.0/24
>>>        right=196.4.52.10
>>>        rightsubnet=10.10.99.0/24
>>>        esp=3des
>>>        authby=secret
>>>        keyexchange=ike
>>>        pfs=no
>>>        auto=start
>>>
>>> conn tunnelipsec4
>>>        type=tunnel
>>>        left=220.247.213.202
>>>        leftsubnet=192.168.1.0/24
>>>        right=196.4.52.10
>>>        rightsubnet=10.10.250.0/24
>>>        esp=3des
>>>        authby=secret
>>>        keyexchange=ike
>>>        pfs=no
>>>        auto=start
>>>
>>> conn tunnelipsec5
>>>        type=tunnel
>>>        left=220.247.213.202
>>>        leftsubnet=10.48.0.0/16
>>>        right=196.4.52.10
>>>        rightsubnet=10.254.0.0/16
>>>        esp=3des
>>>        authby=secret
>>>        keyexchange=ike
>>>        pfs=no
>>>        auto=start
>>>
>>> #Disable Opportunistic Encryption
>>> include /etc/ipsec.d/examples/no_oe.conf
>>>
>>> I have added the below iptables rules as well.
>>>
>>>
>>> iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
>>> iptables -t nat -A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
>>> iptables -t nat -A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
>>> iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
>>> iptables -t nat -A POSTROUTING -o eth1 -d 10.254.0.0/16 -j ACCEPT
>>>
>>>
>>> $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 220.247.213.202
>>> $IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.48.0.0/16 -j SNAT --to-source 220.247.213.202
>>>
>>> We can access the first 4 subnets of the other side with the 192.168.1.0/24 ip
>>> range. But, we cannot access the last subnet of the other side with
>>> 10.48.0.0/16?
>>>
>>> Could you please explain why?
>>>
>>>
>>>
>>>
> 
> 
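The ordering Peter describes (the IPsec policy lookup sees the packet's original addresses, nat/POSTROUTING runs afterwards, and a SNAT there rewrites the source of a packet that has already been chosen for a tunnel) can be traced with a small model. The code below is an added example, not Openswan or netfilter code; it reduces each conn to its leftsubnet/rightsubnet selector, walks the nat/POSTROUTING chain in order, and reports whether the inner packet still matches the selector the peer will enforce. The conns and nat rules are taken from the thread; the host addresses 192.168.1.10, 196.4.49.5 and 10.254.0.5 are constructed for the trace, and the NETKEY-style ordering (policy lookup before POSTROUTING on the same interface) is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added model (not Openswan or netfilter code) of the ordering Peter describes:
# the IPsec policy lookup sees the packet's original source/destination, and
# nat/POSTROUTING runs after that decision, so a SNAT rule there rewrites the
# source of a packet that has already been chosen for a tunnel.


@dataclass
class Conn:
    """One ipsec.conf conn, reduced to its traffic selector."""
    name: str
    leftsubnet: str
    rightsubnet: str

    def selects(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.leftsubnet)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.rightsubnet))


@dataclass
class NatRule:
    """One nat/POSTROUTING rule: optional -s and -d matches, ACCEPT or SNAT target."""
    target: str                      # "ACCEPT" or "SNAT"
    src: Optional[str] = None        # -s prefix, None = any source
    dst: Optional[str] = None        # -d prefix, None = any destination
    to_source: Optional[str] = None  # --to-source for SNAT

    def matches(self, src: str, dst: str) -> bool:
        ok_src = self.src is None or ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
        ok_dst = self.dst is None or ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
        return ok_src and ok_dst


def spd_lookup(conns: List[Conn], src: str, dst: str) -> Optional[Conn]:
    """First conn whose selector covers the packet as it left the LAN host."""
    for conn in conns:
        if conn.selects(src, dst):
            return conn
    return None


def nat_postrouting(rules: List[NatRule], src: str, dst: str) -> str:
    """Walk the chain in order; the first matching rule decides (ACCEPT = no rewrite)."""
    for rule in rules:
        if rule.matches(src, dst):
            return src if rule.target == "ACCEPT" else rule.to_source
    return src  # chain policy ACCEPT: source unchanged


def send(conns: List[Conn], rules: List[NatRule], src: str, dst: str) -> dict:
    """Trace one packet: SPD lookup first, then nat/POSTROUTING, then the selector check."""
    conn = spd_lookup(conns, src, dst)
    inner_src = nat_postrouting(rules, src, dst)
    if conn is None:
        outcome = "cleartext"          # no tunnel chosen; the packet leaves unprotected
    elif conn.selects(inner_src, dst):
        outcome = "tunnel-ok"          # inner packet still matches the SA selector
    else:
        outcome = "selector-mismatch"  # SNAT broke the selector; the peer's policy drops it
    return {"conn": conn.name if conn else None, "inner_src": inner_src, "outcome": outcome}


# The conns and nat rules from Indunil's post, addresses as in the thread.
CONNS = [
    Conn("tunnelipsec1", "192.168.1.0/24", "196.4.49.0/24"),
    Conn("tunnelipsec2", "192.168.1.0/24", "196.4.51.0/24"),
    Conn("tunnelipsec3", "192.168.1.0/24", "10.10.99.0/24"),
    Conn("tunnelipsec4", "192.168.1.0/24", "10.10.250.0/24"),
    Conn("tunnelipsec5", "10.48.0.0/16", "10.254.0.0/16"),
]
PUBLIC_IP = "220.247.213.202"
SNAT_RULES = [
    NatRule("SNAT", src="192.168.1.0/24", to_source=PUBLIC_IP),
    NatRule("SNAT", src="10.48.0.0/16", to_source=PUBLIC_IP),
]
ACCEPT_RULES = [NatRule("ACCEPT", dst=c.rightsubnet) for c in CONNS]
POSTROUTING = ACCEPT_RULES + SNAT_RULES

if __name__ == "__main__":
    # Works: selected by tunnelipsec1, and the ACCEPT rule shields it from SNAT.
    print(send(CONNS, POSTROUTING, "192.168.1.10", "196.4.49.5"))
    # Fails: a 192.168.1.x source never matches tunnelipsec5's leftsubnet, so the
    # packet is never put in the tunnel, and SNAT cannot change that afterwards.
    print(send(CONNS, POSTROUTING, "192.168.1.10", "10.254.0.5"))
    # Without the ACCEPT rules, SNAT rewrites the source after the tunnel decision
    # and the inner packet no longer matches the selector the peer enforces.
    print(send(CONNS, SNAT_RULES, "192.168.1.10", "196.4.49.5"))
```

The second trace is the poster's symptom: the 10.48.0.0/16 selector is never hit by traffic that actually originates from 192.168.1.0/24, so the only conn that would carry it is one whose leftsubnet covers 192.168.1.0/24 (Peter's option b, with the remote end handling any translation). The third trace is the general hazard the per-destination ACCEPT rules guard against; on a NETKEY host the same exclusion can be written once as `iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT` ahead of the SNAT rule, so that packets already selected for an IPsec policy are never rewritten. The model does not cover the KLIPS case, where the plaintext packet leaves via ipsec0 and an `-o eth1` rule only ever sees the ESP packet.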

