[Openswan Users] Host-To-Host over NAT

Lipinski, Steven L (Steve) lipinski at alcatel-lucent.com
Wed Apr 8 15:27:11 EDT 2009


Isn't tunnel mode going to encapsulate the original IP Header?  Then
traffic from Host_B to Host_A will contain the 192.168.0.X IP Address in
the original header?

Steve

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Wednesday, April 08, 2009 3:23 PM
To: Lipinski, Steven L (Steve)
Cc: users at openswan.org
Subject: Re: [Openswan Users] Host-To-Host over NAT

On Wed, 8 Apr 2009, Lipinski, Steven L (Steve) wrote:

> I'm trying to configure two systems (both running Openswan on RedHat)
> to establish an IPSec tunnel.  This is strictly a host-to-host
> connection, and I believe I need to use transport mode (I don't believe
> tunnel mode will work given our restrictions).

That's wrong. Use tunnel mode.

> The trick is that one or both hosts
> may be behind a NAT device, and the mate host need not be configured
> with the private IP Addressing information used behind the NAT device.

ESPECIALLY with NAT involved, use tunnel mode!

Paul
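
[Editor's note, not part of the original thread: for readers looking for
what the tunnel-mode, host-to-host-over-NAT setup Paul recommends looks
like in Openswan terms, here is an added example written by the editor;
it is not code from Steve, Paul or the Openswan project. Every address,
identity and secret in it is a placeholder: Host_A is assumed to have the
public address 203.0.113.1, Host_B is assumed to sit behind a NAT with the
private address 192.168.0.10, and the PSK must be replaced. The point it
illustrates is that Host_A does not need Host_B's private address in
advance; it only needs to accept one from a declared set of private ranges
(virtual_private / vhost:%priv), while NAT Traversal carries ESP inside
UDP so the NAT can pass it.]

```ini
# /etc/ipsec.conf on Host_A (public side; 203.0.113.1 is an assumed placeholder).
# Editor's added example for this thread, not Openswan project configuration.
version 2.0

config setup
    # NAT Traversal: detect the NAT in IKE and wrap ESP in UDP/4500.
    nat_traversal=yes
    # Private ranges a NATed peer may present as its inner (tunnel) address.
    # Exclude any of these ranges that Host_A itself routes locally with a
    # leading "!" (e.g. %v4:!192.168.100.0/24), otherwise they would collide.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    protostack=netkey

conn hostb-behind-nat
    # Tunnel mode: the original IP header (with Host_B's 192.168.0.x source)
    # is encapsulated and protected; the outer header carries the NAT's
    # public address, which is what the NAT rewrites.
    type=tunnel
    authby=secret
    left=203.0.113.1
    leftid=@hosta.example
    # Host_B's public address is whatever the NAT assigns, so accept any.
    right=%any
    rightid=@hostb.example
    # Accept exactly one inner address drawn from virtual_private (%priv),
    # or no inner subnet at all (%no) if the peer turns out not to be NATed.
    rightsubnet=vhost:%priv,%no
    auto=add

# /etc/ipsec.conf on Host_B (behind NAT; 192.168.0.10 is an assumed placeholder):
#
# config setup
#     nat_traversal=yes
#     protostack=netkey
#
# conn hosta
#     type=tunnel
#     authby=secret
#     left=%defaultroute        # resolves to 192.168.0.10; no leftsubnet, so the
#     leftid=@hostb.example     # tunnel covers Host_B's own private /32
#     right=203.0.113.1
#     rightid=@hosta.example
#     auto=start
#
# /etc/ipsec.secrets (placeholder secret; replace it on both hosts).
# With IKEv1 main mode the PSK is selected by peer address before the
# ID payload is seen, so Host_A must key the NATed peer as %any:
#
#   on Host_A:  203.0.113.1 %any        : PSK "replace-with-a-long-random-secret"
#   on Host_B:  %any        203.0.113.1 : PSK "replace-with-a-long-random-secret"
```

After starting both sides, "ipsec auto --status" on Host_A should show the
connection instantiated with Host_B's private address as the right subnet,
and "ipsec whack --status" (or the pluto log) should report NAT-T as
active (ESP in UDP/4500) when a NAT was detected; if it does not, check
that UDP/500 and UDP/4500 are allowed through the NAT and any firewall.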
