[Openswan Users] Managing site to site VPNs where either end may have enforced NAT applied to it
anthony-openswan at hogan.id.au
Tue Jun 16 22:29:03 EDT 2009
Over the past several months at work, we've been looking into "3G"
wireless solutions for backup internet connectivity. The issue with
this is that in Australia, the majority of "business grade" 3G
services either cost an arm and a leg or are pre-NAT'd, such that when
a site cuts over to 3G, it loses the ability to accept inbound
connections, making it unreachable.
Ok.. so one establishes a VPN out - problem solved..
.. but what happens if there's no designated "reliable" server per se
- and any site may fail over to 3G?
Ideally this means if one site has a public IP then the other sites
should be able to connect to it and once VPNs are up who linked where
first shouldn't matter.
The appliances we have seem to use Openswan 2.6.x (is what pluto
--version says on them).
Has anyone done this kind of setup where sites may switch back and
forth between playing initiator and responder? (I suspect it's likely
I'll need to override some of the "smarts" of the appliance, but I do
have SSH CLI access to it.)