[Openswan Users] question about road-warrior setup with a natted gateway

Freeman Wang xwang at ubicom.com
Fri Jun 26 13:19:43 EDT 2009



I'm trying to set up a home IPsec VPN gateway with NAT turned on, and
allow a road warrior to connect. The IKE exchange completes successfully,
but I cannot get it to pass ESP traffic. I wonder if my setup is valid or
even allowed.


This is my setup:


    Linux PC (road-warrior)   ....   <---->   uClinux box (src

Both netfilter/iptables and Openswan are running on the same uClinux
box. If I treat the client as having a fixed IP address, a setup I call
nat-to-host, I can get it to work properly after fixing the iptables entry
following the instructions from the Openswan wiki. However, I have no idea
how to make it work in the case of a road warrior. Here is what confuses

In order to do something like this


# iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE

change it to something like: 

# iptables -t nat -A POSTROUTING -o eth0 -s -d ! -j MASQUERADE


It seems I need to know the IP address of the road warrior to exclude it
from being masqueraded. But how do I get the address in the case of a
road warrior? Do I have to turn off NAT if I want to support


