[Openswan Users] question about road-warrior setup with a natted gateway

Freeman Wang xwang at ubicom.com
Fri Jun 26 17:02:35 EDT 2009

I was lazy and just copy-pasted the instructions from the openswan wiki page. Sorry if it confused you.

I'm assuming my road warrior is a Linux laptop running openswan and gets its dynamic IP address from somewhere. For now, I haven't taken the step of putting it behind a NAT gateway.

In my setup, the road warrior has a dynamic public IP address, and the gateway has a static public IP address. The gateway also has a private subnet and they use NAT to talk to the outside.

Now if I have a road warrior openswan VPN connection up, how can I make the traffic to the road warrior bypass the NAT filter rule and go to the eroute instead? I hope, at the same time, I can still let the rest of the private LAN use NAT when they are not talking to the road warrior.

The configuration manual in the openswan wiki page suggests replacing the NAT rule with an exception for the peer subnet. But I won't know the peer address until the IPSec connection is up. (The same trick has been working fine for me for cases other than road warrior.)

I saw a _updown script file which seems to allow users to update some firewall rules upon connection status change, and it seems to have all connection information passed from pluto when invoked. Should I modify that script? Are there any samples?


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Friday, June 26, 2009 12:30 PM
To: Freeman Wang
Cc: users at openswan.org
Subject: Re: [Openswan Users] question about road-warrior setup with a natted gateway

On Fri, 26 Jun 2009, Freeman Wang wrote:

> In order to do something like this
>  # iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE
> change it to something like:
>  # iptables -t nat -A POSTROUTING -o eth0 -s -d ! -j MASQUERADE
> It seems I need to know the IP address of the road-warrior to exclude it
> from being masqueraded.

You should not need that. I am not sure I understand why you think you
need to? If your roadwarrior has a subnet behind it that needs to connect
to a remote ipsec gateway, then it should just not NAT/MASQ anything with
source address from within that subnet.
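
An added example, not part of the original thread or of Openswan's own scripts: a hook of the kind the `_updown` question above asks about, which inserts a NAT exemption for the peer when the tunnel comes up and deletes it when the tunnel goes down. It relies on the `PLUTO_VERB`, `PLUTO_MY_CLIENT` and `PLUTO_PEER_CLIENT` variables that pluto exports to updown scripts; `nat_exempt`, `valid_cidr` and the `IPTABLES` override are hypothetical names, and the handling is IPv4 only.

```shell
#!/bin/sh
# Added example: per-connection NAT exemption for a road warrior.
# pluto runs the updown script as root and exports PLUTO_VERB,
# PLUTO_MY_CLIENT (our subnet) and PLUTO_PEER_CLIENT (peer, CIDR form).

# Hypothetical override: set IPTABLES="echo iptables" for a dry run.
IPTABLES="${IPTABLES:-iptables}"

# The peer address is only known at connect time and is influenced by the
# remote side, so reject anything that is not a plain IPv4 address/prefix
# before handing it to a command that runs as root.
valid_cidr() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;   # empty, or a character outside 0-9 . /
        *.*.*.*)       return 0 ;;   # at least a dotted quad
        *)             return 1 ;;
    esac
}

nat_exempt() {
    case "${PLUTO_VERB:-}" in
        up-client|up-host)     op=-I ;;  # insert ahead of the MASQUERADE rule
        down-client|down-host) op=-D ;;  # delete the identical rule again
        *) return 0 ;;                   # prepare/route/unroute: no NAT change
    esac
    valid_cidr "${PLUTO_MY_CLIENT:-}" || return 1
    valid_cidr "${PLUTO_PEER_CLIENT:-}" || return 1
    # ACCEPT in the nat table ends traversal, so LAN-to-peer packets leave
    # POSTROUTING untranslated and still match the IPsec policy. All other
    # LAN traffic falls through to the existing MASQUERADE rule.
    $IPTABLES -t nat "$op" POSTROUTING \
        -s "$PLUTO_MY_CLIENT" -d "$PLUTO_PEER_CLIENT" -j ACCEPT
}

# Does nothing when run outside pluto (PLUTO_VERB unset).
nat_exempt
```

One way to wire this in, as an assumption about the deployment: save it as a wrapper named in the connection's `leftupdown=` setting and have the wrapper hand off to the stock `ipsec _updown` afterwards, so routing is still set up as usual.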

