[Openswan Users] question about road-warrior setup with a natted gateway

Paul Wouters paul at xelerance.com
Sat Jun 27 00:53:24 EDT 2009


On Fri, 26 Jun 2009, Freeman Wang wrote:

> In my setup, the road warrior has a dynamic public IP address, and the gateway has a static public IP address. The gateway also has a private subnet 192.168.0.0/24 and they use NAT to talk to the outside.
>
> Now if I have a road warrior openswan VPN connection up, how can I make the traffic to the road warrior by-pass the NAT filter rule and go to the eroute instead? I hope, in the same time, I can still let the rest of the private LAN use NAT when they are not talking to the road warrior.

With KLIPS you could run NAT on the eth0 interface and exclude NAT for
IPsec packets (proto ESP and UDP 500/4500). Packets for the tunnel, which
would hit the ipsec interface first, would get encrypted, and put on the eth0
interface and then be skipped from NAT.

With NETKEY, you might be able to use the MARKing facility by marking
incoming IPsec packets. The mark survives decrypting, and the packet goes on,
gets a reply, which I hope would inherit the MARK, and you could then skip
NAT'ing for MARKed packets.

Though I wonder if ipsec processing isn't happening before NAT anyway on
modern NETKEY kernels?

> I saw a _updown script file which seems allowing users to update some firewall rules upon connection status change, and it seems to have all connection information passed from pluto when invoked. Should I modify that script? Are there any samples?

That seems risky and dangerous, as you'd also have to do a lot of cleanup
afterwards.

Paul
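Editor's added example (not code from Paul's reply, from Freeman's setup, or from Openswan's own _updown scripts): the netfilter rules for the NETKEY case described above. It answers the open question in the reply: on NETKEY the outbound IPsec transform runs after the nat table's POSTROUTING hook, so a plain MASQUERADE rewrites the LAN source before the packet is matched against the tunnel policy, and the packet leaves unencrypted; decrypted inbound packets are re-injected and traverse PREROUTING/FORWARD again carrying an inbound IPsec policy. Rather than MARKing, the example uses the netfilter `policy` match (`-m policy --dir out --pol ipsec`) to exempt tunnel traffic from NAT, which also covers the LAN's replies to the road warrior since those match the same outbound policy. Assumptions not stated in the thread: the public interface is named eth0, and the LAN is the 192.168.0.0/24 given in the question. `IPT` defaults to `echo iptables` so the script can be read and run without root; set `IPT=iptables` to apply the rules.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan: gateway firewall
# rules for a road-warrior tunnel on a NETKEY kernel, excluding tunnel traffic
# from NAT with the netfilter policy match instead of MARKs.
#
# Assumptions (not in the thread): public interface eth0, LAN 192.168.0.0/24.
# IPT defaults to "echo iptables" (dry run, no root needed); set IPT=iptables
# in the environment to install the rules for real.

IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"                # assumed public interface name
LAN_NET="${LAN_NET:-192.168.0.0/24}"    # private subnet from the question

# Emits (or installs) the rules in the order they must appear in the chains.
# Returns non-zero as soon as one iptables call fails.
gateway_nat_rules() {
    # 1. Let IKE (UDP 500), NAT-T (UDP 4500) and ESP reach the gateway.
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT &&
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT &&
    $IPT -A INPUT -i "$WAN_IF" -p esp -j ACCEPT &&

    # 2. Forward only what arrived inside the tunnel (decrypted packets carry
    #    an inbound IPsec policy) and the LAN's replies that will be encrypted
    #    on the way out (outbound IPsec policy). Other outside traffic is not
    #    forwarded by these rules.
    $IPT -A FORWARD -m policy --dir in --pol ipsec -d "$LAN_NET" -j ACCEPT &&
    $IPT -A FORWARD -m policy --dir out --pol ipsec -s "$LAN_NET" -j ACCEPT &&

    # 3. NAT exclusion. The outbound xfrm transform runs after POSTROUTING, so
    #    a bare MASQUERADE would rewrite the LAN source to the public IP first;
    #    the packet would then no longer match the LAN<->road-warrior policy
    #    and would leave in the clear. The ACCEPT must precede the MASQUERADE
    #    rule: chain order is what makes the exclusion work.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -m policy --dir out --pol ipsec -j ACCEPT &&
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

gateway_nat_rules
```

The rules are stateless on purpose: no MARK has to survive decryption and no reply has to inherit it, because both directions of the tunnel traffic are identified by the kernel's own IPsec policy lookup. Verify with `iptables -t nat -L POSTROUTING -v` that the `policy` ACCEPT rule sits above MASQUERADE and that its counters increase while the road warrior pings a LAN host.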

