[Openswan Users] question about road-warrior setup with a natted gateway

Freeman Wang xwang at ubicom.com
Mon Jun 29 13:11:05 EDT 2009

Thanks a lot, Paul. I will switch to KLIPS and try. I have been using
NETKEY, and it looks to me like NAT always happens before IPsec
processing. Otherwise I wouldn't get into this trouble :(

The MARKing thing seems incomplete? At least the first outgoing packet
(initiating) will not be marked properly. Will outgoing traffic cause
the connection to be marked too? I know almost nothing about
netfilter/iptables now, but I plan to read this week and will try the
trick to see if we have any luck.

Thanks again

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Friday, June 26, 2009 9:53 PM
To: Freeman Wang
Cc: users at openswan.org
Subject: RE: [Openswan Users] question about road-warrior setup with a natted gateway

On Fri, 26 Jun 2009, Freeman Wang wrote:

> In my setup, the road warrior has a dynamic public IP address, and the
> gateway has a static public IP address. The gateway also has a private
> subnet and they use NAT to talk to the outside.
> Now if I have a road warrior openswan VPN connection up, how can I
> make the traffic to the road warrior by-pass the NAT filter rule and go
> to the eroute instead? I hope, in the same time, I can still let the
> rest of the private LAN use NAT when they are not talking to the road

With KLIPS you could run NAT on the eth0 interface and exclude NAT for
IPsec packets (proto ESP and UDP 500/4500). Packets for the tunnel
would hit the ipsec interface first, get encrypted, be put on the
interface and then be skipped by NAT.

With NETKEY, you might be able to use the MARKing facility by marking
incoming IPsec packets. The mark survives decrypting, and the packet
goes on, gets a reply, which I hope would inherit the MARK, and you
could then skip NAT'ing for MARKed packets.

Though I wonder if IPsec processing isn't happening before NAT anyway on
modern NETKEY kernels?

> I saw a _updown script file which seems to allow users to update some
> firewall rules upon connection status change, and it seems to have all
> connection information passed from pluto when invoked. Should I modify
> that script? Are there any samples?

That seems risky and dangerous, as you'd also have to do a lot of
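
The two NAT layouts discussed in this thread, written out as an added example (this is not code from the thread, from Openswan, or from either poster). The KLIPS variant is exactly what Paul describes: ESP and IKE on UDP 500/4500 are accepted in nat/POSTROUTING ahead of the masquerade rule, because by the time tunnel traffic reaches eth0 it is already encrypted. The NETKEY variant goes beyond the thread: since the kernel's XFRM code encrypts after nat/POSTROUTING (the behaviour Freeman observed), it uses the xt_policy match (`-m policy --dir out --pol ipsec`) to exempt any packet that is about to be IPsec-processed, which avoids the first-packet problem Freeman raised with the MARK/CONNMARK idea. Interface name `eth0`, the LAN subnet `192.168.1.0/24`, and the `DRY_RUN` switch are assumptions for illustration; with `DRY_RUN=0` and root the same functions apply the rules for real.

```shell
#!/bin/sh
# Added example, not from the thread: nat/POSTROUTING layouts that keep
# road-warrior IPsec traffic out of the gateway's masquerade rule.
# LAN_NET, WAN_IF and DRY_RUN are assumptions for illustration.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed private LAN behind the gateway
WAN_IF="${WAN_IF:-eth0}"               # assumed public interface
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the rules; 0 = apply them (needs root)

# In dry-run mode print the iptables command line, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# KLIPS layout (what Paul describes): tunnel packets leave via ipsec0, are
# encrypted, and reach eth0 as ESP or as IKE/NAT-T on UDP 500/4500.
# Accepting those before the MASQUERADE rule keeps them un-NATed while the
# rest of the LAN is still masqueraded.
klips_rules() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -p esp -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -p udp --dport 500 -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# NETKEY layout (swapped-in technique, not from the thread): plaintext
# packets pass nat/POSTROUTING before XFRM encrypts them, so the ESP/500/4500
# exemptions above never see them. xt_policy matches on the packet's own
# outbound IPsec policy, so the exemption also covers the very first
# outgoing packet, which a CONNMARK-based scheme would miss.
netkey_rules() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -m policy --dir out --pol ipsec -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Ordering check for a printed rule list: number of rules that precede the
# MASQUERADE rule. Every exemption must come before it, or NAT wins.
rules_before_masq() {
    awk '/MASQUERADE/ {exit} {n++} END {print n+0}'
}

# Show both layouts when run directly (dry-run by default).
echo "# KLIPS:";  klips_rules
echo "# NETKEY:"; netkey_rules
```

Run it as `sh nat-exempt.sh` to see the rule lines, or `DRY_RUN=0 sh nat-exempt.sh` as root to install one layout (comment out the other). If the policy match is unavailable on an old kernel, `iptables -m policy -h` will complain about the module, which is the quickest way to find out before touching a production gateway.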
