[Openswan Users] NAT for packets going into an openswan tunnel

Frank Wilson frank.wilson at sidonis.com
Fri May 15 04:43:20 EDT 2009

Thanks for your reply. In fact, all I needed to do was
modify some default firewall rules that came with my distro.
I needed to explicitly FORWARD traffic from my LAN interface
to the ipsec interface as well as doing the NAT (I'm using
openWRT "whiterussian").

With NETKEY, if you have the leftsubnet limited to just the
VPN gateway (i.e. leftsubnet=VPN_GATEWAY_IP/32), then as long
as you have /proc/sys/net/ipv4/ip_forward = 1 it will automatically
forward and NAT any packets from machines that are using
the openswan host as a gateway for the remote network. If you
are having difficulty setting this up I can give you an example.

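An added example (not code from this thread or from the Openswan project) of the NETKEY-side rules the setup above needs: LAN traffic is forwarded and SNATed to the gateway's own /32 before it enters the tunnel, and because NETKEY has no ipsecX interface, decrypted inbound traffic is identified with iptables' policy match instead of "-i ipsec0". The interface name and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan.
# LAN hosts use the Openswan box as their gateway to a remote subnet; the
# tunnel's leftsubnet is the gateway's own address (/32), so LAN packets must
# be forwarded and SNATed to that address before they enter the tunnel.
# All addresses and the interface name are constructed placeholders.
LAN_IF="${LAN_IF:-br0}"                   # LAN-side interface (assumption)
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # LAN behind the Openswan host
VPN_NET="${VPN_NET:-10.99.0.0/24}"        # remote subnet (rightsubnet=)
SNAT_IP="${SNAT_IP:-203.0.113.10}"        # the leftsubnet=SNAT_IP/32 address
REMOTE_GW="${REMOTE_GW:-198.51.100.1}"    # remote IPsec peer (right=)

# Emit the rules instead of running them, so they can be reviewed first.
# Outbound: match on plain addresses. SNAT happens in POSTROUTING, after the
# forward-path xfrm lookup, and the kernel re-runs the lookup on the post-NAT
# packet, which is what then matches the SNAT_IP/32 <-> VPN_NET policy; a
# "-m policy --dir out" match on the untranslated LAN source would not hit.
# Inbound: "-m policy --dir in --pol ipsec" accepts only packets that really
# arrived decrypted from REMOTE_GW's tunnel, so a cleartext packet on the WAN
# with a spoofed VPN_NET source is left to the FORWARD chain's default policy
# (assumed to be DROP, as on a typical distro ruleset).
netkey_nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -d $VPN_NET -j ACCEPT
iptables -A FORWARD -s $VPN_NET -d $LAN_NET -m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src $REMOTE_GW -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -d $VPN_NET -j SNAT --to-source $SNAT_IP
EOF
}

# Dry run by default; APPLY=1 pipes the reviewed rules into a shell.
if [ "${APPLY:-0}" = 1 ]; then
    netkey_nat_rules | sh -e
else
    netkey_nat_rules
fi
```

Conntrack reverses the SNAT for replies, so no separate rule is needed for return traffic beyond the inbound FORWARD accept.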

-----Original Message-----
From: Tiago Durante [mailto:tiagodurante at gmail.com] 
Sent: 13 May 2009 21:16
To: Frank Wilson
Subject: Re: [Openswan Users] NAT for packets going into an openswan tunnel


On Wed, May 13, 2009 at 12:09 PM, Frank Wilson <frank.wilson at sidonis.com>
> Is there anything else I should try? I have a similar setup working with
> Openswan 2.4 on a 2.6/NETKEY kernel.

-- Sorry to reply with another question, but how do you do it using NETKEY?

When I'm using KLIPS I found it quite easy to NAT the packets... All I
do is something like that:

iptables -t nat -A POSTROUTING -s $myLAN -o ipsec0 -d $someVPN -j SNAT --to $someIP

But when I'm using NETKEY I've no idea how to do that as the NETKEY
doesn't create the ipsecX interface... right?


Tiago Durante

Perseverance is the hard work you do after you
get tired of doing the hard work you already did.
-- Newt Gingrich
