[Openswan Users] Source NATTING IPSEC traffic
Willie Gillespie
wgillespie+openswan at es2eng.com
Fri Aug 20 16:42:17 EDT 2010
Duane Mulder wrote:
> Hello All
> So I am looking to change the source IP address of traffic that is
> destined to go through an IPSEC tunnel.
>
> 10.41.0.0 -------[IPSECA]===================[IPSEC_B]------10.68.0.0
>
> What I need to do is SNAT the 10.42.0.0 hosts to a single IP address ie
> 10.52.1.1
>
> This means that hosts on the 10.68.0.0 [IPSEC_B] side see traffic coming
> from 10.52.1.1 only and not from any 10.41.0.0 address range on the
> IPSEC_A side. I understand this also means that hosts from IPSEC_B
>
> Is this something that can be added into /etc/ipsec.conf or do I need to
> do some trickery with iptables. Something like
> iptables -t nat -A prerouting -d 10.68.0.0/24 -j NETMAP to 10.52.1.1
I hope I understand you correctly.
I think it'd be easy enough to NAT the traffic moving from the left to
the right. On the right, you could do:
-A POSTROUTING -s 10.41.0.0/24 -o ethX -j SNAT --to-source 10.52.1.1
However, since the left is now essentially behind a NAT, the right
cannot talk to the left without the left starting the conversation.
Why do you need such a strange setup (with the NAT)?
Willie
More information about the Users
mailing list