[Openswan Users] Source NATTING IPSEC traffic

Willie Gillespie wgillespie+openswan at es2eng.com
Fri Aug 20 16:42:17 EDT 2010


Duane Mulder wrote:
> Hello All
> So I am looking to change the source IP address of traffic that is
> destined to go through an IPSEC tunnel.
> 
> 10.41.0.0 -------[IPSECA]===================[IPSEC_B]------10.68.0.0
> 
> What I need to do is SNAT the 10.42.0.0 hosts to a single IP address, i.e.
> 10.52.1.1
> 
> This means that hosts on the 10.68.0.0 [IPSEC_B] side see traffic coming
> from 10.52.1.1 only and not from any 10.41.0.0 address range on the
> IPSEC_A side. I understand this also means that hosts from IPSEC_B
> 
> Is this something that can be added into /etc/ipsec.conf, or do I need to
> do some trickery with iptables? Something like
> iptables -t nat -A PREROUTING -d 10.68.0.0/24 -j NETMAP --to 10.52.1.1

I hope I understand you correctly.
I think it'd be easy enough to NAT the traffic moving from the left to 
the right.  On the right, you could do:
-A POSTROUTING -s 10.41.0.0/24 -o ethX -j SNAT --to-source 10.52.1.1

However, since the left is now essentially behind a NAT, the right 
cannot talk to the left without the left starting the conversation.

Why do you need such a strange setup (with the NAT)?

Willie
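The setup Willie describes, written out as an added example (not code from either poster): a POSIX sh script that emits the iptables NAT rule for IPSEC_A, the optional DNAT that lets the right side reach one chosen host despite the NAT, the matching Openswan conn, and a small check that the SNAT rule is actually present in a nat-table listing. The /24 prefix lengths, the gateway addresses 192.0.2.1 (IPSEC_A) and 198.51.100.1 (IPSEC_B), the conn name and the DNAT target host are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Addresses below are assumed:
# the /24 prefixes follow Willie's reply, gateway IPs are documentation ranges.
LEFT_LAN=10.41.0.0/24      # hosts behind IPSEC_A that get SNATed
RIGHT_LAN=10.68.0.0/24     # hosts behind IPSEC_B
NAT_IP=10.52.1.1           # single address the right side will see
LEFT_GW=192.0.2.1          # assumed public address of IPSEC_A
RIGHT_GW=198.51.100.1      # assumed public address of IPSEC_B

# SNAT rule for IPSEC_A. Matching on the destination network rather than
# "-o ethX" ties the rewrite to tunnel-bound traffic regardless of which
# interface eventually carries the ESP packets.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j SNAT --to-source %s\n' \
        "$LEFT_LAN" "$RIGHT_LAN" "$NAT_IP"
}

# Optional DNAT for Willie's caveat: behind SNAT, 10.41.0.0/24 cannot be
# reached from the right unless it started the conversation. Steering
# unsolicited packets for 10.52.1.1 to one chosen host restores that for
# a single machine (argument: the host, e.g. 10.41.0.10, an assumption).
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -s %s -d %s -j DNAT --to-destination %s\n' \
        "$RIGHT_LAN" "$NAT_IP" "$1"
}

# Openswan conn for both gateways. The tunnel selectors carry the post-NAT
# address, so both peers negotiate 10.52.1.1/32 <-> 10.68.0.0/24 and the
# right side never sees 10.41.0.0/24 inside the tunnel. The same text works
# on both boxes; Openswan decides which side is "left" by its own address.
ipsec_conn() {
    cat <<EOF
conn a-to-b
    left=$LEFT_GW
    leftsubnet=$NAT_IP/32
    right=$RIGHT_GW
    rightsubnet=$RIGHT_LAN
    authby=secret
    auto=start
EOF
}

# Check: read an "iptables -t nat -S" listing on stdin and succeed (exit 0)
# only if the SNAT rule is installed. Useful after a reboot or a rule flush.
has_snat() {
    grep -q -- "-A POSTROUTING -s $LEFT_LAN -d $RIGHT_LAN -j SNAT --to-source $NAT_IP"
}

# Constructed sample listing, as a nat table with the rule loaded would show it.
sample_listing() {
    printf '%s\n' \
        '-P PREROUTING ACCEPT' \
        '-P POSTROUTING ACCEPT' \
        '-A POSTROUTING -s 10.41.0.0/24 -d 10.68.0.0/24 -j SNAT --to-source 10.52.1.1'
}
```

To apply on IPSEC_A, run `snat_rule | sh` (and `dnat_rule 10.41.0.10 | sh` if one host must be reachable from the right), drop the `ipsec_conn` output into /etc/ipsec.conf on both gateways, then confirm with `iptables -t nat -S | has_snat && echo ok`. The test a practitioner should not skip is on the far side: a `tcpdump -ni any net 10.68.0.0/24` on IPSEC_B must show inner packets from 10.52.1.1 only; if 10.41.x addresses appear, the NAT is being applied after encapsulation on that kernel and the rule placement needs to be revisited.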

