[Openswan Users] Source NATTING IPSEC traffic

Willie Gillespie wgillespie+openswan at es2eng.com
Fri Aug 20 16:42:17 EDT 2010

Duane Mulder wrote:
> Hello All
> So I am looking to change the source IP address of traffic that is
> destined to go through an IPSEC tunnel.
> -------[IPSECA]===================[IPSEC_B]------
> What  I need to do is SNAT the hosts to a single IP address ie
> This means that hosts on the [IPSEC_B] side see traffic coming
> from only and not from any address range on the
> IPSEC_A side. I understand this also means that hosts from IPSEC_B
> Is this something that can be added into /etc/ipsec.conf or do I need to
> do some trickery with iptables. Something like
> iptables -t nat -A prerouting -d -j NETMAP to

I hope I understand you correctly.
I think it'd be easy enough to NAT the traffic moving from the left to 
the right.  On the right, you could do:
-A POSTROUTING -s -o ethX -j SNAT --to-source

However, since the left is now essentially behind a NAT, the right 
cannot talk to the left without the left starting the conversation.

Why do you need such a strange setup (with the NAT)?


More information about the Users mailing list