[Openswan Users] Source NATTING IPSEC traffic

Duane Mulder duanemulder at rattyshack.ca
Sat Aug 21 20:58:35 EDT 2010

Thanks Willie:

I was thinking that might be the solution, I was hoping that maybe there
was some option within /etc/ipsec.conf that I could set instead.
(virtual_networks ??)  It is an unusual setup. At the remote site the IT
policy there is that all untrusted remote networks need to come from the
same 10.52.x.x network space. So they assigned us a single allowed
IP address within that space ie The problem is that we do not
use we are 10.41.x.x/16. Hence the need for the NAT.

You are correct in that this is also a one way tunnel. We can see them
but they cannot connect to hosts on our network.


Willie Gillespie wrote:
> Duane Mulder wrote:
>> Hello All
>> So I am looking to change the source IP address of traffic that is
>> destined to go through an IPSEC tunnel.
>> -------[IPSECA]===================[IPSEC_B]------
>> What I need to do is SNAT the hosts to a single IP address ie
>> This means that hosts on the [IPSEC_B] side see traffic coming
>> from only and not from any address range on the
>> IPSEC_A side. I understand this also means that hosts from IPSEC_B
>> Is this something that can be added into /etc/ipsec.conf or do I need to
>> do some trickery with iptables. Something like
>> iptables -t nat -A PREROUTING -d -j NETMAP --to
> I hope I understand you correctly.
> I think it'd be easy enough to NAT the traffic moving from the left to
> the right.  On the right, you could do:
> -A POSTROUTING -s -o ethX -j SNAT --to-source
> However, since the left is now essentially behind a NAT, the right
> cannot talk to the left without the left starting the conversation.
> Why do you need such a strange setup (with the NAT)?
> Willie
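A worked version of the SNAT-before-IPsec arrangement the thread describes, as an added example that is not from the thread, from Openswan's documentation, or from either poster. It assumes the NETKEY (kernel xfrm) stack, and every address in it is a constructed placeholder (the 10.41.0.0/16 local range is the only value taken from the thread). The nat-table rule rewrites the local hosts' source to the single assigned address before the kernel looks up the IPsec policy, so the conn must declare that address as its leftsubnet rather than the real local range; the `ip xfrm` line is the read-only check that the installed policy really carries the translated source.

```shell
#!/bin/sh
# Added example (not from the thread): SNAT a whole local /16 to one address
# before it enters an Openswan (NETKEY) tunnel, plus the matching ipsec.conf
# fragment. All addresses are constructed placeholders.
LOCAL_NET="10.41.0.0/16"        # real hosts on the IPSEC_A side (from the thread)
NAT_ADDR="10.52.0.10"           # single address assigned by the remote site (placeholder)
REMOTE_NET="10.52.0.0/16"       # subnet reachable through the tunnel (placeholder)
LEFT_GW="198.51.100.1"          # our gateway's public IP (documentation range)
RIGHT_GW="203.0.113.1"          # their gateway's public IP (documentation range)

# Emit the nat-table rule. It matches on source and destination only: with
# NETKEY the POSTROUTING nat hook rewrites the source and the kernel then
# re-runs the IPsec policy lookup on the translated packet, so the conn below
# must cover NAT_ADDR/32, not LOCAL_NET. Because the remote side now only ever
# sees NAT_ADDR, it cannot open connections to individual hosts behind it.
snat_rule() {
    echo "iptables -t nat -A POSTROUTING -s $LOCAL_NET -d $REMOTE_NET" \
         "-j SNAT --to-source $NAT_ADDR"
}

# Emit the conn stanza that pairs with the rule above (assumed layout).
ipsec_conn() {
    cat <<EOF
conn to-remote-site
    left=$LEFT_GW
    leftsubnet=$NAT_ADDR/32
    right=$RIGHT_GW
    rightsubnet=$REMOTE_NET
    authby=secret
    auto=start
EOF
}

# Read-only check: the installed outbound policy should list the translated
# source, not the real local range (needs root to display policies).
verify_hint() {
    echo "ip xfrm policy show | grep -A2 'src $NAT_ADDR/32 dst $REMOTE_NET'"
}

snat_rule
ipsec_conn
verify_hint
```

Run it once to print the rule, the conn stanza and the verification command; nothing is applied until you paste the iptables line and restart the conn yourself. If you instead match the rule on `-o ethX` as suggested in the thread, make sure that interface is the one the encapsulated traffic leaves on, otherwise the rule never fires.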
