[Openswan Users] Source NATTING IPSEC traffic

Duane Mulder duanemulder at rattyshack.ca
Sat Aug 21 20:58:35 EDT 2010


Thanks Willie:

I was thinking that might be the solution; I was hoping that maybe there
was some option within /etc/ipsec.conf that I could set instead
(virtual_networks ??). It is an unusual setup. At the remote site the IT
policy is that all untrusted remote networks need to come from the
same 10.52.x.x network space, so they assigned us a single allowed
IP address within that space, i.e. 10.52.1.1. The problem is that we do not
use 10.52.1.1; we are 10.41.x.x/16, hence the need for the NAT.

You are correct in that this is also a one way tunnel. We can see them
but they cannot connect to hosts on our network.

Regards,
Duane

Willie Gillespie wrote:
> Duane Mulder wrote:
>> Hello All
>> So I am looking to change the source IP address of traffic that is
>> destined to go through an IPSEC tunnel.
>>
>> 10.41.0.0 -------[IPSECA]===================[IPSEC_B]------10.68.0.0
>>
>> What I need to do is SNAT the 10.42.0.0 hosts to a single IP address, i.e.
>> 10.52.1.1
>>
>> This means that hosts on the 10.68.0.0 [IPSEC_B] side see traffic coming
>> from 10.52.1.1 only and not from any 10.41.0.0 address range on the
>> IPSEC_A side. I understand this also means that hosts from IPSEC_B
>>
>> Is this something that can be added into /etc/ipsec.conf or do I need to
>> do some trickery with iptables. Something like
>> iptables -t nat -A PREROUTING -d 10.68.0.0/24 -j NETMAP --to 10.52.1.1
>
> I hope I understand you correctly.
> I think it'd be easy enough to NAT the traffic moving from the left to
> the right.  On the right, you could do:
> -A POSTROUTING -s 10.41.0.0/24 -o ethX -j SNAT --to-source 10.52.1.1
>
> However, since the left is now essentially behind a NAT, the right
> cannot talk to the left without the left starting the conversation.
>
> Why do you need such a strange setup (with the NAT)?
>
> Willie
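The setup discussed in this thread (SNAT 10.41.0.0/16 to the single address 10.52.1.1 before the traffic enters the tunnel, plus the Openswan conn that matches the post-NAT address), as an added example that is not from the thread or from Openswan itself. It assumes the rules run on IPSEC_A (the gateway in front of 10.41.0.0/16) with the NETKEY stack, an outside interface named eth0, a /24 remote prefix as in the original post, and a placeholder for IPSEC_B's public address.

```shell
#!/bin/sh
# Added example: NAT before IPsec on IPSEC_A. Interface name, remote prefix
# length and the peer address are assumptions/placeholders, not from the thread.
set -eu

LOCAL_NET=10.41.0.0/16     # our real address space (from the thread)
NAT_IP=10.52.1.1           # the one address the remote site allows us (from the thread)
REMOTE_NET=10.68.0.0/24    # network behind IPSEC_B; /24 taken from the original post
WAN_IF=eth0                # outside interface of IPSEC_A (assumed)
PEER_IP=IPSEC_B_PUBLIC_IP  # placeholder: public address of IPSEC_B

# Only traffic bound for the remote network is rewritten; everything else
# leaving IPSEC_A keeps its real 10.41.x.x source.
snat_rule() {
  printf 'iptables -t nat -A POSTROUTING -s %s -d %s -o %s -j SNAT --to-source %s\n' \
    "$LOCAL_NET" "$REMOTE_NET" "$WAN_IF" "$NAT_IP"
}

# One-way relationship: our hosts may open connections; the remote side only
# gets replies to those (conntrack has already undone the NAT on the reply,
# so by FORWARD its destination is a 10.41.x.x address again).
forward_rules() {
  printf 'iptables -A FORWARD -s %s -d %s -j ACCEPT\n' "$LOCAL_NET" "$REMOTE_NET"
  printf 'iptables -A FORWARD -s %s -d %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
    "$REMOTE_NET" "$LOCAL_NET"
}

# leftsubnet is the post-NAT /32, not 10.41.0.0/16: with NETKEY the kernel
# repeats the IPsec policy lookup after POSTROUTING NAT (assumed behaviour),
# so the policy has to match 10.52.1.1, which is also all IPSEC_B expects to see.
ipsec_conn() {
  cat <<EOF
conn remote-site
    left=%defaultroute
    leftsubnet=${NAT_IP}/32
    right=${PEER_IP}
    rightsubnet=${REMOTE_NET}
    authby=secret
    auto=start
EOF
}

case "${1:-show}" in
  apply) { snat_rule; forward_rules; } | sh ;;   # install the iptables rules
  show)  snat_rule; forward_rules; ipsec_conn ;; # print rules and conn for review
esac
```

Run without arguments to review the generated rules and conn stanza; the conn goes into /etc/ipsec.conf by hand, while `apply` installs only the iptables rules.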
