[Openswan Users] Openswan NAT private IP

Mario Verhaeg m.verhaeg at opentsp.com
Wed Dec 29 02:57:17 EST 2010


Hi there,

For an external service we are required to set up an IPsec VPN tunnel that hides our private IP address. This is because the service has many customers connecting to it, which creates the problem that multiple customers can use the same private IP range; this would cause routing problems. I have successfully set up a test environment without NAT (all addresses and names are for testing purposes; the setup exists in an isolated environment):

WindowsXP-1  (Windows XP test station)
  192.168.1.23/24
        |
OPENSWAN001  (CentOS 5.5 x86_64, Openswan VPN site-to-site tunnel)
  ETH0 Support / SSH
  ETH1 Public:  123.123.123.1/24
  ETH2 Private: 192.168.1.12/24
        |
OPENSWAN002  (CentOS 5.5 x86_64, Openswan VPN site-to-site tunnel)
  ETH0 Public:  123.123.123.2/24
  ETH1 Support / SSH
  ETH2 Private: 192.168.0.24/24
        |
WindowsXP-2  (Windows XP test station)
  192.168.0.23/24

At this moment I have made the following configuration on both CentOS machines (/etc/ipsec.conf):

conn net-to-net
        authby=secret
        left=123.123.123.1
        leftsubnet=192.168.1.0/24
        right=123.123.123.2
        rightsubnet=192.168.0.0/24
        auto=start

The result is that the tunnel is UP:
000 #2: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25706s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "net-to-net" esp.3eda20b2 at 123.123.123.1 esp.a0fe3092 at 123.123.123.2 tun.0 at 123.123.123.1 tun.0 at 123.123.123.2 ref=0 refhim=4294901761
000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 265s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

And ping packets are encapsulated:
08:51:50.082439 IP 123.123.123.2 > 123.123.123.1: ESP(spi=0x3eda20b2,seq=0x953), length 100
08:51:50.083725 IP 123.123.123.1 > 123.123.123.2: ESP(spi=0xa0fe3092,seq=0x953), length 100
08:51:51.082409 IP 123.123.123.2 > 123.123.123.1: ESP(spi=0x3eda20b2,seq=0x954), length 100
08:51:51.083383 IP 123.123.123.1 > 123.123.123.2: ESP(spi=0xa0fe3092,seq=0x954), length 100

The problem on OPENSWAN002:
tcpdump -i eth2 host 192.168.1.23
08:52:59.083232 IP 192.168.1.23 > 192.168.0.23: ICMP echo reply, id 768, seq 35573, length 40
08:53:00.082712 IP 192.168.0.23 > 192.168.1.23: ICMP echo request, id 768, seq 35829, length 40
08:53:00.083285 IP 192.168.1.23 > 192.168.0.23: ICMP echo reply, id 768, seq 35829, length 40
08:53:01.082772 IP 192.168.0.23 > 192.168.1.23: ICMP echo request, id 768, seq 36085, length 40
08:53:01.083299 IP 192.168.1.23 > 192.168.0.23: ICMP echo reply, id 768, seq 36085, length 40
08:53:02.082830 IP 192.168.0.23 > 192.168.1.23: ICMP echo request, id 768, seq 36341, length 40
08:53:02.083524 IP 192.168.1.23 > 192.168.0.23: ICMP echo reply, id 768, seq 36341, length 40
08:53:03.082721 IP 192.168.0.23 > 192.168.1.23: ICMP echo request, id 768, seq 36597, length 40
08:53:03.083306 IP 192.168.1.23 > 192.168.0.23: ICMP echo reply, id 768, seq 36597, length 40
In this case 192.168.0.23 should be NATed to 123.123.123.2.

At this moment this is correct, because there is no configuration to support NAT. I have found the following website:
http://wiki.openswan.org/index.php/Openswan/NatTraversal
But this config does not work for me. The tunnel does not get the chance to set up phase 1.

Can anyone supply me with an example for this kind of configuration?

Kind regards,

Mario Verhaeg
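The following is an added example and is not part of the post or of a reply in this thread. It shows one way to hide the 192.168.0.0/24 LAN behind OPENSWAN002's public address on a Linux NETKEY stack: source-NAT the LAN to 123.123.123.2 in the POSTROUTING chain, and change the far-end selector of the conn from 192.168.0.0/24 to 123.123.123.2/32 so that the rewritten packets match the IPsec policy and the peer never sees the private range. The addresses are the test addresses from the post; the drop-in file name under /etc/ipsec.d (which assumes ipsec.conf includes that directory), the rule set, and the verification commands are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: on OPENSWAN002, hide the
# private LAN 192.168.0.0/24 behind the gateway's public address before
# the traffic enters the tunnel. Addresses are the test addresses from the
# post; the file name and the exact rule set are assumptions.
set -eu

PUB=123.123.123.2          # OPENSWAN002 public address (eth0)
PEER=123.123.123.1         # OPENSWAN001 public address
HIDDEN_NET=192.168.0.0/24  # LAN behind OPENSWAN002, to be hidden
REMOTE_NET=192.168.1.0/24  # LAN behind OPENSWAN001

# The conn both gateways should carry once NAT is in place. The far-end
# selector is no longer 192.168.0.0/24 but the public address itself, so
# the peer neither learns nor has to route the private range.
conn_stanza() {
  cat <<EOF
conn net-to-net
        authby=secret
        left=$PEER
        leftsubnet=$REMOTE_NET
        right=$PUB
        rightsubnet=$PUB/32
        auto=start
EOF
}

# Source NAT for traffic from the hidden LAN to the remote LAN only; the
# -d match keeps ordinary Internet traffic out of the rule. The NETKEY
# stack re-evaluates the IPsec policy for packets rewritten in
# POSTROUTING, so the NATed packet matches the PUB/32 selector and is
# ESP-encapsulated. Replies are mapped back to 192.168.0.23 by conntrack.
nat_rules() {
  printf '%s\n' \
    "iptables -t nat -A POSTROUTING -s $HIDDEN_NET -d $REMOTE_NET -j SNAT --to-source $PUB"
}

# Checks to run after 'ipsec auto --replace net-to-net' and
# 'ipsec auto --up net-to-net' on both gateways:
#  - the private side (eth2) still shows 192.168.0.23 <-> 192.168.1.23,
#    because NAT happens after that capture point;
#  - the public side (eth0) shows only ESP for this traffic; the
#    'not esp' capture must stay silent, otherwise the LAN is leaking in
#    clear text around the tunnel.
verify_cmds() {
  printf '%s\n' \
    "ipsec auto --status | grep net-to-net" \
    "tcpdump -ni eth2 host 192.168.1.23" \
    "tcpdump -ni eth0 esp" \
    "tcpdump -ni eth0 'not esp and net $REMOTE_NET'"
}

# Only touch the system when run as root with the 'apply' argument;
# otherwise the functions above just produce the configuration text.
if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ]; then
  conn_stanza > /etc/ipsec.d/net-to-net.conf   # assumed include path
  nat_rules | sh -e
  verify_cmds
fi
```

The SNAT rule is deliberately narrowed with `-d 192.168.1.0/24`; a blanket MASQUERADE on eth0 would also rewrite traffic that is meant to leave unencrypted. Because the far-end selector is now a single host, the service side (OPENSWAN001 in the test) sees every hidden customer as its gateway's public address, which is what removes the overlapping-private-range problem.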

