[Openswan Users] Other side needs different IP / netkey

Paul Wouters paul at xelerance.com
Wed Mar 3 23:23:52 EST 2010

On Wed, 3 Mar 2010, Tiago Durante wrote:

> I've tried a lot of stuff, but I still can't make a NAT inside the
> tunnel with NETKEY.
> Let me explain. I've a network A= I need to establish a
> tunnel with a firewall that has the network B= Till here
> everything is fine, the tunnel is up and running.
> The problem is that the other firewall needs my network A to be
> A=, because he already has a network on his
> firewall.
> How can I make it work? :(

Renumering is REALLY the easiest answer. If you really cannot do that,
and sit down somewhere for 15 minutes and really think hard about this,
then you can hack around it.

I recommend using a different machine (or VM) for the NAT. That way,
the IPsec and NAT won't bite, because as far as openswan is concerned
there is only You need to use an SNAT rule that's only
triggered when you go to

If you also need to access the remote from your
then I suggest a big bottle of vodka, and tell your boss you have to renumber
despite that being impossible. Only if your job is on the line, add another
DNAT for => But then all rules have to become
interface specific (your nat box does have two (virtual) nic's right) because
otherwise they will clash. You will also have to combine these rules above to
work properly, and I don't even want to think about this more deeply without
getting paid ridicilous amounts of money.

You really just want to renumber. really. Trust me.


More information about the Users mailing list