[Openswan Users] Other side needs different IP / netkey

Tiago Durante tiagodurante at gmail.com
Thu Mar 4 14:06:05 EST 2010


Hi guys,

Thanks for the reply.

Paul, by renumbering do you mean really changing my network's IPs? I don't
think I can do that.

I set a machine behind the FW to SNAT traffic from 192.168.1.0/24 to
10.2.2.0/24. So I have this:

not_firewall# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.1.1.0/24 -j SNAT --to 10.2.2.254

And if I ping from this machine I get no reply. However, looking at the
FW I can see that the traffic is being sent to the tunnel and it's
sending me a reply, check:

FW# tcpdump -n -i eth1 host THEIR_IP
15:34:12.130006 IP MY_IP > THEIR_IP: ESP(spi=0x30894c8f,seq=0x37a), length 116
15:34:12.366033 IP THEIR_IP > MY_IP: ESP(spi=0xbef6cd6d,seq=0x37a), length 116
15:34:13.138215 IP MY_IP > THEIR_IP: ESP(spi=0x30894c8f,seq=0x37b), length 116
15:34:13.374256 IP THEIR_IP > MY_IP: ESP(spi=0xbef6cd6d,seq=0x37b), length 116
15:34:14.146407 IP MY_IP > THEIR_IP: ESP(spi=0x30894c8f,seq=0x37c), length 116
15:34:14.382527 IP THEIR_IP > MY_IP: ESP(spi=0xbef6cd6d,seq=0x37c), length 116


Any tip? I'm really stuck with this tunnel... It was so much easier
when I had the ipsecX interface, can't understand why it's gone :(


Thank you very much guys!

Regards,

Tiago



On Thu, Mar 4, 2010 at 3:45 AM, Tuomo Soini <tis at foobar.fi> wrote:
>> You really just want to renumber. really. Trust me.
>
> And because you don't want to renumber again don't renumber to
> 10.2.2.0/24. Use something like this bash command to generate your new
> network:
>
> echo 10.$(( $RANDOM % 256 )).$(( $RANDOM % 256 )).0/24
>
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <http://foobar.fi/>
>



-- 
Tiago Durante

,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,
Perseverance is the hard work you do after you
get tired of doing the hard work you already did.
-- Newt Gingrich
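The tcpdump excerpt in the message above shows ESP leaving and ESP coming back. As an added example (not code from the thread or from Openswan), here is a small shell/awk summariser that turns such a `tcpdump -n` capture into one line per security association, with packet counts and replay-counter gaps, so a practitioner can see at a glance that both SAs are carrying traffic and nothing is being dropped on the wire. The sample input is a copy of the six lines Tiago posted; MY_IP and THEIR_IP are his placeholders, kept as-is.

```shell
#!/bin/sh
# Added example, not part of the thread: summarise a `tcpdump -n` ESP capture
# per security association. Sample input is a copy of the six lines posted
# above (MY_IP / THEIR_IP are the poster's placeholders, kept as-is).

ESP_CAPTURE='15:34:12.130006 IP MY_IP > THEIR_IP: ESP(spi=0x30894c8f,seq=0x37a), length 116
15:34:12.366033 IP THEIR_IP > MY_IP: ESP(spi=0xbef6cd6d,seq=0x37a), length 116
15:34:13.138215 IP MY_IP > THEIR_IP: ESP(spi=0x30894c8f,seq=0x37b), length 116
15:34:13.374256 IP THEIR_IP > MY_IP: ESP(spi=0xbef6cd6d,seq=0x37b), length 116
15:34:14.146407 IP MY_IP > THEIR_IP: ESP(spi=0x30894c8f,seq=0x37c), length 116
15:34:14.382527 IP THEIR_IP > MY_IP: ESP(spi=0xbef6cd6d,seq=0x37c), length 116'

# esp_summary: reads tcpdump ESP lines on stdin and prints one line per SA
# (src dst spi) with the packet count, first/last ESP sequence number and
# the number of sequence numbers skipped between consecutive packets.
esp_summary() {
    awk '
    # POSIX awk has no hex conversion, so decode the seq field by hand
    function hex(s,    i, v) {
        v = 0
        for (i = 1; i <= length(s); i++)
            v = v * 16 + index("0123456789abcdef", tolower(substr(s, i, 1))) - 1
        return v
    }
    /ESP\(spi=/ {
        src = $3; dst = $5; sub(/:$/, "", dst)
        match($0, /spi=0x[0-9a-fA-F]+/); spi = substr($0, RSTART + 6, RLENGTH - 6)
        match($0, /seq=0x[0-9a-fA-F]+/); seq = hex(substr($0, RSTART + 6, RLENGTH - 6))
        key = src " " dst " 0x" spi
        if (!(key in n)) { first[key] = seq; last[key] = seq; order[++k] = key }
        else {
            if (seq > last[key] + 1) gaps[key] += seq - last[key] - 1
            if (seq > last[key]) last[key] = seq
        }
        n[key]++
    }
    END {
        for (i = 1; i <= k; i++) {
            key = order[i]
            printf "%s packets=%d seq=%d..%d gaps=%d\n",
                   key, n[key], first[key], last[key], gaps[key] + 0
        }
    }'
}

# esp_bidirectional CAPTURE_TEXT: exit 0 when the capture carries ESP in
# both directions, i.e. the peer is at least answering with ESP packets
esp_bidirectional() {
    [ "$(printf '%s\n' "$1" | esp_summary | wc -l | tr -d ' ')" -ge 2 ]
}

printf '%s\n' "$ESP_CAPTURE" | esp_summary
```

On the posted capture this reports three packets on each SA, sequence 890..892, no gaps: the encrypted reply is arriving at the FW. What the capture cannot show is where the reply goes after decryption, which on a NETKEY host has no ipsecX interface to tcpdump; `ip xfrm state` and `ip xfrm policy` list the installed SAs and selectors there, and `ip route get 10.2.2.254` shows where the FW would forward a decrypted reply addressed to the SNAT address.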


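Tuomo's quoted advice is to renumber to a random 10.x.y.0/24 rather than to 10.2.2.0/24. As an added example (not Tuomo's, Tiago's or Openswan's code), here is that one-liner extended with the check a practitioner would want before committing: the candidate must not overlap any network already in use at either end of the tunnel. The in-use list is assumed from the networks mentioned in the thread, and /dev/urandom replaces the bash-only $RANDOM so the script runs under plain sh.

```shell
#!/bin/sh
# Added example, not from the thread: pick a random 10.x.y.0/24 the way
# Tuomo suggests, but reject candidates that overlap a network already in
# use at either end. The in-use list below is assumed from the thread.

IN_USE="10.1.1.0/24 10.2.2.0/24 192.168.1.0/24"

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# overlaps NET1/P1 NET2/P2 -> exit 0 if the two CIDR blocks share any address
# (they do iff they agree on the first min(P1,P2) bits)
overlaps() {
    p=${1#*/}
    if [ "${2#*/}" -lt "$p" ]; then p=${2#*/}; fi
    mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
    [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# random_24: two bytes from /dev/urandom ($RANDOM, used in the thread, is bash-only)
random_24() {
    set -- $(od -An -N2 -tu1 /dev/urandom)
    echo "10.$1.$2.0/24"
}

# pick_free_24 "net ...": print a random /24 in 10/8 that overlaps none of them
pick_free_24() {
    tries=0
    while [ "$tries" -lt 100 ]; do
        cand=$(random_24)
        clash=0
        for used in $1; do
            if overlaps "$cand" "$used"; then clash=1; break; fi
        done
        if [ "$clash" -eq 0 ]; then echo "$cand"; return 0; fi
        tries=$((tries + 1))
    done
    echo "no free /24 found in $tries tries" >&2
    return 1
}

pick_free_24 "$IN_USE"
```

Add the peer's other internal networks to IN_USE as well; a prefix that collides with anything reachable from either side of the tunnel is exactly what forces the SNAT workaround the message is struggling with.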