[Openswan Users] Ipsec and NAT ?

Nicolas Ross rossnick-lists at cybercat.ca
Mon Feb 7 15:49:46 EST 2011


Hi all!

I currently have a net-to-net IPsec connection between our server room and 
another remote site, also using Openswan.

Our router currently has a public IP, and the config looks like:

conn tunnelcybos
        left=216.x.x.x
        leftsubnet=192.168.20.0/24
        leftnexthop=216.x.x.x
        leftid=@localhostname
        leftrsasigkey=...
        right=207.x.x.x
        rightsubnet=192.168.1.0/24
        rightnexthop=207.x.x.x
        rightid=@remotehostname
        rightrsasigkey=...
        auto=start

We will be remaking our setup completely redundant and will have 2 server 
rooms in separate locations. Both server rooms will be linked up with a 
private LAN extension that will be on a private subnet (192.168.120.x).

Our routers in both rooms will face the internet on that private subnet, so 
our ISP's provided gateway will be in that subnet. Our IP net blocks will be 
routed to our router at those private IPs. I will have one IP in our routed 
blocks that will be NATed internally to the router itself via iptables.

I was wondering how to set up my connection in this new setup, since our 
gateway won't be publicly routable. I can and will know the public IP part 
of my facing router, so I believe I should put that IP in the leftnexthop 
part. So then do I put that NATed IP in the left part?
