[Openswan Users] change to NAT rules so public IP address of openswan boxes accessible from remote LAN?

Paul Wouters paul at xelerance.com
Mon Jan 10 21:02:46 EST 2011

On Mon, 10 Jan 2011, M B wrote:

> I have the following setup:
>    LAN-WC-------------OpenSwan----------INTERNET------------OpenSwan------------LAN-EC
> 192.168.0.X                                                                192.168.10.X
> Currently I'm unable to ping either of the public IP addresses on the OpenSwan VPN boxes (both have public IPs) from the
> remote LAN. Looks like this is due to the OpenSwan box also being the default gateway for the respective LAN clients,
> therefore the LAN source IPs are not being NAT'd, resulting in an unroutable source IP address arriving at the public
> interface of the other OpenSwan box. How can I fix this on the OpenSwan boxes? Can I force traffic from each local LAN
> to the public IP of the other side's OpenSwan system to be NAT'd? Thx-

The public IP is not part of the subnet-subnet tunnel, which only covers internal IPs.
You will need to add an IPsec tunnel for subnet-publicip for each end.

If you want the gateways themselves to access the remote LAN with the internal IPs,
you can use leftsourceip/rightsourceip set to their internal IP.
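As an added example (not from the thread, and not anyone's actual configuration), here is an ipsec.conf sketch of what the reply describes: the existing subnet-to-subnet conn with leftsourceip/rightsourceip, plus one extra conn per side that carries LAN traffic to the other gateway's own public IP instead of NATing it. It assumes /24 masks, PSK authentication, gateway internal addresses of .1, and uses documentation-range placeholders for the two public IPs, none of which the thread states.

```ini
# /etc/ipsec.conf fragment (constructed example). Same file works on both gateways;
# Openswan decides which side is "left" by matching its own address.
# Public IPs are placeholders from documentation ranges: replace with real ones.
config setup
        protostack=netkey

conn %default
        left=203.0.113.1            # WC gateway public IP (placeholder, assumed)
        leftid=@wc-gw
        right=198.51.100.1          # EC gateway public IP (placeholder, assumed)
        rightid=@ec-gw
        authby=secret               # PSK is an assumption; certs work the same way
        type=tunnel
        auto=start

# Existing subnet-to-subnet tunnel: LAN-WC <-> LAN-EC, internal addresses only.
# leftsourceip/rightsourceip make each gateway itself use its internal address
# (assumed .1 on each LAN) when it talks to the far LAN, so it matches this policy.
conn wc-ec-lans
        leftsubnet=192.168.0.0/24
        leftsourceip=192.168.0.1
        rightsubnet=192.168.10.0/24
        rightsourceip=192.168.10.1

# Added tunnel: LAN-WC -> EC gateway's own public IP.
# No rightsubnet means the right endpoint is the EC host (198.51.100.1/32) itself,
# so LAN-WC clients reach that address through IPsec with their real source IP.
conn wc-lan-to-ec-gw
        leftsubnet=192.168.0.0/24

# Added tunnel: LAN-EC -> WC gateway's own public IP (mirror of the above).
conn ec-lan-to-wc-gw
        rightsubnet=192.168.10.0/24
```

After `ipsec auto --add`/`--up` on both ends, `ipsec auto --status` should list all three conns as established; if a LAN client still cannot reach the far public IP, check that no local NAT rule matches before the IPsec policy is applied.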

