[Openswan Users] change to NAT rules so pulic IP address of openswan boxes accessible from remote LAN?
M B
sf1882 at gmail.com
Mon Jan 10 21:50:30 EST 2011
ok.. so, if the public IP address is not part of the tunnel why are the
openswan boxes sending packets to the pub IPs across the tunnel?
here's my connection for the subnet-subnet tunnel:
conn LANWC-TO-LANEC
authby=secret
left=69.105.X.X
leftsubnet=192.168.0.0/24
leftnexthop=%defaultroute
right=173.12.X.X
rightsubnet=192.168.10.0/24
rightnexthop=%defaultroute
auto=start
what would i need to add to setup the subnet-public IP connection?
something like:
conn LANWC-TO-ECPUB
authby=secret
left=69.105.X.X
leftsubnet=192.168.0.0/24
leftnexthop=%defaultroute
right=172.12.X.X
rightsubnet=172.12.X.X/29
rightnexthop=%defaultroute
auto=start
thanks!
6:02 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Mon, 10 Jan 2011, M B wrote:
>
> i have the following setup:
>>
>>
>> LAN-WC-------------OpenSwan----------INTERNET------------OpenSwan------------LAN-EC
>> 192.168.0.X
>> 192.168.10.X
>>
>> currently im unable to ping either of the public ip addresses on the
>> openswan VPN boxes (both have public IPs) from the
>> remote LAN. looks like this is due to the openswan box
>> also being the default gateway for the respective LAN clients therefore
>> the LAN source IPs are not being NAT'd resulting
>> in an unroutable source IP address
>> arriving at the public interface of the other openswan box. how can i fix
>> this on the openswan boxes? can i force
>> traffic from each local LAN to the public
>> IP of the other sides openswan system to be NAT'd? thx-
>>
>
> the public ip is not part of the subnet-subnet tunnel that only covers
> internal IPs.
> You will need to add an ipsec tunnel for subnet-publicip for each end.
>
> If you want the gateways themselves to acces the remote lan with the
> internal ips,
> you can use leftsourceip/rightsourceip set to their internal IP.
>
> Paul
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110110/561d68ca/attachment.html
More information about the Users
mailing list