[Openswan Users] change to NAT rules so public IP address of openswan boxes accessible from remote LAN?

Paul Wouters paul at xelerance.com
Mon Jan 10 23:10:54 EST 2011


On Mon, 10 Jan 2011, M B wrote:

> OK... so, if the public IP address is not part of the tunnel, why are the openswan boxes sending packets to the pub IPs across the tunnel?

It is part of the tunnel, but not in a regular way.

> here's my connection for the subnet-subnet tunnel:
> 
> conn LANWC-TO-LANEC
>   authby=secret
>   left=69.105.X.X
>   leftsubnet=192.168.0.0/24
>   leftnexthop=%defaultroute
>   right=173.12.X.X
>   rightsubnet=192.168.10.0/24
>   rightnexthop=%defaultroute
>   auto=start

If your openswan box does not have either 69.105.X.X or 173.12.X.X configured on the box
itself, this will not work. You need to define your end by its local IP.

> What would I need to add to set up the subnet-to-public-IP connection?  Something like:
> 
> conn LANWC-TO-ECPUB
>   authby=secret
>   left=69.105.X.X
>   leftsubnet=192.168.0.0/24
>   leftnexthop=%defaultroute
>   right=172.12.X.X
>   rightsubnet=172.12.X.X/29

If you need the /29 then yes. If you just need the one IP, and it is the same as right
itself, you can just leave out rightsubnet=.

Paul
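As an added illustration (not part of the thread or of Openswan itself), a small Python check that parses conn sections from an ipsec.conf fragment and flags the two points Paul raises: an endpoint (left/right) that is not an address configured on the box, and a rightsubnet= that is only right itself. The conn names follow the thread; the addresses are constructed documentation-range placeholders, and the list of local addresses is passed in by the caller.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment modelled on the two conns in the thread
# (documentation-range placeholder addresses, not the poster's real ones).
SAMPLE_CONF = """\
conn LANWC-TO-LANEC
  authby=secret
  left=203.0.113.10
  leftsubnet=192.168.0.0/24
  right=198.51.100.20
  rightsubnet=192.168.10.0/24
  auto=start

conn LANWC-TO-ECPUB
  authby=secret
  left=203.0.113.10
  leftsubnet=192.168.0.0/24
  right=198.51.100.20
  rightsubnet=198.51.100.20/32
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def check_conn(name, conn, local_addrs):
    """Apply the two points from the reply; return a list of finding strings."""
    findings = []
    local = {ipaddress.ip_address(a) for a in local_addrs}
    # Values such as %defaultroute or %any are not literal addresses; skip them.
    literal = {s: conn[s] for s in ("left", "right") if conn.get(s) and not conn[s].startswith("%")}
    # 1. One of left/right must be an address configured on this box.
    if not any(ipaddress.ip_address(v) in local for v in literal.values()):
        findings.append(f"{name}: neither left nor right is configured on this box")
    # 2. A subnet that is only the endpoint itself is redundant and can be dropped.
    for side, addr in literal.items():
        sub = conn.get(side + "subnet")
        if sub and ipaddress.ip_network(sub, strict=False) == ipaddress.ip_network(addr):
            findings.append(f"{name}: {side}subnet= is just {side} itself and can be left out")
    return findings
```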
