[Openswan Users] Am I actually using NAT?

SaRaVanAn saravanan.nagarajan87 at gmail.com
Thu Sep 22 13:15:23 EDT 2011

 You need to do SNAT at your gateway (Amazon Elastic) in order to go through
the tunnel. I also faced the same issue. Things were working fine after I
had done NATing at the gateways.

 Since the tunnel is formed between two public IPs, a packet coming with a
private source IP will not match the Security Policy Database in the kernel.

Please correct me if I am wrong.


On Thu, Sep 22, 2011 at 9:47 PM, James Nelson <james.nelson.ii at gmail.com> wrote:

> Me again.  Paul, I appreciate your assistance greatly up to this point.
> I've simplified my original configuration, but still can't see any traffic
> after the IPsec SA established tunnel mode is enabled.  I try pinging or
> hitting servers on the client side from my Amazon EC2 server and get
> silence.  The client side says they can't even see any traffic hitting their
> firewall, much less passing through it.
>
> 1) Assume we have a fresh installation.  From the Amazon end, upon the
> creation of the server, besides disabling ICMP send and accept redirects and
> enabling IP forwarding, is there anything else that has to be done on the
> instance?  (ifconfig, port opening, iptables, etc.)  This is where my
> knowledge is weakest, and therefore where I'm most concerned I'm missing
> something obvious or stupid that any network engineer would know.
>
> 2) After establishing the SA tunnel, what is the best way to test whether
> or not I can send traffic to the client, and how can I tell if it's being
> NAT'ed/going through the correct ports (UDP 500/4500)?  Right now, I've been
> just trying to ping the client gateway or using elinks to see if I can reach
> the client WSDL addresses for download.
> My .conf:
> config setup
>         nat_traversal=yes
>         # exclude networks used on server side by adding %v4:!a.b.c.0/24
>         virtual_private=%4:
>         oe=off
>         # which IPsec stack to use. netkey,klips,mast,auto or none
>         protostack=netkey
>         #testing
>         interfaces=%defaultroute
> conn ec2check
>         connaddrfamily=ipv4
>         type=tunnel
>         authby=secret
>         ike=3des-md5
>         ikelifetime=86400s
>         phase2=esp
>         phase2alg=3des-md5
>         lifetime=28800s
>         forceencaps=yes
>         pfs=no
>         left=<AMAZON LOCAL IP>
>         leftid=<AMAZON ELASTIC IP>
>         leftnexthop=%defaultroute
>         leftsubnet=
>         rightsubnet=<CLIENT INTERNAL NETWORK>
>         auto=add
> *     *     *
> The route I'm trying for is
> Amazon Local ---- Amazon Elastic === Internet === Client Checkpoint ---- Client Internal
> 10.XX.XX.XX       184.XX.XX.XX                    198.XX.XX.XX            168.XX.XX.XX/XX
> -- James
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
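The SPD argument in SaRaVanAn's reply (a packet with a private source address will not match a policy negotiated between two public IPs, and SNAT in front of the lookup fixes that), worked through as an added example. This is not code from the thread or from Openswan: it is a toy model of the kernel's outbound Security Policy Database lookup plus the iptables rule and tcpdump filter a practitioner would use to check it. The addresses (10.0.0.5, 198.51.100.10, 192.0.2.0/24, 203.0.113.1) and the single-policy SPD shape are constructed assumptions standing in for the placeholders in James's diagram.

```python
# Added example (not from the thread): a toy model of the kernel's outbound
# Security Policy Database (SPD) lookup, showing why a packet whose source is
# the instance's private address misses a policy negotiated between two public
# IPs, and how an SNAT rule in front of the lookup makes it match. All
# addresses are constructed placeholders (RFC 1918 / RFC 5737), not the thread's.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    src: str     # source traffic selector (CIDR): what leftsubnet negotiates
    dst: str     # destination traffic selector (CIDR): what rightsubnet negotiates
    action: str  # "ipsec" = send through the tunnel, "allow" = bypass


def spd_lookup(spd, src_ip, dst_ip):
    """Return the first policy whose selectors cover (src, dst), else None.

    No matching policy means the kernel sends the packet in the clear,
    so the peer never sees ESP for it.
    """
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for pol in spd:
        if s in ip_network(pol.src) and d in ip_network(pol.dst):
            return pol
    return None


@dataclass(frozen=True)
class SnatRule:
    match_src: str  # iptables -s
    match_dst: str  # iptables -d
    to_source: str  # iptables --to-source


def apply_snat(rule, src_ip, dst_ip):
    """Rewrite the source address only when the packet matches the rule."""
    if (ip_address(src_ip) in ip_network(rule.match_src)
            and ip_address(dst_ip) in ip_network(rule.match_dst)):
        return rule.to_source
    return src_ip


def iptables_command(rule):
    """The nat-table POSTROUTING rule equivalent to apply_snat()."""
    return (f"iptables -t nat -A POSTROUTING -s {rule.match_src} "
            f"-d {rule.match_dst} -j SNAT --to-source {rule.to_source}")


def outbound_path(spd, src_ip, dst_ip, snat=None):
    """Return (source address as the SPD sees it, 'ipsec' or 'clear')."""
    if snat is not None:
        src_ip = apply_snat(snat, src_ip, dst_ip)
    pol = spd_lookup(spd, src_ip, dst_ip)
    return src_ip, ("ipsec" if pol is not None and pol.action == "ipsec" else "clear")


def capture_filter(peer_ip):
    """tcpdump filter for IKE (UDP 500), NAT-T (UDP 4500) and raw ESP (proto 50)."""
    return f"host {peer_ip} and (udp port 500 or udp port 4500 or ip proto 50)"


# Constructed topology, in the shape of the thread's diagram.
LOCAL_IP = "10.0.0.5"           # <AMAZON LOCAL IP>, the only address on the instance
LOCAL_NET = "10.0.0.0/24"
ELASTIC_IP = "198.51.100.10"    # <AMAZON ELASTIC IP>, the endpoint the peer knows
CLIENT_NET = "192.0.2.0/24"     # <CLIENT INTERNAL NETWORK>
CLIENT_GW = "203.0.113.1"       # client Checkpoint, the IKE peer

# Assumed SPD after a phase 2 negotiated between the two public IPs: the left
# selector is the elastic IP itself, the right selector is the client network.
TUNNEL_SPD = [Policy(src=f"{ELASTIC_IP}/32", dst=CLIENT_NET, action="ipsec")]

# SNAT only the traffic that is meant to enter the tunnel.
SNAT = SnatRule(match_src=LOCAL_NET, match_dst=CLIENT_NET, to_source=ELASTIC_IP)

if __name__ == "__main__":
    print("without SNAT:", outbound_path(TUNNEL_SPD, LOCAL_IP, "192.0.2.20"))
    print("with SNAT:   ", outbound_path(TUNNEL_SPD, LOCAL_IP, "192.0.2.20", SNAT))
    print(iptables_command(SNAT))
    print("tcpdump -ni eth0 '" + capture_filter(CLIENT_GW) + "'")
```

Without the rule the ping from 10.0.0.5 to the client network falls outside the 198.51.100.10/32 selector and leaves in the clear; with it, the SPD sees 198.51.100.10 and the packet is tunnelled. On a real host compare the model against `ip xfrm policy` and `ip xfrm state` (the NETKEY stack's actual selectors and SAs) and keep the `-d` match as narrow as the tunnel so nothing else is rewritten; the tcpdump filter answers James's second question about whether traffic is actually going out on UDP 500/4500 or as ESP.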