[Openswan Users] Am I actually using NAT?
SaRaVanAn
saravanan.nagarajan87 at gmail.com
Thu Sep 22 13:15:23 EDT 2011
James,
You need to do SNAT at your gateway (Amazon Elastic) in order to go through
the tunnel. I also faced the same issue. Things were working fine after I
had done NATting at the gateways.
Reason
Since the tunnel is formed between two public IPs, a packet coming with a
private source IP will not match the Security Policy Database in the kernel.
@Experts
Please correct if I am wrong.
-Saravanan
On Thu, Sep 22, 2011 at 9:47 PM, James Nelson <james.nelson.ii at gmail.com> wrote:
> Me again. Paul, I appreciate your assistance greatly up to this point.
> I've simplified my original configuration, but still can't see any traffic
> after the IPsec SA established tunnel mode is enabled. I try pinging or
> hitting servers on the client side from my Amazon EC2 server and get
> silence. The client side says they can't even see any traffic hitting their
> firewall, much less passing through it.
>
> 1) Assume we have a fresh installation. From the Amazon end, upon the
> creation of the server, besides disabling ICMP send and accept redirects and
> enabling ip forwarding, is there anything else that has to be done on the
> instance? (ifconfig, port opening, iptables, etc...) This is where my
> knowledge is weakest, and therefore where I'm most concerned I'm missing
> something obvious or stupid that any network engineer would know.
>
> 2) After establishing the SA tunnel, what is the best way to test whether
> or not I can send traffic to the client, and how can I tell if it's being
> NAT'ed/going through the correct ports (UDP 500/4500)? Right now, I've been
> just trying to ping the client gateway or using elinks to see if I can reach
> the client WSDL addresses for download.
>
> My .conf:
>
> config setup
> nat_traversal=yes
> # exclude networks used on server side by adding %v4:!a.b.c.0/24
> virtual_private=%v4:168.94.151.0/24,%v4:10.0.0.0/8,%v4:192.168.0.0/16
> oe=off
> # which IPsec stack to use. netkey,klips,mast,auto or none
> protostack=netkey
> #testing
> interfaces=%defaultroute
>
> conn ec2check
> connaddrfamily=ipv4
> type=tunnel
> authby=secret
> ike=3des-md5
> ikelifetime=86400s
> phase2=esp
> phase2alg=3des-md5
> lifetime=28800s
> forceencaps=yes
> pfs=no
> left=<AMAZON LOCAL IP>
> leftid=<AMAZON ELASTIC IP>
> leftnexthop=%defaultroute
> leftsubnet=0.0.0.0/0
> right=<CLIENT CHECKPOINT GATEWAY>
> rightid=<CLIENT CHECKPOINT GATEWAY>
> rightsubnet=<CLIENT INTERNAL NETWORK>
> auto=add
>
> * * *
>
> The route I'm trying for is
>
> Amazon Local ------ Amazon Elastic ===Internet=== Client Checkpoint ------ Client Internal
> 10.XX.XX.XX         184.XX.XX.XX                  198.XX.XX.XX              168.XX.XX.XX/XX
>
> -- James
>
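To make the SNAT point above concrete, here is an added example (not code from the thread, Openswan or Check Point) that models a tunnel-mode policy selector and walks a packet from the EC2 instance through an optional SNAT rule before it is checked against the peer's selector. All addresses are assumptions chosen to follow James's diagram (the real ones are masked as XX); the peer's policy being a /32 for the Elastic IP is also an assumption, the one under which a private source address would be rejected and SNAT to the public address would make it match.

```python
import ipaddress

# Constructed topology following the diagram in James's mail.
# Every address here is an assumption, not a value from the thread.
AMAZON_LOCAL = "10.0.0.5"           # instance private address (left=)
AMAZON_ELASTIC = "184.0.2.10"       # Elastic IP, the address the peer sees (leftid=)
CLIENT_NET = "168.94.151.0/24"      # rightsubnet=
CLIENT_HOST = "168.94.151.20"       # a server inside the client's network


def selector_matches(policy, src, dst):
    """True if the (src, dst) pair falls inside an IPsec policy selector.

    policy is (local_subnet, remote_subnet) as CIDR strings, i.e. the
    leftsubnet/rightsubnet pair one side of the tunnel carries in its SPD.
    """
    local, remote = (ipaddress.ip_network(n) for n in policy)
    return (ipaddress.ip_address(src) in local
            and ipaddress.ip_address(dst) in remote)


def local_policy():
    # James's own SPD entry: leftsubnet=0.0.0.0/0 -> rightsubnet.
    return ("0.0.0.0/0", CLIENT_NET)


def peer_policy_for_elastic_ip():
    # Assumed peer-side view: the far-end encryption domain is just the
    # Elastic IP, so only packets sourced from that address are accepted.
    return (f"{AMAZON_ELASTIC}/32", CLIENT_NET)


def snat_rule(src_net, dst_net, to_source):
    """The iptables POSTROUTING SNAT rule for tunnel-bound traffic.

    Rewrites the source of packets from src_net to dst_net so that what
    enters the tunnel carries the public address.
    """
    return (f"iptables -t nat -A POSTROUTING -s {src_net} -d {dst_net} "
            f"-j SNAT --to-source {to_source}")


def apply_snat(src, dst, rule_src_net, rule_dst_net, to_source):
    """Model of that SNAT rule: rewrite src only when the packet matches it."""
    if (ipaddress.ip_address(src) in ipaddress.ip_network(rule_src_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule_dst_net)):
        return to_source, dst
    return src, dst


def check_path(src, dst, with_snat):
    """Walk a locally generated packet through optional SNAT, the local SPD
    and the (assumed) peer SPD.

    Returns (source as seen by the peer, matched local policy,
             matched peer policy).
    """
    if with_snat:
        src, dst = apply_snat(src, dst, "10.0.0.0/8", CLIENT_NET, AMAZON_ELASTIC)
    return (src,
            selector_matches(local_policy(), src, dst),
            selector_matches(peer_policy_for_elastic_ip(), src, dst))


if __name__ == "__main__":
    for with_snat in (False, True):
        seen, local_ok, peer_ok = check_path(AMAZON_LOCAL, CLIENT_HOST, with_snat)
        print(f"snat={with_snat}: peer sees src {seen}, "
              f"local SPD match={local_ok}, peer SPD match={peer_ok}")
    print(snat_rule("10.0.0.0/8", CLIENT_NET, AMAZON_ELASTIC))
```

The model shows where the two views diverge: with leftsubnet=0.0.0.0/0 the instance's own SPD matches a 10.x source either way, so a local policy mismatch is not where a private source gets dropped; a peer whose selector names only the Elastic IP is. On the box itself, `ip xfrm policy` and `ip xfrm state` show the installed selectors and SAs, `iptables -t nat -L POSTROUTING -n -v` shows whether the SNAT counters move, and `tcpdump -ni eth0 'udp port 500 or udp port 4500'` shows whether IKE and NAT-T traffic is actually leaving on the expected ports.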