[Openswan Users] Am I actually using NAT?
saravanan.nagarajan87 at gmail.com
Thu Sep 22 13:15:23 EDT 2011
You need to do SNAT at your gateway (Amazon Elastic) in order to go through the
tunnel. I also faced the same issue. Things were working fine after I
had done NATting at the gateways.
Since the tunnel is formed between 2 public IPs, a packet coming with a
private source IP will not match the security policy database in the kernel.
Please correct me if I am wrong.
On Thu, Sep 22, 2011 at 9:47 PM, James Nelson <james.nelson.ii at gmail.com> wrote:
> Me again. Paul, I appreciate your assistance greatly up to this point.
> I've simplified my original configuration, but still can't see any traffic
> after the Ipsec SA established tunnel mode is enabled. I try pinging or
> hitting servers on the client side from my Amazon EC2 server and get
> silence. The client side says they can't even see any traffic hitting their
> firewall, much less passing through it.
> 1) Assume we have a fresh installation. From the Amazon end, upon the
> creation of the server, besides disabling ICMP send and accept redirects and
> enabling ip forwarding, is there anything else that has to be done on the
> instance? (ifconfig, port opening, iptables, etc...) This is where my
> knowledge is weakest, and therefore where I'm most concerned I'm missing
> something obvious or stupid that any network engineer would know.
> 2) After establishing the SA tunnel, what is the best way to test whether
> or not I can send traffic to the client, and how can I tell if it's being
> NAT'ed/going through the correct ports (UDP 500/4500)? Right now, I've been
> just trying to ping the client gateway or using elinks to see if I can reach
> the client WSDL addresses for download.
> My .conf:
> config setup
> # exclude networks used on server side by adding %v4:!a.b.c.0/24
> # which IPsec stack to use. netkey,klips,mast,auto or none
> conn ec2check
> left=<AMAZON LOCAL IP>
> leftid=<AMAZON ELASTIC IP>
> right=<CLIENT CHECKPOINT GATEWAY>
> rightid=<CLIENT CHECKPOINT GATEWAY>
> rightsubnet=<CLIENT INTERNAL NETWORK>
> * * *
> The route I'm trying for is
> Amazon Local (10.XX.XX.XX) --- Amazon Elastic (184.XX.XX.XX) === Internet === Client Checkpoint (198.XX.XX.XX) --- Client Internal (168.XX.XX.XX/XX)
> -- James
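A small diagnostic, added here and not from either poster, that parses the kernel SPD as printed by `ip xfrm policy` and checks the point made in the reply: a packet leaving the instance with its private source address misses a policy keyed on the public tunnel endpoints, and matches only once SNAT rewrites the source. The policy text and every address in it are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed sample in the layout printed by `ip xfrm policy` (not from the thread);
# RFC 5737/1918 placeholders stand in for the masked addresses in James's diagram.
LOCAL_IP = "10.0.0.5"            # Amazon Local IP on the instance (left=)
ELASTIC_IP = "203.0.113.10"      # Amazon Elastic IP (leftid=, public tunnel end)
CHECKPOINT = "198.51.100.1"      # client Checkpoint gateway (right=)
CLIENT_NET = "192.168.10.0/24"   # client internal network (rightsubnet=)
SAMPLE_XFRM_POLICY = f"""\
src {ELASTIC_IP}/32 dst {CLIENT_NET}
\tdir out priority 2344 ptype main
\ttmpl src {LOCAL_IP} dst {CHECKPOINT}
\t\tproto esp reqid 16389 mode tunnel
src {CLIENT_NET} dst {ELASTIC_IP}/32
\tdir in priority 2344 ptype main
\ttmpl src {CHECKPOINT} dst {LOCAL_IP}
\t\tproto esp reqid 16389 mode tunnel
"""

def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output: traffic selectors, direction, tunnel endpoints (tmpl)."""
    policies, cur = [], None
    for parts in filter(None, (line.split() for line in text.splitlines())):
        if parts[0] == "src":             # selector line starts a new SPD entry
            cur = {"src": ipaddress.ip_network(parts[1]),
                   "dst": ipaddress.ip_network(parts[3]), "dir": None, "tmpl": None}
            policies.append(cur)
        elif parts[0] == "dir" and cur:
            cur["dir"] = parts[1]
        elif parts[0] == "tmpl" and cur:  # "tmpl src <outer src> dst <outer dst>"
            cur["tmpl"] = (parts[2], parts[4])
    return policies

def matching_policy(policies, src, dst, direction="out"):
    """Return the SPD entry a src->dst packet hits, or None (it would leave in the clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((p for p in policies
                 if p["dir"] == direction and s in p["src"] and d in p["dst"]), None)

def tunnel_peer_for(policies, src, dst, snat_to=None):
    """Outer ESP destination for a packet after an optional SNAT of its source:
    the private instance address misses the policy, the Elastic IP matches it."""
    p = matching_policy(policies, snat_to or src, dst)
    return None if p is None else p["tmpl"][1]

if __name__ == "__main__":
    pols = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
    print("no SNAT  :", tunnel_peer_for(pols, LOCAL_IP, "192.168.10.20"))              # None
    print("with SNAT:", tunnel_peer_for(pols, LOCAL_IP, "192.168.10.20", ELASTIC_IP))  # 198.51.100.1
```

Feed it the real output of `ip xfrm policy` on the instance to see which source address a packet must carry before the kernel will encapsulate it toward the Checkpoint gateway.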