[Openswan Users] Am I actually using NAT?

Paul Wouters paul at xelerance.com
Thu Sep 22 15:31:45 EDT 2011

On Thu, 22 Sep 2011, James Nelson wrote:

> Me again.  Paul, I appreciate your assistance greatly up to this point.  I've simplified my original configuration, but still can't see any
> traffic after the Ipsec SA established tunnel mode is enabled.  I try pinging or hitting servers on the client side from my Amazon EC2 server and
> get silence.  The client side says they can't even see any traffic hitting their firewall, much less passing through it.  
> 1) Assume we have a fresh installation.  From the Amazon end, upon the creation of the server, besides disabling ICMP send and accept redirects
> and enabling ip forwarding, is there anything else that has to be done on the instance?  (ifconfig, port opening, iptables, etc...)  This is
> where my knowledge is weakest, and therefore where I'm most concerned I'm missing something obvious or stupid that any network engineer would
> know.
> 2) After establishing the SA tunnel, what is the best way to test whether or not I can send traffic to the client, and how can I tell if it's
> being NAT'ed/going through the correct ports (UDP 500/4500)?  Right now, I've been just trying to ping the client gateway or using elinks to see
> if I can reach the client WSDL addresses for download.

To ensure you're not NATing your traffic, you can add a rule to a known destination IP you use for testing,
e.g. iptables -I POSTROUTING -d -j RETURN

> conn ec2check
>         connaddrfamily=ipv4
>         type=tunnel
>         authby=secret
>         ike=3des-md5
>         ikelifetime=86400s
>         phase2=esp
>         phase2alg=3des-md5
>         lifetime=28800s
>         forceencaps=yes
>         pfs=no
>         left=<AMAZON LOCAL IP>
>         leftid=<AMAZON ELASTIC IP>
>         leftnexthop=%defaultroute
>         leftsubnet=

If this connection is happening, the other end will send you ALL their traffic.
Is that really what you want?

> The route I'm trying for is 
> Amazon Local---------------Amazon Elastic===Internet===Client Checkpoint----------Client Internal
> 10.XX.XX.XX                   184.XX.XX.XX                           198.XX.XX.XX                 168.XX.XX.XX/XX

I think you really want to say leftsubnet=<AMAZON ELASTIC IP>
Then you probably need to configure that IP locally, and add a route like
  ip route add 168.XX.XX.XX/XX via yourgw src <AMAZON ELASTIC IP>

