[Openswan Users] openswan and NAT

Neal Murphy neal.p.murphy at alum.wpi.edu
Mon Aug 5 17:14:35 UTC 2013

> I need to setup a tunnel where I have been given a certain source address
> that my clients must come from. So I need to some how NAT my clients
> source address before entering the tunnel. I'm using amazon linux 3.4.37
> with openswan-2.6.37-2.15.
> I have tried using iptables but to source nat I had to use the POSTROUTING
> chain which means the packets are already encrypted. I attempted to use
> the PREROUTING chain but discovered SNAT is not allowed on the PREROUTING
> chain.

Correct. You DNAT the packet when it arrives; you SNAT the packet when it 

If you can use it, the KLIPs module should allow you to capture packets as 
they arrive unencrypted; it uses a separate ipsecN IF for the tunnel.

More information about the Users mailing list