[Openswan Users] Terminating VPN on the NAT gateway
Binand Sethumadhavan
binand at gmx.net
Tue Jun 11 12:28:53 UTC 2013
I have an Openswan VPN between locations A and B.
At A, Openswan is running on a CentOS 6 box behind a NAT gateway (called AA).
At B, Openswan is running on a CentOS 6 box which is also the NAT
gateway (called BB).
Most things are fine with the tunnel, as below:
- Every machine in the LAN of AA can reach every machine in the LAN behind BB.
- Every machine in the LAN behind BB can reach every machine in the LAN of AA.
- AA itself can reach every machine in the LAN behind BB.
- AA can reach BB directly too.
- BB cannot reach any machine in the LAN of AA.
- BB cannot reach AA directly either.
When I do a tcpdump on BB, I can see that packets for AA go out with
the WAN IP of BB as source, onto the public Internet.
Config on AA:
conn BB
left=10.13.16.217
leftid=10.13.16.217
leftsourceip=10.13.16.217
leftsubnet=10.13.16.0/23
right=a.b.c.d
rightid=a.b.c.d
rightsourceip=192.168.100.1
rightsubnets="192.168.100.0/24 192.168.101.0/24"
type=tunnel
authby=secret
auto=start
ike=aes-sha1;modp1024
phase2=esp
phase2alg=aes-sha1;modp1024
aggrmode=no
Config on BB:
conn AA
left=a.b.c.d
leftid=a.b.c.d
leftnexthop=a.b.c.d-1
leftsourceip=192.168.100.1
leftsubnets="192.168.100.0/24 192.168.101.0/24"
right=x.y.z.t # This IP has a static mapping to 10.13.16.217 on the edge firewall
rightid=10.13.16.217
rightsourceip=10.13.16.217
rightsubnet=10.13.16.0/23
type=tunnel
authby=secret
auto=start
ike=aes-sha1;modp1024
phase2=esp
phase2alg=aes-sha1;modp1024
aggrmode=no
I can see in tcpdump that the source IP of packets from BB endpoint to
AA endpoint is set to the WAN-side IP of BB. Why is this so?
Binand
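As an added example, not part of the post above: a small consistency checker for a pair of Openswan conn definitions. It parses the two blocks, verifies that each gateway's left side mirrors the peer's right side (ids, sourceip, subnets; outer addresses are deliberately not compared because one end sits behind static NAT), and checks whether each gateway's own addresses fall inside the subnets the tunnel policy covers. The sample configs are constructed from the two blocks in the post with the placeholders a.b.c.d and x.y.z.t replaced by RFC 5737 documentation addresses (203.0.113.10, 203.0.113.9, 198.51.100.20); the function names are my own.

```python
"""Consistency check for a pair of Openswan conn definitions (added example)."""
import ipaddress

# Constructed sample: the two conn blocks from the post, with the public
# placeholders a.b.c.d / x.y.z.t replaced by RFC 5737 documentation addresses.
CONF_AA = """
conn BB
    left=10.13.16.217
    leftid=10.13.16.217
    leftsourceip=10.13.16.217
    leftsubnet=10.13.16.0/23
    right=203.0.113.10
    rightid=203.0.113.10
    rightsourceip=192.168.100.1
    rightsubnets="192.168.100.0/24 192.168.101.0/24"
    type=tunnel
    authby=secret
"""

CONF_BB = """
conn AA
    left=203.0.113.10
    leftid=203.0.113.10
    leftnexthop=203.0.113.9
    leftsourceip=192.168.100.1
    leftsubnets="192.168.100.0/24 192.168.101.0/24"
    right=198.51.100.20   # static NAT mapping to 10.13.16.217 on the edge firewall
    rightid=10.13.16.217
    rightsourceip=10.13.16.217
    rightsubnet=10.13.16.0/23
    type=tunnel
    authby=secret
"""


def parse_conn(text):
    """Parse one conn block into a dict; strips '#' comments and surrounding quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("conn"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def subnets(conf, side):
    """Return the subnet list for 'left' or 'right', accepting subnet= or subnets=."""
    raw = conf.get(side + "subnets") or conf.get(side + "subnet", "")
    return [ipaddress.ip_network(s) for s in raw.split()]


def side_view(conf, side):
    """The attributes one peer must agree on with the other about a given side."""
    return {
        "id": conf.get(side + "id"),
        "sourceip": conf.get(side + "sourceip"),
        "subnets": sorted(subnets(conf, side), key=str),
    }


def check_pair(conf_a, conf_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    for mine, peer, label in ((conf_a, conf_b, "A"), (conf_b, conf_a, "B")):
        local = side_view(mine, "left")
        remote_view = side_view(peer, "right")
        if local != remote_view:
            findings.append(f"{label}: left side does not mirror peer's right side: "
                            f"{local} vs {remote_view}")
        # leftsourceip only helps if it lies inside a subnet the policy protects
        src = local["sourceip"]
        if src and not any(ipaddress.ip_address(src) in n for n in local["subnets"]):
            findings.append(f"{label}: leftsourceip {src} is outside leftsubnet(s)")
        # IPsec policy selectors are the declared subnets; a packet whose source is
        # the gateway's outer address does not match them and is sent unprotected
        outer = ipaddress.ip_address(mine["left"])
        if not any(outer in n for n in local["subnets"]):
            findings.append(f"{label}: outer address {outer} not in leftsubnet(s) "
                            "(traffic sourced from it does not match the tunnel policy)")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse_conn(CONF_AA), parse_conn(CONF_BB)):
        print(finding)
```

Run against the two sample blocks, the mirror check and the sourceip check pass on both sides; the only finding is for BB, whose outer address is not inside either of its leftsubnets. Whether a locally generated packet on BB ends up with that outer address as source (and so outside the policy) is exactly what the tcpdump in the post shows, so this is the first thing to confirm before looking at NAT or routing rules on the gateway.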