[Openswan Users] Terminating VPN on the NAT gateway

Binand Sethumadhavan binand at gmx.net
Fri Jun 14 05:12:04 UTC 2013


Thanks for this. I added this pair of rules:

iptables -t nat -A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A PREROUTING  -m policy --pol ipsec --dir in -j ACCEPT

This seems to have rendered obsolete all my other IPSec-related
iptables rules while enabling perfect connectivity across my various
locations connected via openswan installations.

Binand

On 12 June 2013 18:37, Simon Deziel <simon at xelerance.com> wrote:
> On 13-06-12 06:20 AM, Binand Sethumadhavan wrote:
>> On 11 June 2013 17:58, Binand Sethumadhavan <binand at gmx.net> wrote:
>>> I can see in tcpdump that the source IP of packets from BB endpoint to
>>> AA endpoint is set to the WAN-side IP of BB. Why is this so?
>>
>> This now works for me after I added this iptables rule:
>>
>> iptables -t nat -I POSTROUTING -s a.b.c.d -d 10.13.16.0/23 -j SNAT
>> --to-source 192.168.100.1
>>
>> No documentation says such a step is needed. Is there something I am
>> missing elsewhere in my config?
>
> In general, it's best to avoid NAT'ing for all IPsec related traffic. I
> recommend using this one:
>
> iptables -t nat -I POSTROUTING -m policy --dir out --proto esp -j RETURN
>
> Regards,
> Simon
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
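
An added illustration that is not part of the thread: a small Python model of the nat/POSTROUTING chain walk, showing why the `-m policy --pol ipsec --dir out -j ACCEPT` exemption only protects tunnelled traffic from SNAT/MASQUERADE when it is evaluated before the general NAT rule (`-I` places it first; `-A` appends it after an existing MASQUERADE rule, where it is never reached for LAN traffic). The remote subnet 10.13.16.0/23 is the one from the thread; the LAN range, WAN address and sample packets are constructed assumptions, and the model only covers the first packet of a flow, which is the only one the nat table ever sees.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses (assumptions, not from the thread), except the
# remote subnet 10.13.16.0/23 which the thread mentions.
LAN = "192.168.100.0/24"
REMOTE = "10.13.16.0/23"
WAN_IP = "198.51.100.1"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    # True when the kernel has an outbound IPsec policy for this flow,
    # i.e. what "-m policy --pol ipsec --dir out" matches on.
    ipsec_out: bool = False


@dataclass
class Rule:
    target: str                       # ACCEPT, RETURN, SNAT or MASQUERADE
    src: Optional[str] = None         # -s
    dst: Optional[str] = None         # -d
    proto: Optional[str] = None       # -p
    pol_ipsec_out: bool = False       # -m policy --pol ipsec --dir out
    to_source: Optional[str] = None   # --to-source (SNAT only)

    def matches(self, pkt: Packet) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.pol_ipsec_out and not pkt.ipsec_out:
            return False
        return True


def source_after_nat(chain: List[Rule], pkt: Packet) -> str:
    """Walk nat/POSTROUTING for the first packet of a flow.

    The first rule with a terminating target decides; ACCEPT/RETURN leave
    the chain without creating any NAT mapping, so the source is kept.
    """
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "RETURN"):
            return pkt.src
        if rule.target == "SNAT":
            return rule.to_source
        if rule.target == "MASQUERADE":
            return WAN_IP
    return pkt.src  # chain policy ACCEPT: packet left untouched


def build_chain(exempt_first: bool) -> List[Rule]:
    """A gateway that already masquerades its LAN, plus the IPsec exemption."""
    chain = [Rule("MASQUERADE", src=LAN)]   # pre-existing Internet NAT rule
    exempt = Rule("ACCEPT", pol_ipsec_out=True)
    if exempt_first:
        chain.insert(0, exempt)  # iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
    else:
        chain.append(exempt)     # iptables -t nat -A POSTROUTING ...: lands after MASQUERADE
    return chain


# Constructed sample packets: one bound for the remote IPsec subnet, one for the Internet.
TUNNEL_PKT = Packet("192.168.100.10", "10.13.16.5", ipsec_out=True)
INTERNET_PKT = Packet("192.168.100.10", "203.0.113.7")


def demo() -> dict:
    return {
        "tunnel, exemption first": source_after_nat(build_chain(True), TUNNEL_PKT),
        "internet, exemption first": source_after_nat(build_chain(True), INTERNET_PKT),
        "tunnel, exemption appended": source_after_nat(build_chain(False), TUNNEL_PKT),
    }


if __name__ == "__main__":
    for case, src in demo().items():
        print(f"{case}: source seen by the peer = {src}")
```

On a real gateway the equivalent check is the rule order printed by `iptables -t nat -S POSTROUTING`: the policy-match ACCEPT line must come before any MASQUERADE or SNAT line that would otherwise match the LAN-to-remote traffic.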

