[Openswan Users] Terminating VPN on the NAT gateway

Binand Sethumadhavan binand at gmx.net
Fri Jun 14 05:12:04 UTC 2013

Thanks for this. I added this pair of rules:

iptables -t nat -A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A PREROUTING  -m policy --pol ipsec --dir in -j ACCEPT

This seems to have rendered obsolete all my other IPSec-related
iptables rules while enabling perfect connectivity across my various
locations connected via openswan installations.


On 12 June 2013 18:37, Simon Deziel <simon at xelerance.com> wrote:
> On 13-06-12 06:20 AM, Binand Sethumadhavan wrote:
>> On 11 June 2013 17:58, Binand Sethumadhavan <binand at gmx.net> wrote:
>>> I can see in tcpdump that the source IP of packets from BB endpoint to
>>> AA endpoint is set to the WAN-side IP of BB. Why is this so?
>> This now works for me after I added this iptables rule:
>> iptables -t nat -I POSTROUTING -s a.b.c.d -d -j SNAT
>> --to-source
>> No documentation says such a step is needed. Is there something I am
>> missing elsewhere in my config?
> In general, it's best to avoid NAT'ing for all IPsec related traffic. I
> recommend using this one:
> iptables -t nat -I POSTROUTING -m policy --dir out --proto esp -j RETURN
> Regards,
> Simon
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Users mailing list