[Openswan Users] network changes - static NAT to private IP, what now?
neal.p.murphy at alum.wpi.edu
Fri May 17 21:11:01 UTC 2013
On Friday, May 17, 2013 03:55:26 PM Patrick Naubert wrote:
> Rescued from the Spam bucket. Please remember to subscribe to the mailing
> list before posting to it.
> From: "Sven J. van Rooij" <sven at vee-r.com>
> Subject: network changes - static NAT to private IP, what now?
> Date: 17 May, 2013 2:53:30 PM EDT
> To: "users at openswan.org" <users at openswan.org>
> Hello all…
> We are “upgrading” our network and are getting dual T1 lines. However,
> besides new IPs, the provider also has us on a firewalled network with
> private IPs now (10.16.x.x) Other than that, nothing changes and I would
> like to keep the current setup in place as is.
> I already requested to have the IP for our Clark connect firewall NATd, so
> I do have one static public IP with static 1-1 NAT for it.
> Looking at my tunnel definition files though, I wonder, what do I use for
> my left and leftnexthop and what do I tell my partner networks to use on
> the other end of the tunnel.
> Do I use both my private IPs or do I use the public (NATd IP) as my left
> and the leftnexthop is my private IP gateway?
> Can one do that? Or do I need another NATd public IP for my gateway address
> as well?
> What info does the other side use? Public IP for the endpoint and private
> IP for the next hop??
> Any advice will be highly appreciated.
Summary: both IPSEC endpoints can be NATted as long as the IPSEC ports are
forwarded into one of them. The end that does not receive the forwarded ports
must initiate the conn; the other end can only respond.
In my modernization efforts with Smoothwall (and hacking its scripts), I found
that forwarding ports 500 and 4500 across the outer firewall to the internal
firewall/router that runs the IPSEC gateway works very well. I added
smoothie's RED (internet) address as the '*sourceip' as needed.
An example might help. Given a NATted openswan on the left and a non-NATted
IPSEC on the right:
- Left has 10.1.1.0/24 (internal LAN), 10.111.111.1 on 10.111.111.0/24
(internet LAN), and 127.111.111.254 (perimeter F/W public address).
- Right has 10.2.2.0/24 (internal LAN) and 127.222.222.1 (public address).
The salient parts of the .conf are:
By adding rightsourceip as appropriate, I was able to let a remote Sonicwall
(on a private LAN behind a perimeter F/W) connect to my Smoothwall behind my
own perimeter F/W that forwarded ports 500 and 4500 to my inner smoothie.
Caveat: if you cannot change the perimeter F/W to forward the IPSEC ports,
then your NATted system must initiate the conn. That is, the remote should be
set to 'auto=add' because it can never initiate the VPN--it can only respond.
More information about the Users