[Openswan Users] network changes - static NAT to private IP, what now?

Neal Murphy neal.p.murphy at alum.wpi.edu
Fri May 17 21:11:01 UTC 2013

On Friday, May 17, 2013 03:55:26 PM Patrick Naubert wrote:
> Rescued from the Spam bucket.  Please remember to subscribe to the mailing
> list before posting to it.
> From: "Sven J. van Rooij" <sven at vee-r.com>
> Subject: network changes - static NAT to private IP, what now?
> Date: 17 May, 2013 2:53:30 PM EDT
> To: "users at openswan.org" <users at openswan.org>
> Hello all…
> We are “upgrading” our network and are getting dual T1 lines. However,
> besides new IPs, the provider also has us on a firewalled network with
> private IPs now (10.16.x.x). Other than that, nothing changes and I would
> like to keep the current setup in place as is.
> I already requested to have the IP for our Clark connect firewall NATd, so
> I do have one static public IP with static 1-1 NAT for it.
> Looking at my tunnel definition files though, I wonder, what do I use for
> my left and leftnexthop and what do I tell my partner networks to use on
> the other end of the tunnel.
> Do I use both my private IPs or do I use the public (NATd IP) as my left
> and the leftnexthop is my private IP gateway?
> Can one do that? Or do I need another NATd public IP for my gateway address
> as well?
> What info does the other side use? Public IP for the endpoint and private
> IP for the next hop??
> Any advice will be highly appreciated.
> Sven

Summary: both IPSEC endpoints can be NATted as long as the IPSEC ports are 
forwarded into one of them. The end that does not receive the forwarded ports 
must initiate the conn; the other end can only respond.

In my modernization efforts with Smoothwall (and hacking its scripts), I found 
that forwarding ports 500 and 4500 across the outer firewall to the internal 
firewall/router that runs the IPSEC gateway works very well. I added 
smoothie's RED (internet) address as the '*sourceip' as needed.

An example might help. Given a NATted openswan on the left and a non-NATted 
IPSEC on the right:
  - Left has (internal LAN), on
   (internet LAN), and (perimeter F/W public address).
  - Right has (internal LAN) and (public address).

The salient parts of the .conf are:

By adding rightsourceip as appropriate, I was able to let a remote Sonicwall 
(on a private LAN behind a perimeter F/W) connect to my Smoothwall behind my 
own perimeter F/W that forwarded ports 500 and 4500 to my inner smoothie.

Caveat: if you cannot change the perimeter F/W to forward the IPSEC ports, 
then your NATted system must initiate the conn. That is, the remote should be 
set to 'auto=add' because it can never initiate the VPN--it can only respond.
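As an added illustration (not from this thread and not Neal's actual .conf) of the two stanzas described above, here is an Openswan ipsec.conf pair for the caveat case, where the perimeter firewall does NOT forward UDP 500/4500 to the inner gateway, so the NATted side must initiate. Every address is an assumed placeholder: the provider's private range follows the 10.16.x.x in the question, the public sides use RFC 5737 documentation addresses.

```conf
# --- ipsec.conf on the NATted Openswan gateway ("left", behind the perimeter F/W) ---
# Assumed layout: 10.16.1.2 is this box's address on the provider's private LAN,
# 10.16.1.1 the private-side gateway, 192.0.2.10 the 1-to-1 NATted public address.
config setup
        nat_traversal=yes            # detect the NAT and carry IKE/ESP over UDP/4500

conn partner
        left=10.16.1.2               # our own (private) interface address, assumed
        leftid=192.0.2.10            # the public address the peer sees after 1-to-1 NAT, assumed;
                                     # without this the IKE ID would default to 10.16.1.2
        leftnexthop=10.16.1.1        # gateway on the provider's private LAN, assumed
        leftsubnet=192.168.1.0/24    # LAN behind this gateway, assumed
        right=198.51.100.5           # partner's non-NATted public endpoint, assumed
        rightsubnet=172.16.0.0/24    # partner's LAN, assumed
        authby=secret                # PSK keyed in ipsec.secrets by the two IDs above
        auto=start                   # the NATted side must initiate: nothing is forwarded to it

# --- ipsec.conf on the partner gateway ("right") ---
conn partner
        left=192.0.2.10              # the NATted peer appears from its public address
        leftid=192.0.2.10            # must match the peer's leftid
        leftsubnet=192.168.1.0/24
        right=198.51.100.5
        rightsubnet=172.16.0.0/24
        authby=secret
        auto=add                     # load only; this side cannot initiate through the peer's NAT

# If the perimeter F/W instead forwards UDP 500 and 4500 to 10.16.1.2 (Neal's
# Smoothwall setup), the partner may use auto=start as well, since either side
# can then reach the other's IKE port.
```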
