[Openswan Users] Routing through tunnel, how?

Nick Howitt n1ck.h0w1tt at gmail.com
Mon Sep 23 09:19:22 UTC 2013


 

Oops, yes I forgot the "-t nat" bit and I had my doubts that it would
work. I'm not sure I can give you a good set up. I do not see how
linking subnets 10.131.x.x and 10.172.x.x will ever allow you to get to
server IP 131.x.x.x. 

On 2013-09-23 09:56, Morten Brix Pedersen wrote: 

> I had to add "-t nat" to that command for it to work. 
> 
> It doesn't do the trick however. 
> 
> 2013/9/23 Nick Howitt <n1ck.h0w1tt at gmail.com>
> 
> How about: 
> 
> iptables -I POSTROUTING -s 172.x.x.x/x -d 131.x.x.x -j SNAT --to-source 10.131.x.x
> You should be able to leave out the "-s 172.x.x.x/x" bit if you want. 
> 
> You will also need a route on your local gateway device to route all traffic to 131.x.x.x via leftsourceip. 
> 
> This may not work because I don't know if the POSTROUTING chain will do anything to packets destined for the VPN. No promises here. 
> 
> Nick 
> 
> On 2013-09-23 08:38, Morten Brix Pedersen wrote: 
> 
> Hi, 
> 
> I have the following setup: 
> 
> Side A (me): 
> Local ip: 172.x.x.x 
> Public ip: z.z.z.z 
> 
> Side B (them): 
> Remote ip: y.y.y.y 
> 
> They have assigned me address 10.131.x.x which I must NAT all traffic through to get to server ip 131.x.x.x. My server only has one network interface (eth0, with address 172.x.x.x) 
> 
> So this is my configuration: 
> 
> conn vpn 
> authby=secret 
> forceencaps=yes 
> auto=start 
> left=%defaultroute 
> leftid=z.z.z.z 
> leftsourceip=z.z.z.z 
> leftsubnet=10.131.x.x/32 
> right=y.y.y.y 
> rightid=y.y.y.y 
> rightsubnet=10.172.x.x/32 
> phase2alg=aes256-sha1 
> pfs=no 
> 
> The VPN tunnel is established: 
> 
> 000 "vpn": 10.131.x.x/32===172.x.x.x[z.z.z.z]...y.y.y.y<y.y.y.y>===10.172.x.x/32; erouted; eroute owner: #3 
> 000 "vpn": myip=z.z.z.z; hisip=unset; 
> 000 "vpn": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 
> 000 "vpn": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0; 
> 000 "vpn": newest ISAKMP SA: #1; newest IPsec SA: #3; 
> 000 "vpn": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024 
> 000 "vpn": ESP algorithms wanted: AES(12)_256-SHA1(2)_000; flags=-strict 
> 000 "vpn": ESP algorithms loaded: AES(12)_256-SHA1(2)_160 
> 000 "vpn": ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<N/A> 
> 000 
> 000 #3: "vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27560s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate 
> 000 #3: "vpn" esp.86884638@y.y.y.y esp.a7324109@172.31.2.203 tun.0@y.y.y.y tun.0@172.31.x.x ref=0 refhim=4294901761 
> 000 #1: "vpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2076s; newest ISAKMP; lastdpd=4s(seq in:0 out:0); idle; import:admin initiate 
> 
> Now I must access server ip 131.x.x.x but NAT it through our assigned ip address 1.131.x.x. 
> 
> How can I do that? 
> 
> Thanks. 
> 
> - Morten. 
> 
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
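Nick's point above, that a conn whose selectors are 10.131.x.x/32 and 10.172.x.x/32 cannot carry traffic to 131.x.x.x no matter how the source is NATed, modelled as an added example; this is constructed code, not from the thread or from Openswan, and the concrete addresses, the `outbound()` helper and the `COVERING` policy are assumptions standing in for the masked values.

```python
"""Constructed model of Openswan traffic selectors: a conn only protects an
outbound packet whose (src, dst) fall inside leftsubnet/rightsubnet.
Not Openswan code; all addresses below are made-up stand-ins."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for the masked addresses in the thread.
LEFT_SUBNET = "10.131.0.5/32"    # address assigned by the remote side (leftsubnet)
RIGHT_SUBNET = "10.172.0.9/32"   # rightsubnet exactly as in the posted config
SERVER = "131.0.0.10"            # the server behind the peer that must be reached
LOCAL_ETH0 = "172.16.0.2"        # the only local interface address
ASSIGNED_NAT_IP = "10.131.0.5"   # SNAT --to-source target


@dataclass(frozen=True)
class TunnelPolicy:
    """Traffic selectors of one conn (the SPD entry Openswan shows as an eroute)."""
    leftsubnet: str
    rightsubnet: str

    def selects(self, src: str, dst: str) -> Tuple[bool, str]:
        """Return (protected, reason) for an outbound packet src -> dst."""
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.leftsubnet):
            return False, f"src {src} not in leftsubnet {self.leftsubnet}"
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.rightsubnet):
            return False, f"dst {dst} not in rightsubnet {self.rightsubnet}"
        return True, "matches selectors; packet is encrypted into the tunnel"


def outbound(policy: TunnelPolicy, src: str, dst: str,
             snat_to: Optional[str] = None) -> Tuple[bool, str]:
    """Simplified outbound path: optional POSTROUTING SNAT first, then the
    selector check (assumes the NAT'ed source is what the policy sees)."""
    if snat_to is not None:
        src = snat_to
    return policy.selects(src, dst)


POSTED = TunnelPolicy(LEFT_SUBNET, RIGHT_SUBNET)
# Hypothetical alternative: a rightsubnet that actually covers the server.
COVERING = TunnelPolicy(LEFT_SUBNET, f"{SERVER}/32")

if __name__ == "__main__":
    for name, pol in (("posted", POSTED), ("covering", COVERING)):
        for nat in (None, ASSIGNED_NAT_IP):
            ok, why = outbound(pol, LOCAL_ETH0, SERVER, snat_to=nat)
            print(f"{name:9} snat={nat!s:12} tunnelled={ok!s:5} {why}")
```

With the posted selectors the SNATed packet still fails on the destination side, which is the mismatch Nick describes; only a rightsubnet covering the server's address lets the packet match.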
 
