[Openswan Users] Connexion from OpenSwan to a Cisco gateway

MichaelLeung gbcbooksmj at gmail.com
Mon Sep 21 04:18:41 EDT 2015


Well,
try this command line instead of yours

iptables -t nat -A POSTROUTING -d W.X.Y.Z -o YourNetworkAdapterName -j MASQUERADE

after that, you don't need to worry about your dynamic IP address at all.

On 09/20/2015 05:55 PM, Daniel Cave wrote:
> Sorry Olivier. I meant to refer to the dynamic IP. I think you'll know what I meant
>
> Sent from my iPhone
>
>> On 20 Sep 2015, at 08:55, Olivier Thomas <othomas at webtyss.com> wrote:
>>
>> Hi,
>>
>> I want to connect to a Cisco VPN gateway located at my customer by using Openswan.
>> My customer gave me credentials with a PCF file which is for a client to site VPN configuration. It was not possible to get site to site config.
>> From a Windows host with the Cisco client, it works. Then I successfully installed Openswan on my Linux box, which acts as a router/NAT gateway for my other machines behind it. I converted the PCF file to an Openswan configuration file and I successfully established an IPsec connection from Openswan.
>> The command "ipsec look" shows me the dynamically assigned IP address received from the Cisco gateway and the routes pushed by the Cisco gateway.
>>
>> However, I have two problems:
>> - If I try to connect from my Openswan machine to one of the authorized servers behind the Cisco gateway (e.g. telnet or wget, whatever protocol...), it doesn't work. The command "ip xfrm monitor" doesn't display any packet going through the tunnel. I suspect I may need to add some iptables rules, but it seems strange to me because if I compare with the Windows Cisco VPN client, it works immediately and I can reach machines behind the Cisco gateway.
>> - I would also like to connect from my hosts behind my Linux Openswan box to the other machines behind the Cisco gateway by doing some kind of NAT or masquerading of their source IP addresses. At first it doesn't work, but if I add on the Openswan box an iptables rule like "iptables -t nat -A POSTROUTING -d W.X.Y.Z -j SNAT --to A.B.C.D", where W.X.Y.Z stands for the server I try to reach and A.B.C.D stands for the dynamic address assigned by the Cisco gateway, then it works !!! But the problem is that A.B.C.D is dynamic, so it may change, and I don't want to have to change this rule manually all the time...
>>
>> Maybe something is wrong with my ipsec.conf or I'm missing an option... here it is:
>>
>> conn myconf
>>       ike=3des-md5-modp1024
>>       aggrmode=yes
>>       authby=secret
>>       left=%defaultroute
>>       leftid=@myself
>>       leftxauthclient=yes
>>       leftxauthusername=mylogin
>>       leftmodecfgclient=yes
>>       right=H.I.J.K
>>       rightxauthserver=yes
>>       rightmodecfgserver=yes
>>       pfs=no
>>       auto=start
>>       remote_peer_type=cisco
>>
>> ipsec.secrets
>>       @myself H.I.J.K : PSK "aaaaaaaaaaa"
>>       @mylogin : XAUTH "bbbbbbbbb"
>>
>>
>> Thanks for your support !
>> O.
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
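
The SNAT rule in Olivier's question works but hard-codes the ModeCfg-assigned address A.B.C.D, which changes on every reconnect. As an added example that is not part of this thread or of Openswan itself, the following Python script derives that address from `ip xfrm policy` output and emits the same SNAT rule scoped to the tunnel's remote network. It assumes the NETKEY stack, where Openswan installs the assigned address as the /32 source selector of the outbound tunnel policy; the sample policy text and all addresses in it are constructed.

```python
import re
import subprocess
from typing import List, Tuple

# Constructed sample of `ip xfrm policy` output (not captured from the
# thread's systems).  Assumption: with NETKEY, Openswan installs the
# ModeCfg-assigned address (A.B.C.D in the question) as the /32 source
# selector of each outbound ESP tunnel policy.
SAMPLE_XFRM_POLICY = """\
src 10.99.0.7/32 dst 172.16.5.0/24 
\tdir out priority 2344 ptype main 
\ttmpl src 203.0.113.10 dst 198.51.100.1
\t\tproto esp reqid 16385 mode tunnel
src 172.16.5.0/24 dst 10.99.0.7/32 
\tdir in priority 2344 ptype main 
\ttmpl src 198.51.100.1 dst 203.0.113.10
\t\tproto esp reqid 16385 mode tunnel
src 172.16.5.0/24 dst 10.99.0.7/32 
\tdir fwd priority 2344 ptype main 
\ttmpl src 198.51.100.1 dst 203.0.113.10
\t\tproto esp reqid 16385 mode tunnel
"""

# One policy entry: selector line, dir line, template line, proto line.
POLICY_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+) *\n\tdir (?P<dir>\w+) .*\n"
    r"\ttmpl src \S+ dst \S+ *\n\t\tproto esp .*mode tunnel",
    re.MULTILINE,
)

def outbound_tunnels(policy_text: str) -> List[Tuple[str, str]]:
    """Return (assigned_ip, remote_network) for each 'dir out' ESP tunnel policy."""
    found = []
    for m in POLICY_RE.finditer(policy_text):
        if m.group("dir") != "out" or not m.group("src").endswith("/32"):
            continue  # only outbound policies whose source is a single assigned address
        found.append((m.group("src")[:-3], m.group("dst")))
    return found

def snat_rules(policy_text: str) -> List[str]:
    """Rewrite LAN sources to the assigned address, only for traffic bound for the tunnel."""
    return [f"iptables -t nat -A POSTROUTING -d {net} -j SNAT --to-source {ip}"
            for ip, net in outbound_tunnels(policy_text)]

def main():
    # Run on the Openswan box after the tunnel is up, e.g. from the updown script.
    text = subprocess.run(["ip", "xfrm", "policy"], capture_output=True, text=True, check=True).stdout
    for rule in snat_rules(text):
        print(rule)

if __name__ == "__main__":
    main()
```

Restricting the rule to the tunnel's destination network (rather than all outbound traffic) keeps the LAN hosts from being rewritten to the VPN address for anything else.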
