> -----Original Message-----
> From: John A. Sullivan III [mailto:john.sullivan@xxxxxxxxxxxxx]
> Sent: Tuesday, November 02, 2004 8:09 AM
> To: Christopher Lyon
> Cc: Netfilter users list
> Subject: Re: NAT issues on a VPN tunnel
>
> On Tue, 2004-11-02 at 10:40, Chris Lyon wrote:
> > So, I am trying to use NAT to solve the problem below because of an IP
> > addressing conflict issue, but I am not having much luck. Basically all of
> > Site A needs to get to only a few devices at each of sites B & C, so I am
> > trying to do PREROUTING NAT on the far-end systems. I have the tunnels up
> > and I can see the traffic getting to the remote side on ipsec0, but I just
> > can't get it to NAT from the 1.1.1.1 to the real 10.10.1.1.
> >
> > Command that I think should work:
> >
> > iptables -t nat -A PREROUTING -i ipsec0 -d 1.1.1.1 -j DNAT --to 10.10.10.10
> > iptables -t nat -A POSTROUTING -o ipsec0 -s 10.10.10.10 -j SNAT --to 1.1.1.1
> >
> > Any ideas? Layout and configs are below.
> >
> > Site A eth0 - 192.168.254.0/24--Internet--Site B eth0 - 10.10.0.0/16
> >                                 \                    NAT FROM 1.1.1.1 10.10.1.1 example
> >                                  \--Internet--Site C eth0 - 10.10.0.0/16
> >                                                      NAT FROM 1.1.2.1 10.10.1.1 example
> >
> > So here are the openswan configurations for your reference:
> >
> > Site A
> >
> > conn site_a-to-site_b
> >         #---------(local side is left side)
> >         left=<public site a>
> >         leftsubnet=192.168.254.0/24
> >         leftnexthop=%defaultroute
> >         #---------(remote side is right side)
> >         right=<public site b>
> >         rightsubnet=1.1.0.0/16
> >         #---------Auto Key Stuff
> >         pfs=yes
> >         auth=esp
> >         authby=secret
> >         esp=3des-md5-96
> >         keylife=8h
> >         keyingtries=0
> >
> > Site B
> >
> > conn site_b-to-site_a
> >         #---------(local side is left side)
> >         left=<public site b>
> >         leftsubnet=1.1.0.0/16
> >         leftnexthop=%defaultroute
> >         #---------(remote side is right side)
> >         right=<public site a>
> >         rightsubnet=192.168.254.0/24
> >         #---------Auto Key Stuff
> >         pfs=yes
> >         auth=esp
> >         authby=secret
> >         esp=3des-md5-96
> >         keylife=8h
> >         keyingtries=0
>
> This looks terribly familiar. Is this an old post come back to life, or
> was it on one of the *swan lists? I thought we left off with some
> discussion of where to do the NAT and that the basic setup described
> should work, but were unsure about how you knew the packets were not
> being NATd correctly. I don't recall a reply after that. Take care -
> John

Hello John,

It was actually on the openswan list, and since this is more of an
iptables/NAT question I moved the post to here. Yes, I did reply and I am
still trying to get this working. I have tried a bunch of combinations and
have yet to find the answer.

> --
> John A. Sullivan III
> Chief Technology Officer
> Nexus Management
> +1 207-985-7880
> john.sullivan@xxxxxxxxxxxxx
> ---
> If you are interested in helping to develop a GPL enterprise class
> VPN/Firewall/Security device management console, please visit
> http://iscs.sourceforge.net
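A far-end rule set for the layout in the thread, written as an added example rather than anything Chris or John posted: the addresses are the thread's own (Site A in 192.168.254.0/24, the alias 1.1.1.1 standing in for the real 10.10.1.1 behind Site B's 10.10.0.0/16). Everything else is an assumption of mine: matching on Site A's subnet instead of "-i ipsec0" (so the rules do not depend on a KLIPS ipsec0 device existing; NETKEY has none), the NETMAP variant for mapping a whole prefix, a disjoint alias prefix for Site C, the DRY_RUN switch, and the diagnostic commands in "check".

```shell
#!/bin/sh
# Added example, not from the original posts. Far-end (Site B) NAT so that
# Site A reaches a host behind the overlapping 10.10.0.0/16 via an alias in
# the tunnel's 1.1.0.0/16 selector. Addresses are the thread's; the rest
# (address-based matching, NETMAP, DRY_RUN, check) is assumed.
set -eu

# DRY_RUN=1 prints each iptables command instead of running it, so the
# rules can be reviewed on a box without iptables or root.
: "${DRY_RUN:=0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# map_host SITE_A_NET ALIAS REAL
# Inbound: decrypted packets from Site A for ALIAS are DNATed in PREROUTING
# (before the routing decision, so the kernel then forwards them to REAL).
# Replies to those connections are reversed by conntrack automatically; the
# POSTROUTING SNAT is for connections REAL itself opens toward Site A, so
# their source lands inside leftsubnet=1.1.0.0/16 and enters the tunnel
# instead of leaving in the clear. Matching on Site A's subnet rather than
# "-i ipsec0" works whether or not the IPsec stack exposes a device.
map_host() {
    a_net=$1 alias=$2 real=$3
    run iptables -t nat -A PREROUTING  -s "$a_net" -d "$alias" \
        -j DNAT --to-destination "$real"
    run iptables -t nat -A POSTROUTING -s "$real" -d "$a_net" \
        -j SNAT --to-source "$alias"
}

# map_net SITE_A_NET ALIAS_NET REAL_NET
# Same idea for a whole prefix: NETMAP rewrites only the network part, so
# 1.1.5.7 <-> 10.10.5.7 without one rule pair per host.
map_net() {
    a_net=$1 alias_net=$2 real_net=$3
    run iptables -t nat -A PREROUTING  -s "$a_net" -d "$alias_net" \
        -j NETMAP --to "$real_net"
    run iptables -t nat -A POSTROUTING -s "$real_net" -d "$a_net" \
        -j NETMAP --to "$alias_net"
}

# Site B publishes 10.10.1.1 as 1.1.1.1. Site C would do the same with an
# alias prefix that does not overlap Site B's (assumed: 1.1.2.0/24), since
# Site A can only tell the two sites apart by the alias it is given.
site_b() {
    map_host 192.168.254.0/24 1.1.1.1 10.10.1.1
}

# Diagnostics. The nat table is consulted only for the first packet of a
# connection, so its counters count new flows, not packets: a PREROUTING
# DNAT counter stuck at 0 while tcpdump shows decrypted packets for 1.1.1.1
# means the match (interface/address) is wrong; a counter that moves while
# the host never answers usually means forwarding is off or 10.10.1.1 has
# no route back through this gateway.
check() {
    run iptables -t nat -L PREROUTING  -v -n -x
    run iptables -t nat -L POSTROUTING -v -n -x
    run sysctl net.ipv4.ip_forward
}

case "${1:-}" in
    apply) site_b ;;
    check) check ;;
    *) ;;   # no argument: only define the functions
esac
```

"DRY_RUN=1 sh far-end-nat.sh apply" prints the two rules; without DRY_RUN it loads them. The one-rule-per-direction form above is what conntrack needs for the Site A to 10.10.1.1 direction; the SNAT line only matters for traffic the real host originates.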