From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Gale
Subject: Re: NAT issues on a VPN tunnel
Date: Wed, 03 Nov 2004 08:06:31 -0700
Message-ID: <4188F3F7.3020305@utilitran.com>
Sender: netfilter-bounces@lists.netfilter.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: Chris Lyon, netfilter@lists.netfilter.org

Hello,

Before you start adding in custom NAT rules, are you sure that end point to end point works?

If the VPN device is set up on the gw box, or the router has a route to the network on the other side of the VPN, you will not need to NAT any traffic.

We have a VPN device plugged into a production network at an IDC. The default gw is the firewall, not the VPN device, and we did not want to add a static route on the firewall. So on the VPN device we SNAT all packets that leave that machine to its local IP. That way all connections that come in from the VPN look like they came from the VPN device.

Michael.

Chris Lyon wrote:
> So, I am trying to use NAT to solve the problem below because of an IP
> addressing conflict issue, but I am not having much luck. Basically all of
> Site A needs to get to only a few devices at each of sites B & C, so I am
> trying to do PREROUTING NAT on the far end systems. I have the tunnels up
> and I can see the traffic getting to the remote side on ipsec0, but I just
> can't get it to NAT from the 1.1.1.1 to the real 10.10.1.1.
>
> Command that I think should work:
> iptables -t nat -A PREROUTING -i ipsec0 -d 1.1.1.1 -j DNAT --to 10.10.10.10
> iptables -t nat -A POSTROUTING -o ipsec0 -s 10.10.10.10 -j SNAT --to 1.1.1.1
>
> Any ideas? Layout and configs are below.
>
> Site A eth0 - 192.168.254.0/24--Internet--Site B eth0 - 10.10.0.0/16
>                               \                         NAT FROM 1.1.1.1 10.10.1.1
>                                \                        example
>                                 \--Internet--Site C eth0 - 10.10.0.0/16
>                                                          NAT FROM 1.1.2.1 10.10.1.1
>                                                          example
>
> So here is the openswan configuration for your reference:
>
> Site A
>
> conn site_a-to-site_b
>     #---------(local side is left side)
>     left=
>     leftsubnet=192.168.254.0/24
>     leftnexthop=%defaultroute
>     #---------(remote side is right side)
>     right=
>     rightsubnet=1.1.0.0/16
>     #---------Auto Key Stuff
>     pfs=yes
>     auth=esp
>     authby=secret
>     esp=3des-md5-96
>     keylife=8h
>     keyingtries=0
>
> Site B
>
> conn site_b-to-site_a
>     #---------(local side is left side)
>     left=
>     leftsubnet=1.1.0.0/16
>     leftnexthop=%defaultroute
>     #---------(remote side is right side)
>     right=
>     rightsubnet=192.168.254.0/24
>     #---------Auto Key Stuff
>     pfs=yes
>     auth=esp
>     authby=secret
>     esp=3des-md5-96
>     keylife=8h
>     keyingtries=0

--
Michael Gale
Lan Administrator
Utilitran Corp.
We Pledge Allegiance to the Penguin
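An added example, written for this thread and not code from either poster: a small Python helper that generalizes the per-host alias-to-real translation Chris describes (1.1.1.1 to 10.10.1.1 at Site B, 1.1.2.1 to 10.10.1.1 at Site C) to a whole block, emits the matching PREROUTING DNAT / POSTROUTING SNAT pair per exposed host, and checks that the alias blocks advertised to Site A do not overlap each other or Site A's own subnet (an overlap would simply move the conflict into the tunnel). It assumes each remote site gets its own /24 alias block (1.1.1.0/24 and 1.1.2.0/24), which the diagram implies but the posted configs do not state.

```python
import ipaddress


def translate(addr: str, src_net: str, dst_net: str) -> str:
    """Map addr (inside src_net) to the address with the same host offset in dst_net.

    Both blocks must be the same size so the mapping is one-to-one and reversible.
    """
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("alias and real blocks must be the same size")
    a = ipaddress.ip_address(addr)
    if a not in src:
        raise ValueError(f"{addr} is not inside {src_net}")
    offset = int(a) - int(src.network_address)
    return str(dst.network_address + offset)


def nat_rules(alias_net: str, real_net: str, hosts, iface: str = "ipsec0"):
    """Per exposed real host: inbound alias->real (DNAT), outbound real->alias (SNAT).

    iface defaults to the ipsec0 interface named in the thread; hosts are real addresses.
    """
    rules = []
    for real in hosts:
        alias = translate(real, real_net, alias_net)
        rules.append(f"iptables -t nat -A PREROUTING -i {iface} -d {alias} -j DNAT --to {real}")
        rules.append(f"iptables -t nat -A POSTROUTING -o {iface} -s {real} -j SNAT --to {alias}")
    return rules


def overlapping(nets):
    """Return every pair of blocks that overlap; an empty list means the plan is clean."""
    ns = [ipaddress.ip_network(n) for n in nets]
    return [(str(x), str(y)) for i, x in enumerate(ns) for y in ns[i + 1:] if x.overlaps(y)]


if __name__ == "__main__":
    # Constructed plan from the thread: Site B exposes 10.10.1.1 behind alias block 1.1.1.0/24.
    for rule in nat_rules("1.1.1.0/24", "10.10.1.0/24", ["10.10.1.1"]):
        print(rule)
    # Site A's real subnet plus the two alias blocks must not collide.
    print(overlapping(["192.168.254.0/24", "1.1.1.0/24", "1.1.2.0/24"]))
```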