IP Nat or forward

Vernon A. Fort vfort at provident-solutions.com
Thu Apr 7 15:18:17 CEST 2005

Taylor, Grant wrote:

>Ok, one of us is not understanding the other, and it is likely me.  Normal
>IPSec VPNs run on a network as such:
>[Host A] --- LAN --- [Host B] .... (INET) .... [Host C] --- LAN --- [Host D]
>Where the LAN between Host A and Host B is one IP subnet and the LAN between
>Host C and Host D is another IP subnet, preferably different than the IP
>subnet on the first LAN.  The VPN in this scenario would be between Host B
>and Host C.  Let's suppose that the hosts have the following IP addresses:
>Host A's LAN IP address is
>Host B's LAN IP address is
>Host B's INet IP address is
>Host C's INet IP address is
>Host C's LAN IP address is
>Host D's LAN IP address is
>In this case the IPSec VPN would be between Host B's INet address of
> and Host C's INet address of  As far as what
>traffic would and would not be NATed, you would NAT all traffic going out to
>the INet from Host B's INet IP address of except the IPSec VPN
>traffic.  More information on how to NAT all traffic but the IPSec VPN
>traffic is available with your IPSec VPN software.  Ask if you need more
>help configuring your NATing on Host B and / or Host C.  You (or your
>counterpart on the other LAN) would NAT all traffic going out to the INet
>from Host C's INet IP address of except the IPSec VPN traffic.
>Because you have the VPN passing traffic from one LAN to the other LAN you
>don't normally need to NAT the traffic at all except for in your case you
>have the same IP subnet on both LANs which will mess up normal routing and
>thus you have to augment it via NATing.  I hope this helps clear up some
>things for you.
>Grant. . . .
>>Thanks!  I want to make sure I understand the IPSEC and NAT.  I'm
>>connecting a PUBLIC address to my FIREWALL but NOT including the gateway
>> -> IPSEC ->      # a host to host / ip to
>>ip VPN
>>    NAT    to
>>Since the NAT takes place AFTER the IPSEC traffic, do I really need the
>>NAT-T enabled?
>>Do I just aliase the address or should I do a VLAN?
OK - I have a VPN working WITHOUT NAT.  I did try the NAT per your 
example and several others, as well as adding nat_traversal=yes in the 
ipsec.conf.  Both servers are stock Fedora Core 3.  The iptables version 
on both does NOT support the --oif option, so this may have been the 
reason.  I also cannot confirm whether the NAT-Traversal patch is in the kernel 
- I did look.  Here's the layout:

    HOSTA   (Vendor) (
    HOSTB   (ME)   (

The real host this vendor needs access to is but they 
already have a VPN defined with this subnet.  I set this up in a test 
environment using an additional FC3 box as the real host.  I was able to 
set an alias IP address within the 192.168.90 subnet and set a 
POSTROUTING rule to perform SNAT, and it WORKED - I know this is NATing 
outside of the VPN.

An additional thought - the site listed above has a CISCO 2811 router as 
the main WAN router (not internet) and it 'APPEARS' to have NAT 
capabilities.  I guess the easiest way to get this running is to configure 
the router to perform DNAT/SNAT if the source and destination match.  
I can fumble around on the router and know the basic commands, but I'm no 
expert.  So, if anyone on the list knows the exact commands to NAT this 
real host, your assistance would be greatly appreciated!  Otherwise, 
I'm off to study the Cisco ip nat command structure.
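The alias-plus-SNAT arrangement described in the post, written out as a reviewable netfilter rule set for the VPN gateway (an added example, not code from the thread): the real host keeps its own address, the vendor reaches it through an alias inside the 192.168.90 subnet their VPN already carries, and the gateway rewrites both directions. All addresses and the interface name are constructed placeholders; the commands are printed for review unless RUN=1 is set.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All values below are constructed.
REAL_HOST="10.0.0.50"        # constructed: the real server on our overlapping LAN
ALIAS_HOST="192.168.90.50"   # constructed: address the vendor sees, inside 192.168.90/24
VENDOR_NET="172.16.5.0/24"   # constructed: subnet the vendor's side sources traffic from
VPN_IF="eth0"                # constructed: interface the IPsec tunnel terminates on

# Print each command unless RUN=1, so the rule set can be checked before it is applied.
run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

nat_rules() {
  # The gateway must own the alias so decrypted packets for it are delivered locally.
  run ip addr add "$ALIAS_HOST/24" dev "$VPN_IF"
  # Inbound, before routing: vendor -> alias is rewritten to vendor -> real host.
  # conntrack reverses this for the replies, provided the real host routes back via this gateway.
  run iptables -t nat -A PREROUTING -s "$VENDOR_NET" -d "$ALIAS_HOST" \
      -j DNAT --to-destination "$REAL_HOST"
  # Outbound, after routing: connections the real host starts toward the vendor
  # leave with the alias as source, so the vendor never sees the overlapping address.
  run iptables -t nat -A POSTROUTING -s "$REAL_HOST" -d "$VENDOR_NET" \
      -j SNAT --to-source "$ALIAS_HOST"
  # Forwarding is limited to the vendor subnet and this one host, in both directions.
  run iptables -A FORWARD -s "$VENDOR_NET" -d "$REAL_HOST" \
      -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -s "$REAL_HOST" -d "$VENDOR_NET" \
      -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

nat_rules
```

Without a DROP policy on FORWARD the two ACCEPT rules only document the intended traffic; the actual restriction comes from whatever default policy the gateway already has.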

