[clug] IPSEC (racoon) - ip route and SNAT assistance

Neil Symons neil.symons at gmail.com
Mon Nov 2 01:43:58 UTC 2015


I was wondering if anyone could assist me in getting a VPN tunnel to work
with a specific vendor which requires our VPN endpoints to be public IP
addresses to go down an IPsec tunnel.

Let's say my site (call it Site-A) connects to another site (called Site-B).

Phase 1 is working fine.

I have two other systems which are not on the same subnet in the public IP
address space that need to go down this tunnel. However, they are on the same
subnet with their private IP addresses (

Site-B is fixed to only communicate with my public IP address (unable to
change this).

With some magic of ip route and iptables, I believe I can route traffic from
my machines under the public IP space to hop to the VPN private IP address
and be advertised with the public IP address as the src when entering the
I know that using an ip route <dest address> via <private VPN gw
address> src <my private IP address> would get the packet over,
and that some sort of iptables -t nat -s <IP1> -d <IP2> -j SNAT --to <IP3>
is needed to deliver the packet down the tunnel.

I was wondering if anyone wants to assist in getting things working for me?

I am hitting a wall, knowing there is an obvious solution, but I think I am
entering details wrong or going completely the wrong way about it.


Neil Symons
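Added worked example, not part of Neil's post or of any reply on the list: a
dry-run-capable sh script showing how the pieces asked about fit together on a
Linux gateway running racoon with a setkey SPD, an iptables SNAT rule in
nat/POSTROUTING and an ip route for the remote subnet. It relies on the kernel
evaluating nat/POSTROUTING before the outbound xfrm (IPsec) policy lookup,
which is why the SPD selectors below use the post-NAT source address. The
interface name, the function names and every address (RFC 5737 documentation
ranges) are constructed assumptions; phase 1 is not configured here because
the post says it already works.

```shell
#!/bin/sh
# Added example, not code from the original post or from the clug list.
# Installs the route, the SNAT rule, the FORWARD rules and the setkey SPD
# entries that let hosts on a second public range reach Site-B through the
# tunnel with Site-A's endpoint address as source.  Addresses are constructed
# RFC 5737 documentation values; replace them with your own.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 runs them as root.

SITE_A_PUBLIC=203.0.113.10     # Site-A endpoint, the only source Site-B accepts
SITE_B_PUBLIC=198.51.100.1     # Site-B endpoint
SITE_B_NET=198.51.100.0/24     # hosts behind Site-B that must be reachable
OTHER_PUBLIC_NET=192.0.2.0/28  # our hosts on a different public range
WAN_IF=eth0                    # interface carrying SITE_A_PUBLIC
WAN_GW=203.0.113.1             # upstream gateway on WAN_IF
DRY_RUN=${DRY_RUN:-1}

# run: echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Policy-based IPsec has no tunnel interface, so the route for the remote
# subnet only has to leave via the WAN side; the xfrm policy does the
# encapsulation.  It is only needed when the default route does not already
# go out of WAN_IF.  "src" is the preferred source for packets the gateway
# itself originates.
add_route() {
    run ip route replace "$SITE_B_NET" via "$WAN_GW" dev "$WAN_IF" src "$SITE_A_PUBLIC"
}

# nat/POSTROUTING is evaluated before the outbound IPsec policy lookup, so
# rewriting the source here is what makes a packet from OTHER_PUBLIC_NET
# match the SPD entry below and enter the tunnel as SITE_A_PUBLIC.
# Inserting at position 1 keeps it ahead of any generic MASQUERADE rule.
add_snat() {
    run iptables -t nat -I POSTROUTING 1 -s "$OTHER_PUBLIC_NET" -d "$SITE_B_NET" \
        -j SNAT --to-source "$SITE_A_PUBLIC"
}

# Forwarding in both directions.  The return rule only accepts packets that
# arrived through an IPsec SA (-m policy), so cleartext packets that merely
# claim a SITE_B_NET source are not forwarded.  Conntrack has already undone
# the SNAT by the time replies reach FORWARD, hence -d OTHER_PUBLIC_NET.
add_forward() {
    run iptables -I FORWARD 1 -s "$OTHER_PUBLIC_NET" -d "$SITE_B_NET" -j ACCEPT
    run iptables -I FORWARD 1 -s "$SITE_B_NET" -d "$OTHER_PUBLIC_NET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
}

# SPD for racoon/setkey.  Selectors use the post-NAT addresses: Site-B only
# ever sees SITE_A_PUBLIC, so that is the only local address in the policy.
# No spdflush here, so existing policies on the box are left alone.
spd_config() {
    cat <<EOF
spdadd ${SITE_A_PUBLIC}/32 ${SITE_B_NET} any -P out ipsec
    esp/tunnel/${SITE_A_PUBLIC}-${SITE_B_PUBLIC}/require;
spdadd ${SITE_B_NET} ${SITE_A_PUBLIC}/32 any -P in ipsec
    esp/tunnel/${SITE_B_PUBLIC}-${SITE_A_PUBLIC}/require;
EOF
}

# load_spd: feed the policy to setkey (setkey -c reads config from stdin).
load_spd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "setkey -c <<'EOF'"
        spd_config
        echo "EOF"
    else
        spd_config | setkey -c
    fi
}

apply_all() {
    add_route
    add_snat
    add_forward
    load_spd
}

apply_all
```

Run it as-is to see the commands, then as root with DRY_RUN=0 to apply them.
To check the result, confirm with iptables -t nat -L POSTROUTING -n -v
--line-numbers that the SNAT rule sits above any MASQUERADE rule, compare
setkey -DP (or ip xfrm policy) against the SNAT'd source address, and watch
tcpdump -ni eth0 esp while a host on the second public range sends traffic to
Site-B: if the counters on the SNAT rule climb but no ESP leaves, the policy
selector and the post-NAT source do not agree.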
