I want to do twice NAT.
Design is:
LAN - A 192.168.1.10/24 OpenSwan VPN Public IP 5.5.5.5 <------VPN-----> Public IP 6.6.6.6 Open Swan --- > LAN B 192.168.1.20/24
When I ping from source 192.168.1.10,
I want to change the source to 1.1.1.x/24
and the destination to 2.2.2.10/24.
So the machine in LAN A (192.168.1.10)
will ping destination 2.2.2.10
with source NAT IP 1.1.1.10,
and the packet will hit 192.168.1.20.
Due to the overlapping subnet I cannot put a route for 192.168.1.20
in the LAN routing table as it conflicts, so I want to ping a dummy IP 2.2.2.10,
and when the packet reaches the OpenSwan VPN box it makes the destination translation to 192.168.1.20.
So what would the NAT statement be on the Site A OpenSwan?
(Note: I don't have access to the site B OpenSwan, so all changes are required on the Site A OpenSwan.)
Best Answer
Is there a requirement for LAN A and LAN B to use the same subnet, or could that be changed?
I also sincerely hope the 1.1.xx and 2.2.xx IPs you give are purely illustrative - in the real world, you would want to use RFC1918 addresses.
On a basic level, what you describe is applying both Source and Destination NAT, i.e. SNAT and DNAT.
So in theory, the below should work:
Unfortunately, if you do not have access to site B's VPN server, then this will not work.
And the reason it will not work is that while the machine on LAN A is trying to reach 1.1.1.10, your LAN A VPN server needs to translate that back to 192.168.1.20. There is also the issue of what LAN B's VPN server should do with the 1.1.1.10 source IP - you would need routing in place for the packet to be sent back to its originator, and it seems (to me) a whole lot simpler to just have LAN A use 10.1.1.1/24
And as you have mentioned, you can't make your LAN A VPN server route correctly to 192.168.1.20, because your LAN A VPN server believes that subnet to be local to it.
Adding a specific route might help (e.g. ip r add 192.168.1.20/32 via IP), but this all sounds a little brittle - I would have thought a much more workable solution would be to split your /24, and assign a /25 on either side of your VPN (if you must maintain the same LAN IPs on both ends).
So I would tend to think your best bet is trying to change LAN A.
A different /24 from B's would work, and it would also work to have a /25 on either side of the tunnel.
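As an added example (not the answer's own rules, which are missing from the page), the following script prints, or with APPLY=1 applies, the iptables NETMAP rules for the source and destination NAT the question describes on the site A box. The addresses are the ones from the question; the conntrack match on the original destination is an assumption of this example, chosen so that only traffic aimed at the dummy prefix is rewritten.

```shell
#!/bin/sh
# Example added to this page, not from the answer or the OpenSwan project.
# Generates the two nat-table rules for the "twice NAT" on site A.
# NETMAP keeps the host part of the address, so 192.168.1.10 -> 1.1.1.10
# and 2.2.2.10 -> 192.168.1.20, which is the mapping the question asks for.
# Dry run by default: rules are printed, and only applied when APPLY=1.

LAN_A="192.168.1.0/24"       # real LAN A prefix (overlaps with LAN B)
SNAT_NET="1.1.1.0/24"        # how LAN A hosts appear inside the tunnel
DUMMY_NET="2.2.2.0/24"       # dummy prefix LAN A hosts use to reach LAN B
REMOTE_LAN="192.168.1.0/24"  # real LAN B prefix, as carried through the tunnel

# Print one iptables rule, or run it when APPLY=1 is set (needs root).
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

twice_nat_rules() {
    # 1. Destination NAT first (PREROUTING): 2.2.2.x becomes 192.168.1.x.
    rule -t nat -A PREROUTING -s "$LAN_A" -d "$DUMMY_NET" -j NETMAP --to "$REMOTE_LAN"
    # 2. Source NAT last (POSTROUTING): 192.168.1.x becomes 1.1.1.x, but only
    #    for connections whose original destination was the dummy prefix, so
    #    other traffic through the box is left alone. POSTROUTING runs before
    #    ESP encapsulation, so the site A IPsec policy has to use
    #    leftsubnet=1.1.1.0/24, and site B must accept that prefix as the
    #    remote subnet (the part you cannot change, as the answer points out).
    rule -t nat -A POSTROUTING -s "$LAN_A" -m conntrack --ctorigdst "$DUMMY_NET" \
         -j NETMAP --to "$SNAT_NET"
    # Replies are un-NATed by conntrack automatically; connections initiated
    # from LAN B towards 1.1.1.x would need the mirror rules, not shown here.
}

twice_nat_rules
```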