[Openswan Users] Kernel 2.6 + IPSEC + SNAT

alain sabban alain.sabban at wanadoo.fr
Sun Apr 18 18:12:27 CEST 2004


This is to share my experience.

For several years I've had a working IPSEC connection from home to my company's 
office. Currently at home I have an ADSL connection plus a Wifi router, and I'm 
running Mdk 9.2 (kernel 2.4.22) + superfreeswan 1.99. In order to access my 
company's network (x.y.0.0/16) I had to have an iptables rule:

iptables -t nat -A POSTROUTING  -d x.y.0.0/16 -j SNAT --to-source virtual-IP

To access my company network I have to SNAT all packets to a virtual-IP that 
is routed in the company's network.

Recently, I've installed Mdk 10 Community, which is based on kernel 2.6.3. I've 
installed openswan 2.1.1, modified my ipsec.conf a bit, and fixed the "modprobe 
modules" bug in _startklips (test -f instead of test -d) thanks to people in the 
#openswan freenode irc channel. Finally I was successful in establishing the 
ipsec tunnel, but there was no way to do anything: no ping, nothing.

There are several long threads in the netfilter mailing list about problems 
with kernel 2.6 + IPSEC + SNAT (see 
http://www.uwsg.iu.edu/hypermail/linux/net/0310.0/0005.html). From what I 
understand, the problem is mainly due to the disappearance of the ipsecX 
devices in ipsec native code in kernel 2.6. It seems a patch is currently 
under testing !? Does anybody know more on that ?

The first thing I wanted was to make sure that my problem is really that one. 
So here is what I did:
0/ Removed the SNAT iptables rule
1/ I configured a virtual device. For me wlan0:1
2/ I gave the virtual-IP address to this device
3/ I enabled ip_forward
4/ Once my IPSEC tunnel is up, I sent pings like :
ping -I virtual-IP x.y.a.b
5/ Ping responses are received !

Finally I use this workaround (virtual IP) in my ipsec.conf. I've changed the 
following lines:
interfaces=%defaultroute  ->  interfaces="ipsec0=wlan0:1"
right=%defaultroute       ->  right=ip.of.wlan0 (not wlan0:1 !)

With that, when the tunnel is established, I have to manually add the route 
(the _updown script does not add it!?):
route add -net x.y.0.0 netmask 255.255.0.0 dev wlan0:1

Hope this helps / AS
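The following script is an added example that is not part of the original post and not Openswan's own code: it scripts the virtual-IP workaround described above (drop the SNAT rule, bring up the alias device with the virtual IP, enable forwarding, add the route to the remote /16, then ping with the virtual IP as source) and derives the dotted netmask that route(8) needs from the CIDR prefix used in the iptables rule. Interface names, the virtual IP, the remote network (placeholder for x.y.0.0/16) and the test host are assumptions; override them through the environment. With no argument or `--dry-run` it only prints the commands, so it can be inspected before running as root with `--apply`.

```shell
#!/bin/sh
# Added example (not from the original post). Replaces the manual steps
# 0-5 of the post with a repeatable script. All addresses below are
# placeholders; set PHYS_IF, VIRTUAL_IP, REMOTE_NET, REMOTE_HOST to match.
set -eu

PHYS_IF="${PHYS_IF:-wlan0}"                 # interface the IPsec tunnel rides on
ALIAS_IF="${ALIAS_IF:-$PHYS_IF:1}"          # virtual device that owns the virtual IP
VIRTUAL_IP="${VIRTUAL_IP:-10.9.8.7}"        # assumed: the company-routed virtual IP
REMOTE_NET="${REMOTE_NET:-172.16.0.0/16}"   # assumed: placeholder for x.y.0.0/16
REMOTE_HOST="${REMOTE_HOST:-172.16.1.1}"    # assumed: placeholder for x.y.a.b
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands only

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Convert a CIDR prefix length to a dotted netmask, e.g. 16 -> 255.255.0.0.
# route(8) wants a netmask, while the iptables rule in the post used /16.
prefix_to_netmask() {
    p=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then
            o=255; p=$((p - 8))
        elif [ "$p" -gt 0 ]; then
            o=$((256 - (1 << (8 - p)))); p=0
        else
            o=0
        fi
        mask="${mask}${mask:+.}$o"
    done
    echo "$mask"
}

# Build the route(8) command the post says must be added by hand.
# route_cmd NET/PREFIX DEVICE
route_cmd() {
    net=${1%/*}; prefix=${1#*/}
    echo "route add -net $net netmask $(prefix_to_netmask "$prefix") dev $2"
}

# The workaround, in the order of the post's steps 0 to 5.
setup() {
    # 0/ remove the SNAT rule (ignore failure if it was never added)
    run iptables -t nat -D POSTROUTING -d "$REMOTE_NET" \
        -j SNAT --to-source "$VIRTUAL_IP" || true
    # 1/ + 2/ virtual device carrying the virtual IP (host route only)
    run ifconfig "$ALIAS_IF" "$VIRTUAL_IP" netmask 255.255.255.255 up
    # 3/ enable forwarding
    run sysctl -w net.ipv4.ip_forward=1
    # route to the remote network via the alias device (word splitting intended)
    run $(route_cmd "$REMOTE_NET" "$ALIAS_IF")
    # 4/ + 5/ ping with the virtual IP as source; replies prove the path works
    run ping -c 3 -I "$VIRTUAL_IP" "$REMOTE_HOST"
}

case "${1:-}" in
    --apply)   DRY_RUN=0; setup ;;
    --dry-run) DRY_RUN=1; setup ;;
esac
```

The alias device form (`wlan0:1`, `ifconfig`, `route`) matches the tools used in the post; `ip addr add VIRTUAL_IP/32 dev wlan0` and `ip route add REMOTE_NET dev wlan0` do the same job with iproute2. Run the ping step after the tunnel is up, since before that the packets would leave the box in the clear or be dropped.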
