[Openswan Users] Kernel 2.6 + IPSEC + SNAT
alain sabban
alain.sabban at wanadoo.fr
Sun Apr 18 18:12:27 CEST 2004
Hi,
This is to share my experience.
For several years I've a working IPSEC connection from home to my company's
office. Currently at home, I have an ADSL connection + a Wifi router and I'm
running Mdk 9.2 (kernel 2.4.22) + superfreeswan 1.99. In order to access my
company's network (x.y.0.0) I had to have an iptable rule :
iptables -t nat -A POSTROUTING -d x.y.0.0/16 -j SNAT --to-source virtual-IP
To access my company network I have to snat all packets to a virtual-IP that
is routed in the company's network.
Recently, I've installed Mdk 10 Community which is based on kernel 2.6.3. I've
installed openswan 2.1.1, modified a bit my ipsec.conf, fixed the "modprobe
modules" bug in _startklips (test -f instead of test -d) thanks to people in
#openswan freenode irc channel. Finally I was successfull to establish the
ipsec tunnel, but no way to do anything : no ping, nothing.
There are several long threads in the netfilter mailing list about problems
with kernel 2.6 + IPSEC + SNAT (see
http://www.uwsg.iu.edu/hypermail/linux/net/0310.0/0005.html). From what I
understand, the problem is mainly due to the disappearance of the ipsecX
devices in ipsec native code in kernel 2.6. It seems a patch is currently
under testing !? Does anybody know more on that ?
The first thing I wanted is to make sure that my problem is really that one.
So here is what I did :
0/ Removed the SNAT iptables rule
1/ I configured a virtual device. For me wlan0:1
2/ I gave the virtual-IP address to this device
3/ I enabled ip_forward
4/ Once my IPSEC tunnel is up, I sent pings like :
ping -I virtual-IP x.y.a.b
5/ Ping responses are received !
Finally I use this workaround (virtual ip) in my ipsec.conf. I've changed the
following lines :
interfaces=%defaultroute by interfaces="ipsec0=wlan0:1"
right=%defaultroute by right=ip.of.wlan0 (not wlan0:1 !)
With that, when the tunnel is established, I have to manually add the route
(the _updown script does not add it !?):
route add -net x.y.0.0 netmask 255.255.0.0 dev wlan0:1
Hope this helps / AS
More information about the Users
mailing list