[Openswan Users] Kernel 2.6 + IPSEC + SNAT
Ken Bantoft
ken at xelerance.com
Mon Apr 19 02:11:07 CEST 2004
Thanks for posting this, it helps clean up some of the 2.6 confusion.
A few additional comments that might help make things easier:
Openswan 2.1.1 and higher have leftsourceip=x.x.x.x as an option,
which will do some iproute2 magic by adding the alias to your default
route device, which might make some of the additional work you did around
wlan0:1 no longer required.
I do something like this:
conn me-to-office
left=%defaultroute
leftsubnet=10.0.0.125/32
leftsourceip=10.0.0.125
right=1.2.3.4
rightsubnet=10.0.0.0/24
...
And Openswan assigns the IP to whatever my defaultroute interface is, and
does the routing magic to make this work as well. I don't know if this
will work on 2.6 - perhaps the _updown script needs tweaking to do the
setkey calls for this.
On Sun, 18 Apr 2004, alain sabban wrote:
> Hi,
>
> This is to share my experience.
>
> For several years I've had a working IPSEC connection from home to my company's
> office. Currently at home, I have an ADSL connection + a Wifi router and I'm
> running Mdk 9.2 (kernel 2.4.22) + superfreeswan 1.99. In order to access my
> company's network (x.y.0.0) I had to have an iptables rule:
>
> iptables -t nat -A POSTROUTING -d x.y.0.0/16 -j SNAT --to-source virtual-IP
>
> To access my company network I have to snat all packets to a virtual-IP that
> is routed in the company's network.
>
> Recently, I've installed Mdk 10 Community which is based on kernel 2.6.3. I've
> installed openswan 2.1.1, modified a bit my ipsec.conf, fixed the "modprobe
> modules" bug in _startklips (test -f instead of test -d) thanks to people in
> #openswan freenode irc channel. Finally I was successful in establishing the
> ipsec tunnel, but no way to do anything: no ping, nothing.
>
> There are several long threads in the netfilter mailing list about problems
> with kernel 2.6 + IPSEC + SNAT (see
> http://www.uwsg.iu.edu/hypermail/linux/net/0310.0/0005.html). From what I
> understand, the problem is mainly due to the disappearance of the ipsecX
> devices in ipsec native code in kernel 2.6. It seems a patch is currently
> under testing!? Does anybody know more on that?
>
> The first thing I wanted was to make sure that my problem is really that one.
> So here is what I did:
> 0/ Removed the SNAT iptables rule
> 1/ I configured a virtual device. For me wlan0:1
> 2/ I gave the virtual-IP address to this device
> 3/ I enabled ip_forward
> 4/ Once my IPSEC tunnel is up, I sent pings like:
> ping -I virtual-IP x.y.a.b
> 5/ Ping responses are received!
>
> Finally I use this workaround (virtual ip) in my ipsec.conf. I've changed the
> following lines:
> interfaces=%defaultroute by interfaces="ipsec0=wlan0:1"
> right=%defaultroute by right=ip.of.wlan0 (not wlan0:1 !)
>
> With that, when the tunnel is established, I have to manually add the route
> (the _updown script does not add it!?):
> route add -net x.y.0.0 netmask 255.255.0.0 dev wlan0:1
>
> Hope this helps / AS
--
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
sip://toronto.xelerance.com http://www.xelerance.com
The future is here. It's just not evenly distributed yet.
-- William Gibson
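Added example, not code from either poster or from Openswan itself: a small POSIX shell script that does by hand what Alain's steps 1, 2 and the manual `route add` do, using iproute2 instead of ifconfig aliases, and then checks with `ip route get` that the kernel will actually pick the virtual IP as source before any ping is sent. The addresses (10.0.0.125 as the virtual IP, 10.0.0.0/24 as the office network, 192.168.1.x for the home LAN) are constructed samples taken from or modelled on Ken's conn block; the thread only says leftsourceip does "iproute2 magic", so the exact commands below are an assumption about one equivalent, not a description of what Openswan's _updown runs. With DRY_RUN=1 (the default) it only prints the commands; run it as root with DRY_RUN=0 RUN_SETUP=1 to apply them.

```shell
#!/bin/sh
# Added example (not from the thread or Openswan). Puts a virtual IP on the
# default-route device and pins it as the source address for the office
# subnet, which is what the thread's wlan0:1 + "route add" workaround did.
# Assumed/constructed values: VIRTUAL_IP, OFFICE_NET and the sample route text.

VIRTUAL_IP="${VIRTUAL_IP:-10.0.0.125}"   # constructed: leftsourceip in Ken's conn
OFFICE_NET="${OFFICE_NET:-10.0.0.0/24}"   # constructed: rightsubnet in Ken's conn
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = execute them

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Device of the default route, parsed from `ip route show` text passed in $1
# (passing text instead of calling ip directly keeps this testable offline).
default_route_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Gateway of the default route from the same text; empty for gateway-less links.
default_route_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Source address the kernel reports in `ip route get` text passed in $1.
chosen_src() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Add the virtual IP as a /32 on the default-route device and a route to the
# office net that selects it as source. $1 = device, $2 = gateway (may be empty).
setup_source_ip() {
    dev="$1"; gw="$2"
    run ip addr add "$VIRTUAL_IP/32" dev "$dev"
    if [ -n "$gw" ]; then
        run ip route replace "$OFFICE_NET" via "$gw" dev "$dev" src "$VIRTUAL_IP"
    else
        run ip route replace "$OFFICE_NET" dev "$dev" src "$VIRTUAL_IP"
    fi
}

# The check to do before pinging: does the kernel pick VIRTUAL_IP as source
# for a host $1 in the office net? Returns 0 on yes, 1 otherwise.
check_source_ip() {
    out="$(ip route get "$1" 2>/dev/null)" || return 1
    [ "$(chosen_src "$out")" = "$VIRTUAL_IP" ]
}

main() {
    routes="$(ip route show)" || { echo "ip route show failed" >&2; return 1; }
    dev="$(default_route_dev "$routes")"
    [ -n "$dev" ] || { echo "no default route found" >&2; return 1; }
    setup_source_ip "$dev" "$(default_route_gw "$routes")"
    if [ "$DRY_RUN" != 1 ]; then
        # 10.0.0.1 is a constructed sample host inside OFFICE_NET.
        check_source_ip 10.0.0.1 && echo "source address ok: $VIRTUAL_IP" \
            || { echo "kernel would not use $VIRTUAL_IP as source" >&2; return 1; }
    fi
}

if [ "${RUN_SETUP:-0}" = 1 ]; then main; fi
```

The `src` check is the useful part: if `ip route get` for an office host does not report the virtual IP, traffic will leave with the interface's real address and, as in Alain's first attempt, never match the tunnel's selectors. When leftsourceip works on your kernel, Openswan sets this up itself and the script is unnecessary.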