[Openswan Users] Kernel 2.6 + IPSEC + SNAT
ken at xelerance.com
Mon Apr 19 02:11:07 CEST 2004
Thanks for posting this, it helps clean up some of the 2.6 confusion.
A few additional comments, that might help make things easier:
Openswan 2.1.1 and higher have leftsourceip=x.x.x.x as an option,
which will do some iproute2 magic by adding the alias to your default
route device, which might make some of the additional work you did around
wlan0:1 no longer required.
I do something like this:
And Openswan assigns the IP to whatever my defaultroute interface is, and
does the routing magic to make this work as well. I don't know if this
will work on 2.6 - perhaps the _updown script needs tweaking to do the
setkey calls for this.
On Sun, 18 Apr 2004, alain sabban wrote:
> This is to share my experience.
> For several years I've a working IPSEC connection from home to my company's
> office. Currently at home, I have an ADSL connection + a Wifi router and I'm
> running Mdk 9.2 (kernel 2.4.22) + superfreeswan 1.99. In order to access my
> company's network (x.y.0.0) I had to have an iptable rule :
> iptables -t nat -A POSTROUTING -d x.y.0.0/16 -j SNAT --to-source virtual-IP
> To access my company network I have to snat all packets to a virtual-IP that
> is routed in the company's network.
> Recently, I've installed Mdk 10 Community which is based on kernel 2.6.3. I've
> installed openswan 2.1.1, modified a bit my ipsec.conf, fixed the "modprobe
> modules" bug in _startklips (test -f instead of test -d) thanks to people in
> #openswan freenode irc channel. Finally I was successfull to establish the
> ipsec tunnel, but no way to do anything : no ping, nothing.
> There are several long threads in the netfilter mailing list about problems
> with kernel 2.6 + IPSEC + SNAT (see
> http://www.uwsg.iu.edu/hypermail/linux/net/0310.0/0005.html). From what I
> understand, the problem is mainly due to the disappearance of the ipsecX
> devices in ipsec native code in kernel 2.6. It seems a patch is currently
> under testing !? Does anybody know more on that ?
> The first thing I wanted is to make sure that my problem is really that one.
> So here is what I did :
> 0/ Removed the SNAT iptables rule
> 1/ I configured a virtual device. For me wlan0:1
> 2/ I gave the virtual-IP address to this device
> 3/ I enabled ip_forward
> 4/ Once my IPSEC tunnel is up, I sent pings like :
> ping -I virtual-IP x.y.a.b
> 5/ Ping responses are received !
> Finally I use this workaround (virtual ip) in my ipsec.conf. I've changed the
> following lines :
> interfaces=%defaultroute by interfaces="ipsec0=wlan0:1"
> right=%defaultroute by right=ip.of.wlan0 (not wlan0:1 !)
> With that, when the tunnel is established, I have to manually add the route
> (the _updown script does not add it !?):
> route add -net x.y.0.0 netmask 255.255.0.0 dev wlan0:1
> Hope this helps / AS
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
The future is here. It's just not evenly distributed yet.
-- William Gibson
More information about the Users