[Openswan Users] NAT-T and netfilter

Clive A Stubbings openswan at vjet.demon.co.uk
Mon Aug 16 02:33:03 CEST 2004


I'm seeing some strange problems trying to NAT traffic out
of my system.

Basically I'm using NAT-T to get all my traffic going out via UDP
port 500. It works fine, except when there is a broken gateway
in the path. What I used to do was just SNAT/DNAT the traffic onto
other ports at this end and back at my server - under superfreeswan
on a 2.4 kernel that was fine.

In openswan on a 2.6 kernel the local NAT operations don't seem to work. It
looks like the encapsulated data does not get stuffed back into the
stack in the right place - or the kernel thinks it's already been through
the netfilter tables...

The initial tunnel setup works fine. SNAT and DNAT move my source
and dest port to elsewhere and the tunnel is negotiated.

But traffic down the tunnel does not seem to go through the NAT rules
correctly after it's encapsulated.

DNAT (in the OUTPUT table) does not seem to happen at all and SNAT (in
the POSTROUTING table) does work outbound but seems to fail to do the
reverse translation inbound.

Any thoughts?

As an aside, this all used to be so clear when there were 2 devices
(eth0/ipsec0). I could see the data before it got tunnelled and after.
Is there any way to still do that? i.e. I used to be able to have 2
ethereals running - one showing the packet at each stage...


Cheers
Clive
