[Openswan Users] Tunnels come up, but not all traffic goes through

Jacco de Leeuw jacco2 at dds.nl
Sat Jun 12 01:28:28 CEST 2004


Nate Carlson wrote:
> Just for the sake of reference, how would you, for example, tag all data 
> that is coming in via IPSec and going out to your internal network (eth1)? 
> With klips, it's easy: iptables -I FORWARD -i ipsec0 -o eth1 <...>

There is a similar problem with L2TP-over-IPsec. I prefer not having
the L2TP daemon listen on the external interface. Should IPsec or the
firewall be down for some reason, then the L2TP server would be exposed.

For this reason I use the 'listen-addr' parameter so that l2tpd
only listens on an internal interface (say, 192.168.1.98). Then I
set up a NAT rule like this:

iptables -t nat --append PREROUTING -i ipsec0 -p udp --sport 1701 \
  --dport 1701 -j DNAT --to-destination 192.168.1.98

Only L2TP packets coming through the IPsec tunnel will arrive at
the L2TP daemon. But this won't work with 26sec, because there is no
ipsec0. I tried the following but this did not work (icmp udp port 1701
unreachable):

iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
iptables -t nat -A PREROUTING -m mark --mark 1 -i eth0 -p udp \
   --sport 1701 --dport 1701 -j DNAT --to-destination 192.168.1.98

The situation might be even more difficult with NAT-Traversal (additional
encapsulation in UDP 4500). Does anyone know a solution to this problem?
Herbert perhaps?

Thanks,
   Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
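An added example, not from the thread: the same "only L2TP that came through the tunnel reaches l2tpd" policy for a 26sec/xfrm host, where there is no ipsec0 and a mark set on the ESP packet is gone by the time the decapsulated UDP/1701 packet is seen. It goes beyond the post by using the netfilter policy match (xt_policy), which tests whether the decapsulated packet arrived under an IPsec SA; it assumes an iptables build that has that match, and eth0 / 192.168.1.98 are taken from the post.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Restrict the L2TP daemon to
# traffic that arrived through an IPsec SA on a host without an ipsec0 device.
# Marking ESP packets does not work because the mark is lost on decapsulation;
# the policy match instead inspects the decapsulated packet's IPsec history.
# Assumes iptables with xt_policy; interface and address follow the post.
EXT_IF="${EXT_IF:-eth0}"                 # external interface
L2TP_ADDR="${L2TP_ADDR:-192.168.1.98}"   # l2tpd 'listen-addr' on the internal side

# Emit the rules without applying them, so they can be reviewed or tested.
l2tp_ipsec_rules() {
    ext_if="$1"; l2tp_addr="$2"
    # NAT: only UDP/1701 that was decapsulated from an ESP SA is redirected to
    # l2tpd. '--pol ipsec --proto esp' also covers NAT-T (ESP in UDP/4500),
    # because the SA protocol is still ESP after UDP decapsulation.
    printf '%s\n' "iptables -t nat -A PREROUTING -i $ext_if -m policy --dir in --pol ipsec --proto esp -p udp --sport 1701 --dport 1701 -j DNAT --to-destination $l2tp_addr"
    # Filter: the DNATed address is local, so the packet enters INPUT. Accept it
    # only when it was IPsec-protected ...
    printf '%s\n' "iptables -A INPUT -i $ext_if -m policy --dir in --pol ipsec --proto esp -p udp --dport 1701 -d $l2tp_addr -j ACCEPT"
    # ... and drop UDP/1701 that arrived in the clear on the external interface.
    printf '%s\n' "iptables -A INPUT -i $ext_if -m policy --dir in --pol none -p udp --dport 1701 -j DROP"
}

# Print the rules by default; APPLY=1 pipes them to sh to install them (root).
if [ "${APPLY:-0}" = 1 ]; then
    l2tp_ipsec_rules "$EXT_IF" "$L2TP_ADDR" | sh -e
else
    l2tp_ipsec_rules "$EXT_IF" "$L2TP_ADDR"
fi
```

Verify the result with `iptables -t nat -L PREROUTING -v` and `iptables -L INPUT -v`: the DNAT counter should increase only for clients connected over IPsec, while cleartext UDP/1701 probes from outside hit the DROP rule.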