[Openswan Users] Kernel 2.6 + SNAT + IPSEC : ok

alain sabban alain.sabban at wanadoo.fr
Tue Jun 29 23:09:19 CEST 2004


Hi,

This is to share my experience, and it is a final word, since it finally works.

Please refer to 
http://lists.openswan.org/pipermail/users/2004-April/000596.html  for the 
beginning of the story.

Recently I've migrated to SuSE 9.1. Two weeks ago, SuSE released kernel 
2.6.5, which includes the patches: ipsec-01-output-hooks, 
ipsec-02-input-hooks, ipsec-03-policy-lookup, ipsec-04-policy-checks (as 
pointed out by Alexander Samad). These patches allow SNATing of packets before 
they enter the IPsec tunnel (well, at least this is what I understand :).

So finally it works: I can have, at the same time, IPsec tunnels and an Internet 
connection with just one interface (wlan0 in my case). Here is what I did:
- removed the wlan0:1 virtual interface (wlan0 is the only interface for 
normal and encrypted packets)
- put back interfaces=%defaultroute in the ipsec.conf file
- re-installed the SNAT rules, like:
iptables -t nat -A POSTROUTING  -d x.y.0.0/16 -j SNAT --to-source virtual-IP
- inserted leftsourceip=virtual-IP in the ipsec.conf connection descriptions, as 
Ken Bantoft said
- I still have to set up the route to the private network manually:
route add -net x.y.0.0 netmask 255.255.0.0 (no wlan0:1 device anymore)
- tcpdump now shows ESP packets

Hope this helps / AS
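The steps listed in the post above, as an added example that is not code from the original post or from Openswan itself: a POSIX shell script that assembles the SNAT rule, the ipsec.conf fragment with leftsourceip and the route command from parameters, and adds the check a practitioner would want, that the SNAT rule for the remote network is not shadowed by an earlier MASQUERADE or catch-all SNAT rule in the nat POSTROUTING chain (nat chains are first-match). All addresses, the interface name and the "vpn" conn name are constructed placeholders standing in for the post's x.y.0.0/16 and virtual-IP; the two rule listings are constructed in `iptables -S` format, not captured from a real host.

```shell
#!/bin/sh
# Added example, not the original poster's script. Placeholders (assumptions):
REMOTE_NET="10.2.0.0/16"      # the post's x.y.0.0/16
REMOTE_MASK="255.255.0.0"
VIRTUAL_IP="192.168.100.1"    # the post's virtual-IP
REMOTE_GW="203.0.113.1"       # remote IPsec gateway (assumed)
IFACE="wlan0"

# SNAT rule for traffic bound for the remote private network. "-I ... 1" puts
# it at the head of POSTROUTING so a later catch-all MASQUERADE cannot match
# first; the post's "-A" is fine only when no MASQUERADE/SNAT rule precedes it.
snat_rule() {
    printf 'iptables -t nat -I POSTROUTING 1 -d %s -j SNAT --to-source %s' "$1" "$2"
}

# Route to the private network, in the form the post used (no device given).
route_cmd() {
    printf 'route add -net %s netmask %s' "${1%/*}" "$2"
}

# ipsec.conf fragment: interfaces=%defaultroute in config setup and
# leftsourceip=virtual-IP in the conn, as the post describes.
# $1 conn name, $2 virtual IP, $3 remote gateway, $4 remote subnet
conn_fragment() {
    cat <<EOF
config setup
    interfaces=%defaultroute

conn $1
    left=%defaultroute
    leftsourceip=$2
    right=$3
    rightsubnet=$4
    auto=start
EOF
}

# Check, from the output of `iptables -t nat -S POSTROUTING`, that a SNAT rule
# for the remote net appears before any MASQUERADE or catch-all SNAT rule.
# Returns 0 when the SNAT rule is effective, 1 when it is shadowed or absent.
check_snat_order() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /-j SNAT/ && index($0, "-d " net) { found = 1; exit }
        /-j MASQUERADE/ || (/-j SNAT/ && !/-d /) { bad = 1; exit }
        END { exit (found && !bad) ? 0 : 1 }'
}

# Constructed listings (not captured from a real host).
LISTING_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -d 10.2.0.0/16 -j SNAT --to-source 192.168.100.1
-A POSTROUTING -o wlan0 -j MASQUERADE'

LISTING_BAD='-P POSTROUTING ACCEPT
-A POSTROUTING -o wlan0 -j MASQUERADE
-A POSTROUTING -d 10.2.0.0/16 -j SNAT --to-source 192.168.100.1'

# Stand-alone demo: print what would be applied, then run the ordering check.
echo "# commands to apply:"
snat_rule "$REMOTE_NET" "$VIRTUAL_IP"; echo
route_cmd "$REMOTE_NET" "$REMOTE_MASK"; echo
echo
echo "# ipsec.conf fragment:"
conn_fragment vpn "$VIRTUAL_IP" "$REMOTE_GW" "$REMOTE_NET"
echo
for listing in "$LISTING_OK" "$LISTING_BAD"; do
    if check_snat_order "$listing" "$REMOTE_NET"; then
        echo "SNAT rule for $REMOTE_NET is effective"
    else
        echo "SNAT rule for $REMOTE_NET is shadowed or missing"
    fi
done
```

On a live host the check is run as `check_snat_order "$(iptables -t nat -S POSTROUTING)" "$REMOTE_NET"`; if it fails, delete the rule and re-add it with `-I POSTROUTING 1`, otherwise packets to the remote network leave with the wlan0 address and never match the tunnel's source selector.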

