[Openswan Users] Kernel 2.6 + SNAT + IPSEC : ok
alain sabban
alain.sabban at wanadoo.fr
Tue Jun 29 23:09:19 CEST 2004
Hi,
This is to share my experience and is a final word since finally it works.
Please refer to
http://lists.openswan.org/pipermail/users/2004-April/000596.html for the
beginning of the story.
Recently I've migrated to SuSE 9.1. Two weeks ago, SuSE has released kernel
2.6.5, which includes the patches : ipsec-01-output-hooks,
ipsec-02-input-hooks, ipsec-03-policy-lookup, ipsec-04-policy-checks (as
pointed by Alexander Samad). These patches allow "snating" of packets before
they enter the ipsec tunnel (well, at least this is what I understand :).
So finally it works : I can have in the same time, IPSEC tunnels and Internet
connection with just one interface (wlan0 in my case). Here is what I did :
- removed the wlan0:1 virtual interface (wlan0 is the only interface for
normal and encrypted packets)
- put back interfaces=%defaultroute in ipsec.conf file
- re-installed the SNAT rules like :
iptables -t nat -A POSTROUTING -d x.y.0.0/16 -j SNAT --to-source virtual-IP
- inserted in ipsec.conf connections descriptions : leftsourceip=virtual-IP as
said by Ken Bantoft
- Still have to set up manually the route to private network :
route add -net x.y.0.0 netmask 255.255.0.0 (no device wlan0:1 anymore)
- tcpdump now shows ESP packets
Hope this helps / AS
More information about the Users
mailing list