[Openswan Users] Kernel 2.6 + SNAT + IPSEC : ok

Alexander Samad alex at samad.com.au
Wed Jun 30 12:17:18 CEST 2004


On Tue, Jun 29, 2004 at 10:09:19PM +0200, alain sabban wrote:
> Hi,
> 
> This is to share my experience and is a final word since finally it works.
> 
> Please refer to 
> http://lists.openswan.org/pipermail/users/2004-April/000596.html  for the 
> beginning of the story.
> 
> Recently I've migrated to SuSE 9.1. Two weeks ago, SuSE has released kernel 
> 2.6.5, which includes the patches : ipsec-01-output-hooks,  
> ipsec-02-input-hooks,  ipsec-03-policy-lookup, ipsec-04-policy-checks (as 
> pointed by Alexander Samad). These patches allow "snating" of packets before 
> they enter the ipsec tunnel (well, at least this is what I understand :).
> 
> So finally it works: I can have, at the same time, IPSEC tunnels and Internet 
> connection with just one interface (wlan0 in my case). Here is what I did:
> - removed the wlan0:1 virtual interface (wlan0 is the only interface for 
> normal and encrypted packets)
> - put back interfaces=%defaultroute in ipsec.conf file
> - re-installed the SNAT rules like :
> iptables -t nat -A POSTROUTING  -d x.y.0.0/16 -j SNAT --to-source virtual-IP
> - inserted in ipsec.conf connections descriptions : leftsourceip=virtual-IP as 
> said by Ken Bantoft
> - Still have to set up manually the route to private network :
> route add -net x.y.0.0 netmask 255.255.0.0 (no device wlan0:1 anymore)

I use leftupdown=/etc/ipsec.d/scripts/myrouting.sh in my conns script
and then capture certain events to add firewall rules in the right place.

I have placed chains in the filter table and placed the right hooks in the
FORWARD and INPUT tables. All the dynamic info goes into the IPSEC
table.

Email me off list if you would like a copy of the script (it also passes
on to the original updown script).

> - tcpdump now shows ESP packets
> 
> Hope this helps / AS
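Below is an added example of the kind of leftupdown wrapper described in this thread; it is not Alexander's script and not part of Openswan. Pluto runs the updown script once per tunnel event with PLUTO_VERB, PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT, PLUTO_PEER and (assumed here, for the leftsourceip address) PLUTO_MY_SOURCEIP in the environment. The wrapper turns the up-client/down-client events into rules in a dedicated IPSEC chain (assumed to be created and hooked into FORWARD and INPUT at boot) plus the SNAT rule from the original post, and then hands over to the stock _updown (path assumed) so routing keeps working. The rule text is built in a function that only prints commands, so it can be checked with DRY_RUN=1 before it ever touches iptables.

```shell
#!/bin/sh
# Hypothetical leftupdown wrapper for Openswan (added example, not the poster's
# script). Pluto invokes it with PLUTO_* variables set, once per tunnel event.

IPSEC_CHAIN=${IPSEC_CHAIN:-IPSEC}                  # chain name, as in the post
ORIG_UPDOWN=${ORIG_UPDOWN:-/usr/lib/ipsec/_updown} # assumed path of stock script
DRY_RUN=${DRY_RUN:-0}                              # 1 = print, do not execute

# Print the iptables commands for one Pluto event.
# Args: verb peer_net my_net source_ip peer_gateway
# Only up-client / down-client produce rules; every other verb prints nothing,
# so "prepare-*" and "route-*" events never add or remove anything.
fw_rules() {
    verb=$1 peer_net=$2 my_net=$3 src_ip=$4 peer_gw=$5
    case "$verb" in
        up-client)   op=-A ;;
        down-client) op=-D ;;
        *)           return 0 ;;
    esac
    # Control traffic from this peer gateway only: IKE (UDP 500) and ESP.
    echo "iptables $op $IPSEC_CHAIN -p udp -s $peer_gw --dport 500 -j ACCEPT"
    echo "iptables $op $IPSEC_CHAIN -p esp -s $peer_gw -j ACCEPT"
    # Forwarded traffic between exactly the two protected networks.
    echo "iptables $op $IPSEC_CHAIN -s $my_net -d $peer_net -j ACCEPT"
    echo "iptables $op $IPSEC_CHAIN -s $peer_net -d $my_net -j ACCEPT"
    # The SNAT from the thread: rewrite to the virtual address before the packet
    # reaches the IPsec policy, so it matches the tunnel's source selector.
    if [ -n "$src_ip" ]; then
        echo "iptables -t nat $op POSTROUTING -d $peer_net -j SNAT --to-source $src_ip"
    fi
}

# Apply the rules for the current event, then pass control to the stock
# _updown so it can still install the route for the remote network.
updown_main() {
    fw_rules "$PLUTO_VERB" "$PLUTO_PEER_CLIENT" "$PLUTO_MY_CLIENT" \
             "${PLUTO_MY_SOURCEIP:-}" "$PLUTO_PEER" |
    while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
    done
    if [ "$DRY_RUN" != 1 ]; then exec "$ORIG_UPDOWN" "$@"; fi
}

# Dispatch only when Pluto actually calls us (PLUTO_VERB set); sourcing the
# file elsewhere just defines the functions.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main "$@"
fi
```

To preview what a connection would install, run it by hand with constructed values, e.g. `DRY_RUN=1 PLUTO_VERB=up-client PLUTO_MY_CLIENT=203.0.113.5/32 PLUTO_PEER_CLIENT=10.1.0.0/16 PLUTO_PEER=198.51.100.1 PLUTO_MY_SOURCEIP=203.0.113.5 sh myrouting.sh`. Because down-client emits the same rules with -D instead of -A, a tunnel that goes down removes exactly what it added, which is the point of keeping the dynamic rules in their own chain rather than in FORWARD and INPUT directly.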