[Openswan Users] NAT based upon tunnel

Michael Richardson mcr at xelerance.com
Wed Oct 6 15:27:10 CEST 2004


>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
    >> I lost you a bit here, Paul.  We normally do NAT before the
    >> tunnel but we can't here. Of course, you may mean locally as the
    >> Head Office Gateway.  If that is the case, how would I do such a
    >> thing.  I assume I can change the IP before it hits KLIPS but
    >> that would merely act on the ESP packet and be meaningless to the
    >> inside.  Have I misunderstood you?

    Paul> I was more thinking of a separate ipsecX device here, eg bound
    Paul> to an IP alias, as the means to 'tag' the traffic before
    Paul> encryption.

  At present, KLIPS is supposed to set the fwmark on each packet based
upon the tunnel which it emerged from. The number used is allocated by
  What is missing is that it needs to be communicated through pluto to the
_updown script. You'd use a custom _updown script, and then you could do
what you want.

  This work was done to support OE and VPN policies at the same time, 
and was not finished.

  If you can get the system to use different ipsecX devices, then you
realize that the packets will emerge from the different devices.

  Finally, you could use a different gateway system at HQ.

    >>> AFAIK, klips has no idea about marking packets. You might get
    >>> the desired result by using hidetos=no but it likely won't be
    >>> copying all the IP options of the plaintext packets. Perhaps
    >>> Michael can answer this question.

    >> Ouch! If that's the case, then I am probably forced into the
    >> KAME, Racoon and the native IPSec implementation unless someone
    >> else can figure out how to distinguish the packets from OfficeB
    >> from the packets from OfficeA within iptables.
    >> Does anyone know authoritatively if the mark survives decryption?

    Paul> Michael?

  It intentionally does not.

--
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
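As an added example (not from the thread or from Openswan itself), here is the iptables side of the "different ipsecX devices" approach: because the fwmark does not survive decryption, the plaintext packets are marked by the ipsecX device they emerge from, and SNAT is then keyed on that mark. The device names, subnets, marks and NAT addresses are constructed placeholders; IPT defaults to a dry run that prints the rules.

```shell
#!/bin/sh
# Added example, not code from the thread: per-tunnel SNAT at the HQ gateway.
# Assumed: ipsec0 carries Office A (10.1.0.0/16), ipsec1 carries Office B
# (10.2.0.0/16); HQ presents them as 192.0.2.10 and 192.0.2.20. All values
# are constructed placeholders.
IPT="${IPT:-echo iptables}"   # set IPT=iptables to apply the rules for real

# Mark decrypted packets by the ipsecX device they emerged from. The SNAT
# rule lives in nat/POSTROUTING, which cannot match -i, so the input
# device is turned into an fwmark in mangle/PREROUTING first.
mark_from_device() {
    dev="$1"; mark="$2"
    $IPT -t mangle -A PREROUTING -i "$dev" -j MARK --set-mark "$mark"
}

# SNAT packets carrying a given mark (and coming from the expected remote
# subnet) to the address HQ uses for that tunnel.
snat_for_mark() {
    mark="$1"; src_net="$2"; nat_to="$3"
    $IPT -t nat -A POSTROUTING -m mark --mark "$mark" -s "$src_net" \
        -j SNAT --to-source "$nat_to"
}

# Full rule set for both tunnels: one mark per device, one SNAT per mark.
tunnel_nat_rules() {
    mark_from_device ipsec0 1
    mark_from_device ipsec1 2
    snat_for_mark 1 10.1.0.0/16 192.0.2.10
    snat_for_mark 2 10.2.0.0/16 192.0.2.20
}

tunnel_nat_rules
```

Run it with IPT=iptables on the gateway to install the rules; leave IPT unset to review the generated rule set first.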