[Openswan Users] OpenSWAN VPN only kinda working

Jeff Williams jwilliams at digitalfairway.com
Wed Jan 5 08:23:29 CET 2005


I believe I am NATing ipsec packets but nothing I have tried will stop 
the NATing of IPSec packets.  The problem I have is how to fix the 
situation if pssible.

There is this comment in the Design-Related Issues of Openswan:

* Using SNAT and the 2.6 ipsec code apparently doesn't go well together.
  Reported by Alexander Samad. Known issue for the netfilter team. DNAT
  works as usual, meaning you have to exlude DNAT'ing packets meant for
  a tunnel.

But I am not sure exactly how it effects me and how to get around it.  I am searching though the netfilter stuff next to see it they provide something that may resolve the issue.

Thanks, Jeff

Paul Wouters wrote:

> On Tue, 4 Jan 2005, Jeff Williams wrote:
>> *nat
>> -A POSTROUTING -o eth0 -j SNAT --to
>> -A PREROUTING -m tcp -p tcp -i eth0 --dport 993 -j DNAT 
>> --to-destination
> You are NAT'ing ipsec packets, causing them to be invalid and dropped?
> And no, I have no idea why 'worked before' with freeswan, it shouldn't 
> have.
> Paul

More information about the Users mailing list