[Openswan Users] SNAT before ipsec tunnel

Paul Wouters paul at xelerance.com
Tue Sep 20 17:34:38 CEST 2005


On Tue, 20 Sep 2005, Chris Picton wrote:

> I am using a RHEL3 server as a gateway on my home network, connecting to
> a RH7.3 server at my work network.

> The connections are established fine, and from boojum, I can ping
> kerberos and hosts on the 192.168.10.0/24 range.
>
> Any connections out of my internet device on boojum are being
> MASQUERADED (as I get a dynamic IP).
>
> When I try ping from a machine on my home lan to the 192.168.10.0 range,
> a tcpdump on boojum shows the packets being routed directly out on to
> the internet, and not via the ipsec tunnel.

You cannot use tcpdump on a NETKEY machine; it will not show the actual
results. You will have to hook up the uplink to a hub and verify by
running tcpdump on another machine.

> Some research has pointed me to a post dated Apr 18, 2004.
>> There is a patch in the pom-ng to handle this.
>> SNAT and IPSEC + 2.6 doesn't work with out this patch.
>
> Is this the solution I should be looking for?  Which patch would I use?
> Is this post outdated, and are there are now better solutions?

I think that might still apply.

Regardless, RHEL3 is the worst machine to use for IPsec, as it has a 2.4
kernel with an old broken NETKEY backport. So NETKEY is known to be problematic
and KLIPS cannot be patched into the kernel because of the backport.

Paul
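The problem Chris describes, modelled as an added example (this is not code from the thread, nor Openswan's own): the MASQUERADE rule rewrites the source of a LAN-to-LAN packet to the uplink address, so the packet no longer matches the IPsec policy selector and is not tunnelled. The fix shown is the usual rule-ordering exemption (an ACCEPT for the tunnel's selector placed before the catch-all MASQUERADE), not the pom-ng patch the thread refers to. The home LAN 192.168.1.0/24 and the uplink address 203.0.113.5 are constructed; the work LAN 192.168.10.0/24 is the one named in the thread. Kernel hook ordering is abstracted away; the model only shows the selector mismatch.

```python
"""Simplified model of MASQUERADE breaking a LAN-to-LAN IPsec policy, and the
rule-ordering exemption that keeps tunnel traffic away from the NAT rule.

Added example, not code from the thread. Constructed values: home LAN
192.168.1.0/24 behind boojum and boojum's uplink address 203.0.113.5.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple
import ipaddress

HOME_LAN = ipaddress.ip_network("192.168.1.0/24")   # constructed
WORK_LAN = ipaddress.ip_network("192.168.10.0/24")  # from the thread
UPLINK_IP = "203.0.113.5"                            # constructed dynamic address


@dataclass
class Packet:
    src: str
    dst: str


def is_lan_to_lan(pkt: Packet) -> bool:
    """Selector of the IPsec policy on boojum: home LAN to work LAN."""
    return (ipaddress.ip_address(pkt.src) in HOME_LAN
            and ipaddress.ip_address(pkt.dst) in WORK_LAN)


def any_packet(pkt: Packet) -> bool:
    return True


Rule = Tuple[Callable[[Packet], bool], str]

# nat POSTROUTING chain as a list of (match, target) pairs; first match wins.
MASQUERADE_ONLY: List[Rule] = [(any_packet, "MASQUERADE")]

# Exempt the tunnel's selector before the catch-all MASQUERADE rule, i.e.
#   iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.10.0/24 -j ACCEPT
#   iptables -t nat -A POSTROUTING -o <uplink> -j MASQUERADE
MASQUERADE_WITH_EXEMPTION: List[Rule] = [(is_lan_to_lan, "ACCEPT"),
                                         (any_packet, "MASQUERADE")]


def postrouting(pkt: Packet, chain: List[Rule]) -> Packet:
    """Apply the first matching nat rule; ACCEPT leaves the packet unchanged."""
    for match, target in chain:
        if match(pkt):
            if target == "MASQUERADE":
                return Packet(UPLINK_IP, pkt.dst)
            return pkt
    return pkt


def egress(pkt: Packet, chain: List[Rule]) -> Tuple[str, Packet]:
    """Run NAT, then test the (possibly rewritten) packet against the IPsec
    selector. Returns ("ipsec" | "not_tunnelled", packet as it leaves)."""
    after_nat = postrouting(pkt, chain)
    if is_lan_to_lan(after_nat):
        return ("ipsec", after_nat)
    return ("not_tunnelled", after_nat)


if __name__ == "__main__":
    ping = Packet("192.168.1.20", "192.168.10.7")
    print(egress(ping, MASQUERADE_ONLY))            # not_tunnelled, src rewritten
    print(egress(ping, MASQUERADE_WITH_EXEMPTION))  # ipsec, src preserved
```

Run it as a script to see both outcomes for the same ping. Ordinary internet-bound traffic from the home LAN is still masqueraded under the second chain, since only the subnet-to-subnet selector is exempted.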
