[Openswan Users] SNAT before ipsec tunnel

Chris Picton chrisp at tangent.co.za
Wed Sep 21 10:51:14 CEST 2005


On Tue, 2005-09-20 at 16:34 +0200, Paul Wouters wrote:
> > When I try ping from a machine on my home lan to the 192.168.10.0 range,
> > a tcpdump on boojum shows the packets being routed directly out on to
> > the internet, and not via the ipsec tunnel.
> 
> You cannot use tcpdump on a NETKEY machine, it will not show the actual
> results. You will have to hook up the uplink to a hub and verify with
> running tcpdump on another machine.

I had thought that, but thought it may give me some data at least.

> 
> > Some research has pointed me to a post dated Apr 18, 2004.
> >> There is a patch in the pom-ng to handle this.
> >> SNAT and IPSEC + 2.6 doesn't work without this patch.
> >
> > Is this the solution I should be looking for?  Which patch would I use?
> > Is this post outdated, and are there are now better solutions?
> 
> I think that might still apply.
> 
> Regardless, RHEL3 is the worst machine to use for IPsec, as it has a 2.4
> kernel with an old broken NETKEY backport. So NETKEY is known to be problematic
> and KLIPS cannot be patched into the kernel because of the backport.

I have been able to compile the KLIPS ipsec.o kernel module from
openswan 2.1.5.  This does seem to work (as I now get the ipsecX
interfaces).  I am just testing the NAT-T support in the kernel.

Are there any security issues with using an old version of openswan?

Regards

Chris


> 
> Paul
