[Openswan Users] SNAT before ipsec tunnel
Chris Picton
chrisp at tangent.co.za
Wed Sep 21 10:51:14 CEST 2005
On Tue, 2005-09-20 at 16:34 +0200, Paul Wouters wrote:
> > When I try ping from a machine on my home lan to the 192.168.10.0 range,
> > a tcpdump on boojum shows the packets being routed directly out on to
> > the internet, and not via the ipsec tunnel.
>
> You cannot use tcpdump on a NETKEY machine, it will not show the actual
> results. You will have to hook up the uplink to a hub and verify with
> running tcpdump on another machine.
I had thought that, but thought it may give me some data at least.
>
> > Some research has pointed me to a post dated Apr 18, 2004.
> >> There is a patch in the pom-ng to handle this.
> >> SNAT and IPSEC + 2.6 doesn't work without this patch.
> >
> > Is this the solution I should be looking for? Which patch would I use?
> > Is this post outdated, and are there are now better solutions?
>
> I think that might still apply.
>
> Regardless, RHEL3 is the worst machine to use for IPsec, as it has a 2.4
> kernel with an old broken NETKEY backport. So NETKEY is known to be problematic
> and KLIPS cannot be patched into the kernel because of the backport.
I have been able to compile the KLIPS ipsec.o kernel module from
openswan 2.1.5. This does seem to work (as I now get the ipsecX
interfaces). I am just testing the NAT-T support in the kernel.
Are there any security issues with using an old version of openswan?
Regards
Chris
>
> Paul
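A defender-side workaround for the SNAT-before-tunnel problem discussed in this thread, added here as an example and not taken from the thread or from Openswan: exempt traffic bound for the remote subnet from the MASQUERADE/SNAT rule so its source address is never rewritten, and the packet still matches the tunnel's policy. The home LAN subnet, uplink interface and the DRY_RUN/apply/check helpers are assumptions; 192.168.10.0/24 is the remote range named in the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Openswan.
# Assumed layout: home LAN 192.168.1.0/24 (constructed), remote subnet
# 192.168.10.0/24 (from the thread), uplink interface eth0 (assumed).
# With DRY_RUN set, rules are printed instead of applied.

LAN_NET=${LAN_NET:-192.168.1.0/24}
REMOTE_NET=${REMOTE_NET:-192.168.10.0/24}
WAN_IF=${WAN_IF:-eth0}

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Broken ordering: MASQUERADE matches LAN-to-anywhere first, rewrites the
# source to the uplink address, and the packet no longer fits the tunnel's
# source selector, so it leaves in the clear instead of via the tunnel.
nat_rules_broken() {
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Fixed ordering: traffic for the remote subnet hits an ACCEPT in nat
# POSTROUTING before the MASQUERADE rule can see it, so it keeps its
# LAN source and is still selected for IPsec.
nat_rules_fixed() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$REMOTE_NET" -j ACCEPT
    # On kernels with the netfilter policy match (mainline since 2.6.16),
    # "-m policy --dir out --pol ipsec -j ACCEPT" exempts all tunnel traffic
    # without listing each remote subnet.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Check: since tcpdump on a NETKEY box is unreliable, use the rule packet
# counters instead. A climbing count on the ACCEPT line means tunnel-bound
# packets are being exempted from SNAT.
show_counters() {
    run iptables -t nat -L POSTROUTING -v -n
}

case "${1:-}" in
    apply) nat_rules_fixed ;;
    check) show_counters ;;
    *)     DRY_RUN=1; nat_rules_fixed ;;   # default: print the rules only
esac
```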