[Openswan Users] SNAT before ipsec tunnel

Trevor Benson TrevorBenson at a-1networks.com
Wed Sep 21 09:03:20 CEST 2005


> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Paul Wouters
> Sent: Tuesday, September 20, 2005 7:35 AM
> To: Chris Picton
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] SNAT before ipsec tunnel
> 
> On Tue, 20 Sep 2005, Chris Picton wrote:
> 
> > I am using a RHEL3 server as a gateway on my home network, connecting
> > to a RH7.3 server at my work network.
> 
> > The connections are established fine, and from boojum, I can ping
> > kerberos and hosts on the 192.168.10.0/24 range.
> >
> > Any connections out of my internet device on boojum are being
> > MASQUERADED (as I get a dynamic IP).

Try this

iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d ! 192.168.0.0/16 -j MASQUERADE

This will make sure that your internet network only masquerades when it
heads to a non-192.168.x network. This is of course assuming you're doing
a site-to-site using remote subnets as well.  If your home LAN is not in
the 192.168.x range, then try adding whatever it is to the -d ! portion.
You are basically excluding the -d ! network from any masquerade policy.


> >
> > When I try ping from a machine on my home LAN to the 192.168.10.0
> > range, a tcpdump on boojum shows the packets being routed directly out
> > on to the internet, and not via the ipsec tunnel.
> 
> You cannot use tcpdump on a NETKEY machine, it will not show the actual
> results. You will have to hook up the uplink to a hub and verify with
> running tcpdump on another machine.
> 
> > Some research has pointed me to a post dated Apr 18, 2004.
> >> There is a patch in the pom-ng to handle this.
> >> SNAT and IPSEC + 2.6 doesn't work with out this patch.
> >
> > Is this the solution I should be looking for?  Which patch would I use?
> > Is this post outdated, and are there are now better solutions?
> 
> I think that might still apply.
> 
> Regardless, RHEL3 is the worst machine to use for IPsec, as it has a 2.4
> kernel with an old broken NETKEY backport. So NETKEY is known to be
> problematic and KLIPS cannot be patched into the kernel because of the backport.
> 
> Paul
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
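A worked version of the rule ordering discussed above, added here as an example and not code from the thread or from Openswan: it keeps site-to-site IPsec traffic out of MASQUERADE both by the explicit destination exemption (in the current "! -d" syntax) and by the iptables policy match, which marks packets that will leave through an IPsec SA. It assumes constructed values (home LAN 192.168.1.0/24, remote site 192.168.10.0/24, uplink eth0) and a kernel that has the policy match (on 2.6 NETKEY that is what the pom-ng patch provided; later kernels ship it as xt_policy).

```shell
#!/bin/sh
# Added example, not from the thread. Assumed/constructed values:
HOME_LAN="${HOME_LAN:-192.168.1.0/24}"      # LAN behind the gateway
REMOTE_LAN="${REMOTE_LAN:-192.168.10.0/24}" # subnet on the far side of the tunnel
WAN_IF="${WAN_IF:-eth0}"                    # interface with the dynamic IP
IPT="${IPT:-iptables}"                      # set IPT=echo for a dry run

# Print the POSTROUTING rules in the order they must be loaded: first match
# wins, so both exemptions have to sit in front of the catch-all MASQUERADE.
nat_rules() {
    cat <<EOF
-t nat -A POSTROUTING -s $HOME_LAN -d $REMOTE_LAN -j ACCEPT
-t nat -A POSTROUTING -o $WAN_IF -m policy --dir out --pol ipsec -j ACCEPT
-t nat -A POSTROUTING -s $HOME_LAN -o $WAN_IF -j MASQUERADE
EOF
}

# Load the rules with $IPT (iptables, or echo for a dry run).
apply_nat_rules() {
    nat_rules | while read -r rule; do
        # word splitting of $rule into separate arguments is intended
        "$IPT" $rule
    done
}

# Verify a listing such as `iptables -t nat -S POSTROUTING` (read on stdin):
# every ACCEPT exemption must precede the first MASQUERADE rule, otherwise
# tunnel-bound packets get source-NATed before IPsec sees them.
# Returns 0 when the ordering is safe, 1 otherwise (also 1 if no MASQUERADE).
check_order() {
    awk '
        /-j ACCEPT/     { last_accept = NR }
        /-j MASQUERADE/ { if (!first_masq) first_masq = NR }
        END {
            ok = (first_masq && last_accept && last_accept < first_masq)
            exit ok ? 0 : 1
        }
    '
}
```

Run `IPT=echo apply_nat_rules` to review the rules before loading them, and pipe the live `-S POSTROUTING` listing through `check_order` after any rule changes.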
