[Openswan Users] routing vpn traffic
Paul Wouters
paul at xelerance.com
Mon Jan 2 18:16:59 CET 2006
On Mon, 2 Jan 2006, Michael Tinsay wrote:
> It's my first time to setup openswan using a 2.6 linux
> kernel (netkey). I understand that there is no more
> ipsec0 interface. My question is: How do I route vpn
> traffic properly? In a 2.4 kernel, lan (eth0) to
> internet (eth1) is nat'ed/masqueraded and lan to vpn
> (ipsec0) is routed. How do I achieve the same thing
> in a 2.6 kernel when all I can see are eth0 and eth1?
> How do I distinguish between a normal Internet traffic
> (for NAT'ing) and IPsec traffice (for routing through
> a tunnel)?
The easiest way is by source and destination. For instance if you have
two subnets (10.0.1.0/24 and 10.0.2.0/24) that are connected by IPsec,
with both IPsec gateways NAT'ing packets, you can do:
iptables -t nat -I POSTROUTING -o ethX -s 10.1.2.0/24 -d \!10.0.2.0/24 -j DNAT [....]
if you have multiple networks, you will need to use various rules with -j ACCEPT
iptables -t nat -I POSTROUTING -o ethX -s 10.1.2.0/24 -d 10.0.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ethX -s 10.1.2.0/24 -d 10.0.3.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ethX -s 10.1.2.0/24 -d 10.0.4.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ethX -s 10.1.2.0/24 -j DNAT [....]
Paul
More information about the Users
mailing list