[Openswan Users] routing vpn traffic

Paul Wouters paul at xelerance.com
Mon Jan 2 18:16:59 CET 2006


On Mon, 2 Jan 2006, Michael Tinsay wrote:

> It's my first time to setup openswan using a 2.6 linux
> kernel (netkey).  I understand that there is no more
> ipsec0 interface.  My question is: How do I route vpn
> traffic properly?  In a 2.4 kernel, lan (eth0) to
> internet (eth1) is nat'ed/masqueraded and lan to vpn
> (ipsec0) is routed.  How do I achieve the same thing
> in a 2.6 kernel when all I can see are eth0 and eth1?
> How do I distinguish between a normal Internet traffic
> (for NAT'ing) and IPsec traffic (for routing through
> a tunnel)?

The easiest way is by source and destination. For instance if you have
two subnets (10.0.1.0/24 and 10.0.2.0/24) that are connected by IPsec,
with both IPsec gateways NAT'ing packets, you can do:

iptables -t nat -I POSTROUTING -o ethX -s 10.0.1.0/24 ! -d 10.0.2.0/24 -j SNAT [....]

If you have multiple networks, you will need to use various rules with -j ACCEPT:

iptables -t nat -I POSTROUTING -o ethX -s 10.0.1.0/24 -d 10.0.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ethX -s 10.0.1.0/24 -d 10.0.3.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ethX -s 10.0.1.0/24 -d 10.0.4.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ethX -s 10.0.1.0/24 -j SNAT [....]

Paul
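The multi-network rule list above, generalized into a small generator as an added example (not part of Paul's reply or of Openswan): it emits one ACCEPT exception per remote IPsec subnet and a MASQUERADE catch-all after them, so tunnel-bound packets leave the gateway un-NATed and still match the netkey IPsec policy. The interface name, subnets and the function name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the POSTROUTING NAT rules
# that exempt IPsec-protected subnets from masquerading, for any number of
# remote subnets. Interface and subnet values below are assumptions.

# gen_nat_rules WAN_IF LOCAL_SUBNET REMOTE_SUBNET...
# Prints one ACCEPT rule per remote subnet (traffic that must stay un-NATed so
# the kernel's IPsec policy still matches it), then a single MASQUERADE
# catch-all for everything else leaving WAN_IF from LOCAL_SUBNET.
gen_nat_rules() {
    wan_if=$1; local_net=$2; shift 2
    for remote_net in "$@"; do
        printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -j ACCEPT\n' \
            "$wan_if" "$local_net" "$remote_net"
    done
    # Catch-all last: the nat table is walked top to bottom, so the exceptions
    # above must precede it or tunnel traffic would be rewritten to the
    # gateway's address and never match the IPsec policy.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' \
        "$wan_if" "$local_net"
}

# Constructed values: eth1 is the Internet side, 10.0.1.0/24 the local LAN,
# and two remote subnets are reachable through IPsec tunnels.
# Review the output first; pipe it into sh to apply:
#   gen_nat_rules eth1 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24 | sh
gen_nat_rules eth1 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24
```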