[Openswan Users] question on SNAT and ipsec verify

Frank.Mayer at knapp-systems.com
Thu Jan 26 23:40:50 CET 2006


I'm using Kernel 2.4.32 (KLIPS and NATT-patch applied) and OpenS/WAN 2.4.4

I have a setup similar to:

private network:

partner A:, tunnel uses e.g.
leftnetwork=, rightnetwork= (range I need to 

partner B:, but use in their network
so I have an iptables-rule
POSTROUTING -s -d -j SNAT --to-source
and for the tunnel I use
leftnetwork=, rightnetwork=,

When I run "ipsec verify" I get messages like
SNAT from to kills tunnel 
(I'd understand that, if I really had a rule SNATing every connection, but 
I don't!)

1) I know that the SNAT rule does not interfere (at least not noticeably) 
with the tunnels, since network traffic runs OK.
2) I know this kind of NAT does not work at all using a default 2.6 kernel 
of Debian Sarge (or SuSE SLES9) and the precompiled ipsec-tools.

So, is this way of SNATing something that is not to be done for tunnels 
and does work on kernel 2.4 just "by accident", or is this something that 
ipsec verify (and NETKEY of kernel 2.6) does not handle correctly?

Thanks in advance for your help and clarification,
Frank Mayer
UNIX Systemadministration
KNAPP Systemintegration GmbH
Waltenbachstrasse 9
8700 Leoben, Austria
Phone: +43 3842 805-921
Fax: +43 3842 82930-921
frank.mayer at knapp-systems.com
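As an added example (not the poster's code and not part of Openswan), the following Python models the situation described above: one destination-scoped POSTROUTING SNAT rule and two tunnels, with constructed RFC 5737 addresses standing in for the stripped values. The `nat_before_policy` switch is a modelling assumption introduced here to contrast a selector lookup on the post-NAT packet (what the KLIPS observation implies) with a lookup on the pre-NAT source (assumed for the NETKEY case); ipsec verify itself only warns on the presence of SNAT.

```python
"""Model how a POSTROUTING SNAT rule interacts with IPsec tunnel selectors.

Added example, not code from the original post or from Openswan. Addresses
are constructed RFC 5737 documentation ranges replacing the stripped values.
"""
import ipaddress
import re

# Constructed sample: partner A's tunnel carries the private net unchanged,
# partner B's tunnel expects the SNAT'd address on the left side.
TUNNELS = {
    "partnerA": ("192.0.2.0/24", "192.168.200.0/24"),
    "partnerB": ("203.0.113.10/32", "198.51.100.0/24"),
}
SNAT_RULE = ("-A POSTROUTING -s 192.0.2.0/24 -d 198.51.100.0/24 "
             "-j SNAT --to-source 203.0.113.10")

RULE_RE = re.compile(
    r"(?: -s (?P<src>\S+))?(?: -d (?P<dst>\S+))? -j SNAT --to-source (?P<to>\S+)")

def apply_snat(rule, src, dst):
    """Source address after the SNAT rule (unchanged if the rule does not match)."""
    m = RULE_RE.search(rule)
    if m is None:
        return src
    rule_src = ipaddress.ip_network(m.group("src") or "0.0.0.0/0", strict=False)
    rule_dst = ipaddress.ip_network(m.group("dst") or "0.0.0.0/0", strict=False)
    if src in rule_src and dst in rule_dst:
        return ipaddress.ip_address(m.group("to"))
    return src

def matching_tunnel(tunnels, src, dst):
    """Name of the tunnel whose left/right selectors cover src->dst, or None."""
    for name, (left, right) in tunnels.items():
        if src in ipaddress.ip_network(left) and dst in ipaddress.ip_network(right):
            return name
    return None

def tunnel_for_flow(rule, tunnels, src, dst, nat_before_policy):
    """Return (tunnel name or None, inner source address as a string).

    nat_before_policy=True: the selector is evaluated on the post-NAT packet
    (consistent with the post's KLIPS observation).  False: the lookup sees
    the pre-NAT source (assumption used here for the NETKEY case), so a
    tunnel keyed on the translated address is never selected."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nat_src = apply_snat(rule, src, dst)
    lookup_src = nat_src if nat_before_policy else src
    return matching_tunnel(tunnels, lookup_src, dst), str(nat_src)
```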
