[Openswan Users] question on SNAT and ipsec verify
Frank.Mayer at knapp-systems.com
Thu Jan 26 23:40:50 CET 2006
Hi,
I'm using Kernel 2.4.32 (KLIPS and NATT-patch applied) and OpenS/WAN 2.4.4
I have setup similar to:
private network: 172.20.0.0/16
partner A: 10.20.0.0/16, tunnel uses e.g.
leftnetwork=172.20.0.0/16, rightnetwork=10.20.100.0/24 (range I need to access)
partner B: 192.168.0.0/24, but use 172.16.0.0/12 in their network
so I have an iptables-rule
POSTROUTING -s 172.20.0.0/16 -d 192.168.0.0/24 -j SNAT --to-source 172.21.1.1
and for the tunnel I use
leftnetwork=172.21.1.1/32, rightnetwork=192.168.0.0/24,
When I run "ipsec verify" I get messages like
SNAT from 172.20.0.0/16 to 0.0.0.0/0 kills tunnel 172.20.0.0/16 -> 192.168.0.0/24
(I'd understand that, if I really had a rule SNATing every connection, but
I don't!)
1) I know that the SNAT rule does not interfere (at least not noticeably)
with the tunnels, since network traffic runs OK.
2) I know this kind of nat does not work at all using a default 2.6-Kernel
of Debian Sarge (or SuSE SLES9) and the precompiled ipsec-tools
So, is this way of SNATing something that is not to be done for tunnels
and does work on Kernel 2.4 just "by accident", or is this something that
ipsec verify (and netkey of kernel 2.6) does not handle correctly?
Thanks in advance for your help and clarification,
Frank Mayer
UNIX Systemadministration
----------------------------------------------------
KNAPP Systemintegration GmbH
Waltenbachstrasse 9
8700 Leoben, Austria
----------------------------------------------------
Phone: +43 3842 805-921
Fax: +43 3842 82930-921
frank.mayer at knapp-systems.com
www.knapp.com
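The following is an added example, not part of the original post and not Openswan's own "ipsec verify" code. It models the kind of overlap check that produces a "SNAT ... kills tunnel" warning: for each SNAT rule and each tunnel it asks whether the rule touches traffic the tunnel selects and whether the translated source still lies inside the tunnel's left subnet. The model assumes the source address is rewritten before the tunnel's subnet selector is consulted, which is the situation the warning describes (whether a given kernel stack actually orders things that way is exactly the question raised above). The rule and subnets are taken from the post; the tunnel labels, the `honour_destination` switch (which reproduces a checker that reads every rule as "to 0.0.0.0/0", as the warning text does) and the verdict names are my own constructions.

```python
# Added example: a small model of the overlap test behind "SNAT ... kills tunnel"
# style warnings.  Constructed for illustration; this is not Openswan's ipsec verify.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class SnatRule:
    """One iptables POSTROUTING rule: -s SRC -d DST -j SNAT --to-source TO."""
    src: IPv4Network
    dst: IPv4Network
    to_source: IPv4Address


@dataclass(frozen=True)
class Tunnel:
    """One IPsec connection: traffic from left_subnet to right_subnet is tunnelled."""
    name: str              # label invented for this example
    left_subnet: IPv4Network
    right_subnet: IPv4Network


def classify(rule: SnatRule, tunnel: Tunnel, honour_destination: bool = True) -> str:
    """Verdict for one rule against one tunnel (verdict names are constructed):

      'no-match'  the rule never touches traffic the tunnel selects
      'feeds'     the rule does not match the tunnel's own source range, but its
                  translated source lands inside left_subnet (NAT feeds the tunnel,
                  the 172.21.1.1/32 setup from the post)
      'harmless'  the rule matches tunnel traffic, but the translated source is
                  still inside left_subnet, so the selector still matches
      'kills'     the rule matches tunnel traffic and moves the source outside
                  left_subnet, so the post-NAT packet no longer matches the policy

    honour_destination=False ignores the rule's -d, treating it as 0.0.0.0/0; this
    reproduces a checker that only looks at -s, which is how the warning reads.
    """
    dst = rule.dst if honour_destination else IPv4Network("0.0.0.0/0")
    if not dst.overlaps(tunnel.right_subnet):
        return "no-match"
    translated_in_left = rule.to_source in tunnel.left_subnet
    if not rule.src.overlaps(tunnel.left_subnet):
        return "feeds" if translated_in_left else "no-match"
    return "harmless" if translated_in_left else "kills"


def report(rules, tunnels, honour_destination: bool = True):
    """List of (rule index, tunnel name, verdict) for every rule/tunnel pair."""
    return [
        (i, t.name, classify(r, t, honour_destination))
        for i, r in enumerate(rules)
        for t in tunnels
    ]


# Addresses from the post; the catch-all rule is a constructed contrast case.
POST_RULE = SnatRule(ip_network("172.20.0.0/16"), ip_network("192.168.0.0/24"),
                     ip_address("172.21.1.1"))
CATCH_ALL_RULE = SnatRule(ip_network("172.20.0.0/16"), ip_network("0.0.0.0/0"),
                          ip_address("172.21.1.1"))
TUNNELS = [
    Tunnel("partnerA", ip_network("172.20.0.0/16"), ip_network("10.20.100.0/24")),
    Tunnel("partnerB", ip_network("172.21.1.1/32"), ip_network("192.168.0.0/24")),
]

if __name__ == "__main__":
    print("rule as posted, -d honoured:", report([POST_RULE], TUNNELS))
    print("rule as posted, -d ignored: ", report([POST_RULE], TUNNELS, False))
    print("catch-all SNAT, -d honoured:", report([CATCH_ALL_RULE], TUNNELS))
```

Run as-is, the rule from the post yields "no-match" for the partner A tunnel and "feeds" for the partner B tunnel when the destination is honoured; with the destination ignored, the same rule is reported as killing the partner A tunnel, which matches the shape of the warning in the post. A genuinely destination-less SNAT of 172.20.0.0/16 does kill that tunnel in the model, because the rewritten source 172.21.1.1 falls outside 172.20.0.0/16.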