[Openswan Users] SNAT ipsec issue kern 2.4 -> 2.6, no ipsec0, is this the NAT-T patch issue, or fixed by some scary-looking mangle/mark iptables rule?

ted leslie tleslie at tcn.net
Mon Jan 30 18:05:35 CET 2006

I have converted from the 2.4 -> 2.6 kernel and thus lose the ipsecX interfaces.
If I have a tunnel that I use my true source address on, it works,
but if I SNAT my source IP on the way out (before the tunnel) as I did in the 2.4 kernel,
the packet doesn't get ESP'd; it just gets routed out normally.

So it appears that the ipsec "match" happens first?
And if a SNAT happens, one is SOL?

I am reading stuff about the NAT-T kernel patch, etc., but I am not sure this helps me,
and I can't really alter the kernel on this device at this time.

I just happen to have two devices, so to temporarily fix it,
I do a SNAT on a different device, then route the packet to the VPN gateway, which,
because it sees the source and destination IPs exactly as it wants them in order to
match the VPN gateway route, ESP's the packet, and it works fine.

But surely I can do all this on one box,
i.e. iptables and openswan on a single Linux box, with SNAT, and have it work?

I see hints that iproute2, iptables mangle and mark, and a bunch of other voodoo might
provide a trick to make this work?

Any help would be appreciated.
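Editor's note, not part of Ted's message or of Openswan: the ordering Ted is guessing at is the whole story. With 2.4/KLIPS the route for the remote subnet points at ipsecX, so POSTROUTING SNAT runs first and the eroute lookup happens afterwards inside the ipsecX transmit path, on the already-rewritten source. With 2.6/NETKEY of that period the xfrm policy lookup is done at the routing step in ip_forward(), before the FORWARD and POSTROUTING hooks, so SNAT rewrites the source after the "no policy matches" decision has already been made. (Later 2.6 kernels added a re-lookup after POSTROUTING NAT, nf_xfrm_me_harder(), which is why this stopped biting; the kernel Ted cannot change predates it.) The Python model below is an added illustration of those three paths, written for this page; the addresses, the one-rule SNAT table, and the single policy are constructed, and Packet.esp only records whether the policy lookup selected the packet for ESP encapsulation, not the encapsulation itself.

```python
"""Model of where the IPsec policy lookup sits relative to POSTROUTING SNAT.

Added illustration, not kernel or Openswan code. Hook order is my reading of
2.4 KLIPS (SNAT, then eroute lookup in ipsecX xmit) and early 2.6 NETKEY
(xfrm lookup in ip_forward(), then SNAT in POSTROUTING, no re-lookup).
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    esp: bool = False  # True once the policy lookup selected the packet for ESP


@dataclass(frozen=True)
class IpsecPolicy:
    """One tunnel selector, i.e. leftsubnet -> rightsubnet (xfrm policy / KLIPS eroute)."""
    local_subnet: str
    remote_subnet: str


@dataclass(frozen=True)
class SnatRule:
    """iptables -t nat -A POSTROUTING -s <match_src> -j SNAT --to-source <to>"""
    match_src: str
    to: str


def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def ipsec_lookup(pkt: Packet, policies) -> Packet:
    """Select the packet for ESP if its current (src, dst) matches a policy."""
    for p in policies:
        if in_net(pkt.src, p.local_subnet) and in_net(pkt.dst, p.remote_subnet):
            return replace(pkt, esp=True)
    return pkt


def snat(pkt: Packet, rules) -> Packet:
    """POSTROUTING nat table: first matching rule rewrites the source."""
    for r in rules:
        if in_net(pkt.src, r.match_src):
            return replace(pkt, src=r.to)
    return pkt


def forward_klips(pkt: Packet, policies, snat_rules) -> Packet:
    """2.4 KLIPS: routed to ipsecX, SNAT happens first, eroute lookup in the device xmit."""
    return ipsec_lookup(snat(pkt, snat_rules), policies)


def forward_netkey(pkt: Packet, policies, snat_rules) -> Packet:
    """Early 2.6 NETKEY: xfrm lookup at routing time, SNAT afterwards, no re-lookup."""
    return snat(ipsec_lookup(pkt, policies), snat_rules)


def two_box(pkt: Packet, policies, snat_rules) -> Packet:
    """Ted's workaround: box A only does SNAT, box B (NETKEY, no NAT) is the VPN gateway.

    Box B receives the packet with the rewritten source, so its routing-time
    lookup sees the address the policy was written for.
    """
    at_box_b = snat(pkt, snat_rules)
    return forward_netkey(at_box_b, policies, [])


# Constructed scenario: LAN 10.0.0.0/24 is SNAT'd to the gateway address 192.0.2.10,
# and the tunnel is defined as 192.0.2.10/32 <-> 198.51.100.0/24.
POLICIES = [IpsecPolicy("192.0.2.10/32", "198.51.100.0/24")]
SNAT_RULES = [SnatRule("10.0.0.0/24", "192.0.2.10")]
LAN_PKT = Packet("10.0.0.5", "198.51.100.7")
TRUE_SRC_PKT = Packet("192.0.2.10", "198.51.100.7")  # no SNAT rule applies


def demo() -> dict:
    """Return the outcome of each path for the constructed scenario."""
    return {
        "2.4 klips, snat then tunnel": forward_klips(LAN_PKT, POLICIES, SNAT_RULES),
        "2.6 netkey, snat then tunnel": forward_netkey(LAN_PKT, POLICIES, SNAT_RULES),
        "2.6 netkey, true source": forward_netkey(TRUE_SRC_PKT, POLICIES, SNAT_RULES),
        "two boxes, snat on A, tunnel on B": two_box(LAN_PKT, POLICIES, SNAT_RULES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:36s} -> src={result.src} esp={result.esp}")
```

The NETKEY single-box case comes out with the SNAT'd source and esp=False, which is exactly "routed out normally" with the rewritten address; the same packet through the KLIPS order or through the two-box detour is selected for ESP, and a packet whose true source is already the tunnel's leftsubnet works on NETKEY without any NAT, matching Ted's observation.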