[Openswan Users] SNAT before OpenSwan, same box?

Paul Wouters paul at xelerance.com
Fri Mar 17 14:33:10 CET 2006

On Fri, 17 Mar 2006, "Adrián R. Sanchez" wrote:

> Where in the kernel packet flow is located OpenSwan?

Depends on whether you are using NETKEY or KLIPS.

> Is it after or before the POSTROUTING table?

With KLIPS it is like any other interface, since it uses the seperate ipsecX
interface. With NETKEY, things depend a bit on the kernel version, and is
rather strange. You'd need the latest 2.6. kernel for Patrick Hardy's SNAT+IPsec

> In other words, can I SNAT packets before they get into an OpenSwan tunnel
> just like I do it in a Cisco VPN terminator by removing the "no nat" command?

With KLIPS, yes.

Building and integrating Virtual Private Networks with Openswan:

More information about the Users mailing list