[Openswan Users] SNAT before OpenSwan, same box?

"Adrián R. Sanchez" adrian_sanchez at actionline.com.ar
Fri Mar 17 10:37:57 CET 2006

I'm sorry to be so unspecific.

My questions are on a standard installation of OpenSwan 2.3.1-1 over
2.6.5-1.358 Kernel (Fedora Core 2). I believe this means SETKEY and not
KLIPS right?

Do I need to get into some upgrading and patching stuff to get this to work?



Paul Wouters wrote:
> On Fri, 17 Mar 2006, "Adrián R. Sanchez" wrote:
>> Where in the kernel packet flow is located OpenSwan?
> Depends on whether you are using NETKEY or KLIPS.
>> Is it after or before the POSTROUTING table?
> With KLIPS it is like any other interface, since it uses the seperate ipsecX
> interface. With NETKEY, things depend a bit on the kernel version, and is
> rather strange. You'd need the latest 2.6. kernel for Patrick Hardy's SNAT+IPsec
> fixes.
>> In other words, can I SNAT packets before they get into an OpenSwan tunnel
>> just like I do it in a Cisco VPN terminator by removing the "no nat" command?
> With KLIPS, yes.
> Paul


Adrián R. Sanchez
Dpto. de Tecnología

Actionline de Argentina S.A.
Viamonte 570 (C1053ABL)
Buenos Aires, Argentina
Tel.: +54 11 5093-3905

More information about the Users mailing list