[Openswan Users] SNAT before OpenSwan, same box?
"Adrián R. Sanchez"
adrian_sanchez at actionline.com.ar
Fri Mar 17 10:37:57 CET 2006
I'm sorry to be so unspecific.
My questions are on a standard installation of OpenSwan 2.3.1-1 over
2.6.5-1.358 Kernel (Fedora Core 2). I believe this means SETKEY and not
KLIPS, right?
Do I need to get into some upgrading and patching stuff to get this to work?
Thanks,
Adrián.
Paul Wouters wrote:
> On Fri, 17 Mar 2006, "Adrián R. Sanchez" wrote:
>
>> Where in the kernel packet flow is OpenSwan located?
>
> Depends on whether you are using NETKEY or KLIPS.
>
>> Is it after or before the POSTROUTING table?
>
> With KLIPS it is like any other interface, since it uses the separate ipsecX
> interface. With NETKEY, things depend a bit on the kernel version, and are
> rather strange. You'd need the latest 2.6. kernel for Patrick Hardy's SNAT+IPsec
> fixes.
>
>> In other words, can I SNAT packets before they get into an OpenSwan tunnel
>> just like I do it in a Cisco VPN terminator by removing the "no nat" command?
>
> With KLIPS, yes.
>
> Paul
--
Adrián R. Sanchez
Dpto. de Tecnología
Actionline de Argentina S.A.
Viamonte 570 (C1053ABL)
Buenos Aires, Argentina
Tel.: +54 11 5093-3905