[Openswan Users] SNAT before OpenSwan, same box?

"Adrián R. Sanchez" adrian_sanchez at actionline.com.ar
Fri Mar 17 15:08:17 CET 2006


Just what I needed to know, thank you all very much.

Adrián.

Marco Berizzi wrote:
> Paul Wouters wrote:
> 
>> On Fri, 17 Mar 2006, "Adrián R. Sanchez" wrote:
>>
>>> Where in the kernel packet flow is located OpenSwan?
>> Depends on whether you are using NETKEY or KLIPS.
>>
>>> Is it after or before the POSTROUTING table?
>> With KLIPS it is like any other interface, since it uses the separate ipsecX
>> interface. With NETKEY, things depend a bit on the kernel version, and is
>> rather strange. You'd need the latest 2.6. kernel for Patrick Hardy's SNAT+IPsec
>> fixes.
> 
> IPsec on NETKEY and NAT are fine since linux
> 2.6.16-rc1. You should also upgrade to iptables
> 1.3.5: there is the new 'policy match' which
> gives you very granular control over ipsec packets.
> I have placed a couple of 2.6.16-rc3 in production
> environment with osw 2.4.5-rc4: three weeks uptime,
> and no problem. However, I think (hope) next week
> will be released 2.6.16 final (I hope also openswan
> 2.4.5 will be released).
> 
> 

-- 

Adrián R. Sanchez
Dpto. de Tecnología

Actionline de Argentina S.A.
Viamonte 570 (C1053ABL)
Buenos Aires, Argentina
Tel.: +54 11 5093-3905


