[Openswan Users] SNAT before IPSec, save my soul.

"Adrián R. Sanchez" adrian_sanchez at actionline.com.ar
Fri Mar 24 11:19:33 CET 2006


> 
> There is not iptables patches nor POM. The combination
> is linux vanilla 2.6.16 & iptables 1.3.5. Nothing
> else.

Ok. I've just installed a fresh copy of Fedora Core 5, which ships with:

- iptables 1.3.5
- kernel 2.6.15-1.2054_FC5
- OpenSWAN 2.4.4-1.1.2.1

Then I installed kernel 2.6.16-1.2069_FC5, which is still under the 
"Test" branch, but did install and boot with no problems at all.

I am trying to keep this as standard as possible, avoiding any type of 
compiling, etc. Just a fresh OS and the additional 2.6.16 kernel rpm.


> 
> Draw your network schema.

My setup is very easy. Just imagine a simple IPSec tunnel connecting two
private hosts. Well, I need my left private host to get into the tunnel, 
but using one of my many OpenSWAN public IP address aliases:

192.168.0.4--200.0.0.1==140.0.0.1--140.0.0.2
              200.0.0.2

- 192.168.0.4 is my internal host.

- 200.0.0.1 is my IPSec gateway, it also has an IP alias of 200.0.0.2
which is reserved for my internal host via NAT. In other words, anyone 
can access 192.168.0.4 from the internet by pointing at 200.0.0.2.

- 140.0.0.1 is my remote ipsec gateway of which I have no control
whatsoever. That's my ipsec peer which grants me access to 140.0.0.2:
presumably an internal, SNAT'ed host, too (but they're not using Linux 
to do that... I've already asked).

Can you see what the problem is? I can't get 192.168.0.4 to act like
200.0.0.2 before getting into the IPSec tunnel through 140.0.0.2.

Now that I have a 2.6.16 kernel + iptables 1.3.5... will a simple 
command like:

iptables -t nat -A POSTROUTING -s 192.168.0.4 -d 140.0.0.2 -j SNAT --to 200.0.0.2

...actually SNAT the packets before they enter the tunnel in the same box?

Or do I need to issue a more specific syntax for a rule to do this?


Thanks!


