[Openswan Users] SNAT before IPSec, save my soul.
"Adrián R. Sanchez"
adrian_sanchez at actionline.com.ar
Fri Mar 24 11:19:33 CET 2006
> There are no iptables patches nor POM. The combination
> is linux vanilla 2.6.16 & iptables 1.3.5. Nothing
Ok. I've just installed a fresh copy of Fedora Core 5, which ships with:
- iptables 1.3.5
- kernel 2.6.15-1.2054_FC5
- OpenSWAN 2.4.4-22.214.171.124
Then I installed kernel 2.6.16-1.2069_FC5, which is still under the
"Test" branch, but did install and boot with no problems at all.
I am trying to keep this as standard as possible, avoiding any type of
compiling, etc. Just a fresh OS and the additional 2.6.16 kernel rpm.
> Draw your network schema.
My setup is very easy. Just imagine a simple IPSec tunnel connecting two
private hosts. Well, I need my left private host to get into the tunnel,
but using one of my many OpenSWAN public IP address aliases:
- 192.168.0.4 is my internal host.
- 126.96.36.199 is my IPSec gateway, it also has an IP alias of 188.8.131.52
which is reserved for my internal host via NAT. In other words, anyone
can access 192.168.0.4 from the internet by pointing at 184.108.40.206.
- 220.127.116.11 is my remote ipsec gateway of which I have no control
whatsoever. That's my ipsec peer which grants me access to 18.104.22.168:
presumably an internal, SNAT'ed host, too (but they're not using Linux
to do that... I've already asked).
Can you see what the problem is? I can't get 192.168.0.4 to act like
22.214.171.124 before getting into the IPSec tunnel through 126.96.36.199.
Now that I have a 2.6.16 kernel + iptables 1.3.5... will a simple
iptables -t nat -A POSTROUTING -s 192.168.0.4 -d 188.8.131.52 -j SNAT --to
...actually SNAT the packets before they enter the tunnel in the same box?
Or do I need to issue a more specific syntax for a rule to do this?