[Openswan Users] SNAT before IPSec, save my soul.

Marco Berizzi pupilla at hotmail.com
Fri Mar 24 17:13:24 CET 2006

Adrian R. Sanchez wrote:

>Can you see what the problem is? I can't get to act like
> before getting into the IPSec tunnel through

This was a problem for linux kernel < 2.6.16rc

>Now that I have a 2.6.16 kernel + iptables 1.3.5... will a simple command 
>iptables -t nat -A POSTROUTING -s -d -j SNAT --to 
>...actually SNAT the packets before they enter the tunnel in the same box?

Yes. Did you try?

>Or do I need to issue a more specific syntax for a rule to do this?

You could also use the new 'policy match' to match packet that are
subject to ipsec processing. It give you the same functionality as
ipsecX devices.

>From man iptables:

       This modules matches the policy used by IPsec for
       handling a packet.

       --dir in|out
              Used to select whether to match the policy
              used for decapsulation or the policy  that
              will  be  used  for  encapsulation.  in is
              valid in the PREROUTING, INPUT and FORWARD
              chains,  out  is valid in the POSTROUTING,
              OUTPUT and FORWARD chains.

       --pol none|ipsec
              Matches if the packet is subject to  IPsec

              Selects  whether to match the exact policy
              or match if any rule of the policy matches
              the given policy.

       --reqid id
              Matches  the reqid of the policy rule. The
              reqid  can  be  specified  with  setkey(8)
              using unique:id as level.

       --spi spi
              Matches the SPI of the SA.

       --proto ah|esp|ipcomp
              Matches the encapsulation protocol.

       --mode tunnel|transport
              Matches the encapsulation mode.

       --tunnel-src addr[/mask]
              Matches  the source end-point address of a
	      tunnel mode SA.  Only  valid  with  --mode

       --tunnel-dst addr[/mask]
              Matches  the destination end-point address
              of a tunnel  mode  SA.   Only  valid  with
              --mode tunnel.

       --next Start the next element in the policy spec-
              ification. Can only be used with --strict

More information about the Users mailing list