[Openswan Users] SNAT before IPSec, save my soul.
Marco Berizzi
pupilla at hotmail.com
Fri Mar 24 17:13:24 CET 2006
Adrian R. Sanchez wrote:
>Can you see what the problem is? I can't get 192.168.0.4 to act like
>200.0.0.2 before getting into the IPSec tunnel through 140.0.0.2
This was a problem for linux kernel < 2.6.16rc
>Now that I have a 2.6.16 kernel + iptables 1.3.5... will a simple command
>like:
>
>iptables -t nat -A POSTROUTING -s 192.168.0.4 -d 140.0.0.2 -j SNAT --to 200.0.0.2
>
>...actually SNAT the packets before they enter the tunnel in the same box?
Yes. Did you try?
>Or do I need to issue a more specific syntax for a rule to do this?
You could also use the new 'policy match' to match packets that are
subject to ipsec processing. It gives you the same functionality as the
ipsecX devices.
From man iptables:
policy
    This module matches the policy used by IPsec for handling a packet.

    --dir in|out
        Used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation. in is valid in the PREROUTING, INPUT and FORWARD chains, out is valid in the POSTROUTING, OUTPUT and FORWARD chains.

    --pol none|ipsec
        Matches if the packet is subject to IPsec processing.

    --strict
        Selects whether to match the exact policy or match if any rule of the policy matches the given policy.

    --reqid id
        Matches the reqid of the policy rule. The reqid can be specified with setkey(8) using unique:id as level.

    --spi spi
        Matches the SPI of the SA.

    --proto ah|esp|ipcomp
        Matches the encapsulation protocol.

    --mode tunnel|transport
        Matches the encapsulation mode.

    --tunnel-src addr[/mask]
        Matches the source end-point address of a tunnel mode SA. Only valid with --mode tunnel.

    --tunnel-dst addr[/mask]
        Matches the destination end-point address of a tunnel mode SA. Only valid with --mode tunnel.

    --next
        Start the next element in the policy specification. Can only be used with --strict