[Openswan Users] SNAT before IPSec, save my soul.
tleslie at tcn.net
Fri Mar 24 16:42:54 CET 2006
It would be nice to have some examples of the iptables "policy match",
any resources, or any configs that can be directed to or posted?
I didn't see any at iptables.org.
On Fri, 24 Mar 2006 17:13:24 +0100
"Marco Berizzi" <pupilla at hotmail.com> wrote:
> Adrian R. Sanchez wrote:
> >Can you see what the problem is? I can't get 192.168.0.4 to act like
> >188.8.131.52 before getting into the IPSec tunnel through 184.108.40.206
> This was a problem for Linux kernel < 2.6.16rc
> >Now that I have a 2.6.16 kernel + iptables 1.3.5... will a simple command
> >iptables -t nat -A POSTROUTING -s 192.168.0.4 -d 220.127.116.11 -j SNAT --to
> >...actually SNAT the packets before they enter the tunnel in the same box?
> Yes. Did you try?
> >Or do I need to issue a more specific syntax for a rule to do this?
> You could also use the new 'policy match' to match packets that are
> subject to IPsec processing. It gives you the same functionality as
> the ipsecX devices.
> From man iptables:
>
>     This module matches the policy used by IPsec for handling a packet.
>
>     --dir in|out
>            Used to select whether to match the policy used for
>            decapsulation or the policy that will be used for
>            encapsulation. in is valid in the PREROUTING, INPUT and
>            FORWARD chains, out is valid in the POSTROUTING, OUTPUT and
>            FORWARD chains.
>
>     --pol none|ipsec
>            Matches if the packet is subject to IPsec
>
>     --strict
>            Selects whether to match the exact policy or match if any
>            rule of the policy matches the given policy.
>
>     --reqid id
>            Matches the reqid of the policy rule. The reqid can be
>            specified with setkey(8) using unique:id as level.
>
>     --spi spi
>            Matches the SPI of the SA.
>
>     --proto ah|esp|ipcomp
>            Matches the encapsulation protocol.
>
>     --mode tunnel|transport
>            Matches the encapsulation mode.
>
>     --tunnel-src addr[/mask]
>            Matches the source end-point address of a tunnel mode SA.
>            Only valid with --mode
>
>     --tunnel-dst addr[/mask]
>            Matches the destination end-point address of a tunnel mode
>            SA. Only valid with --mode tunnel.
>
>     --next
>            Start the next element in the policy specification. Can only
>            be used with --strict
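A worked rule set for the question in this thread (SNAT one LAN host before it enters the tunnel, using the policy match quoted above), added here as an example and not taken from the thread or from Openswan. Every address, network and the interface name are placeholders; the script only prints the rules so they can be reviewed before being loaded.

```shell
#!/bin/sh
# Added example, not code from the thread: SNAT one LAN host to the address
# the remote IPsec peer expects, but only on packets the kernel will
# encapsulate, selected with the iptables policy match.
# All addresses and the interface name are placeholders for illustration.
LAN_HOST=192.168.0.4        # host whose source address must be rewritten
SNAT_AS=10.20.30.4          # address the remote side expects to see
LAN_NET=192.168.0.0/24      # local network behind this gateway
REMOTE_NET=172.16.0.0/24    # network behind the remote peer
PEER=203.0.113.1            # remote IPsec tunnel endpoint
WAN_IF=eth0                 # Internet-facing interface

# Print the rules, one per line, in the order they must be loaded.
# Nothing is applied here; review the output, then pipe it to sh as root.
gen_rules() {
    # 1. Rewrite the source only when an outbound tunnel-mode policy to PEER
    #    covers the packet. A packet for REMOTE_NET that no IPsec policy
    #    covers (tunnel not loaded) is left alone and dropped by rule 5
    #    instead of leaving the box in clear text.
    printf '%s\n' "iptables -t nat -A POSTROUTING -s $LAN_HOST -d $REMOTE_NET \
-m policy --dir out --pol ipsec --mode tunnel --tunnel-dst $PEER \
-j SNAT --to-source $SNAT_AS"
    # 2. Exempt all other to-be-encrypted traffic from NAT, so the general
    #    masquerade in rule 3 cannot rewrite addresses inside the tunnel.
    printf '%s\n' "iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT"
    # 3. Ordinary Internet masquerade for everything else.
    printf '%s\n' "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    # 4. Forward traffic from the remote network only if it was decapsulated
    #    from IPsec (the replacement for '-i ipsec0' on older kernels).
    printf '%s\n' "iptables -A FORWARD -s $REMOTE_NET -d $LAN_NET \
-m policy --dir in --pol ipsec -j ACCEPT"
    # 5. Drop clear-text packets towards the remote network (no policy).
    printf '%s\n' "iptables -A FORWARD -d $REMOTE_NET -m policy --dir out --pol none -j DROP"
    # 6. Drop clear-text packets that claim the remote network as source.
    printf '%s\n' "iptables -A FORWARD -s $REMOTE_NET -m policy --dir in --pol none -j DROP"
}

# Number of rules carrying a policy match; a quick sanity check after edits.
count_policy_rules() {
    gen_rules | grep -c -- '-m policy'
}

gen_rules
```

Rules 5 and 6 are what the old ipsecX interfaces gave for free: with the policy match they catch traffic that would otherwise be forwarded in clear when the tunnel is down.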