[Openswan Users] SNAT before IPSec, save my soul.

ted leslie tleslie at tcn.net
Fri Mar 24 16:42:54 CET 2006


It would be nice to have some examples of the iptables "policy match":
any resources, or any configs, that I can be directed to or that could be posted?

I didn't see any at iptables.org.

-tl



On Fri, 24 Mar 2006 17:13:24 +0100
"Marco Berizzi" <pupilla at hotmail.com> wrote:

> Adrian R. Sanchez wrote:
> 
> >Can you see what the problem is? I can't get 192.168.0.4 to act like
> >200.0.0.2 before getting into the IPSec tunnel through 140.0.0.2
> 
> This was a problem for linux kernel < 2.6.16rc
> 
> >Now that I have a 2.6.16 kernel + iptables 1.3.5... will a simple command 
> >like:
> >
> >iptables -t nat -A POSTROUTING -s 192.168.0.4 -d 140.0.0.2 -j SNAT --to 
> >200.0.0.2
> >
> >...actually SNAT the packets before they enter the tunnel in the same box?
> 
> Yes. Did you try?
> 
> >Or do I need to issue a more specific syntax for a rule to do this?
> 
> You could also use the new 'policy match' to match packets that are
> subject to IPsec processing. It gives you the same functionality as the
> ipsecX devices.
> 
> From man iptables:
> 
> policy
>        This module matches the policy used by IPsec for
>        handling a packet.
> 
>        --dir in|out
>               Used to select whether to match the policy
>               used for decapsulation or the policy  that
>               will  be  used  for  encapsulation.  in is
>               valid in the PREROUTING, INPUT and FORWARD
>               chains,  out  is valid in the POSTROUTING,
>               OUTPUT and FORWARD chains.
> 
>        --pol none|ipsec
>               Matches if the packet is subject to  IPsec
>               processing.
> 
>        --strict
>               Selects  whether to match the exact policy
>               or match if any rule of the policy matches
>               the given policy.
> 
>        --reqid id
>               Matches  the reqid of the policy rule. The
>               reqid  can  be  specified  with  setkey(8)
>               using unique:id as level.
> 
>        --spi spi
>               Matches the SPI of the SA.
> 
>        --proto ah|esp|ipcomp
>               Matches the encapsulation protocol.
> 
>        --mode tunnel|transport
>               Matches the encapsulation mode.
> 
>        --tunnel-src addr[/mask]
>               Matches  the source end-point address of a
>               tunnel mode SA.  Only  valid  with  --mode
>               tunnel.
> 
>        --tunnel-dst addr[/mask]
>               Matches  the destination end-point address
>               of a tunnel  mode  SA.   Only  valid  with
>               --mode tunnel.
> 
>        --next Start the next element in the policy spec-
>               ification. Can only be used with --strict
> 
> 