[Openswan Users] SNAT before IPSec, save my soul.

Marco Berizzi pupilla at hotmail.com
Mon Mar 27 11:01:13 CEST 2006


ted leslie wrote:

> any resources

Here is an example:

# outbound: packets about to be encrypted into the tunnel .247 -> .226
iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel \
    --tunnel-src 172.16.1.247 --tunnel-dst 172.16.1.226 -j ACCEPT

# inbound: packets just decrypted from the tunnel .226 -> .247
iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel \
    --tunnel-dst 172.16.1.247 --tunnel-src 172.16.1.226 -j ACCEPT

172.16.1.247 and 172.16.1.226 are the
tunnel ipsec endpoint addresses. These
two rules match (and accept) packets
inside the ipsec tunnel(s) between these
ipsec endpoints.
These two rules are equivalent to '-o
ipsecX' and '-i ipsecX' respectively.
On the same rule you may also add '-s'
and/or '-d' parameters, for example:

# same outbound policy match, narrowed to the clear-text src/dst networks
iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel \
    --tunnel-src 172.16.1.247 --tunnel-dst 172.16.1.226 \
    -s 192.168.10.0/24 -d 10.55.77.0/24 -j ACCEPT    # or -j DROP

This rule accepts/drops packets from the
172.16.1.247 ipsec endpoint (out dir)
to the 172.16.1.226 ipsec endpoint;
the "clear text" packets must be from the
192.168.10.0/24 network to the 10.55.77.0/24
network.
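As an added example (not Marco's commands and not Openswan's own code), the policy-match rules above together with the SNAT-before-encryption rule that the thread's subject asks about, written as shell functions that print the iptables commands so the rule set can be reviewed without root and applied afterwards. The endpoint addresses 172.16.1.247 and 172.16.1.226 and the networks 192.168.10.0/24 and 10.55.77.0/24 are taken from the post; the SNAT source 192.168.10.254 and the WAN interface eth0 are assumptions. The SNAT rule assumes the in-kernel NETKEY/xfrm IPsec stack, where the clear-text packet passes nat/POSTROUTING before it is encrypted and `-m policy --dir out` identifies it there.

```shell
#!/bin/sh
# Added example: policy-match FORWARD rules plus SNAT applied to the
# clear-text packet before IPsec encapsulation. Functions only print the
# commands; pipe the output into sh as root to apply them.
set -eu

LOCAL_EP=172.16.1.247        # our tunnel endpoint (from the post)
REMOTE_EP=172.16.1.226       # peer tunnel endpoint (from the post)
LOCAL_NET=192.168.10.0/24    # our clear-text network (from the post)
REMOTE_NET=10.55.77.0/24     # remote clear-text network (from the post)
SNAT_ADDR=192.168.10.254     # assumed: must lie inside LOCAL_NET so the
                             # rewritten packet still matches the SPD selector
WAN_IF=eth0                  # assumed: interface carrying ordinary Internet traffic

# policy_match DIR: the '-m policy' clause for packets that are about to be
# encrypted into (out) or were just decrypted from (in) the tunnel between
# LOCAL_EP and REMOTE_EP. This is the NETKEY equivalent of '-o/-i ipsecX'.
policy_match() {
    case "$1" in
        out) printf '%s' "-m policy --dir out --pol ipsec --mode tunnel --tunnel-src $LOCAL_EP --tunnel-dst $REMOTE_EP" ;;
        in)  printf '%s' "-m policy --dir in --pol ipsec --mode tunnel --tunnel-src $REMOTE_EP --tunnel-dst $LOCAL_EP" ;;
        *)   echo "policy_match: direction must be 'in' or 'out'" >&2; return 1 ;;
    esac
}

# forward_rule DIR TARGET: FORWARD rule limited to the clear-text selectors,
# so only traffic between the two networks is ACCEPTed (or DROPped) in the tunnel.
forward_rule() {
    case "$1" in
        out) printf 'iptables -A FORWARD %s -s %s -d %s -j %s\n' \
                 "$(policy_match out)" "$LOCAL_NET" "$REMOTE_NET" "$2" ;;
        in)  printf 'iptables -A FORWARD %s -s %s -d %s -j %s\n' \
                 "$(policy_match in)" "$REMOTE_NET" "$LOCAL_NET" "$2" ;;
        *)   echo "forward_rule: direction must be 'in' or 'out'" >&2; return 1 ;;
    esac
}

# snat_rule: rewrite the clear-text source to SNAT_ADDR only for packets the
# kernel will encrypt into this tunnel. It must precede any general
# MASQUERADE rule, otherwise the packet is masqueraded to the WAN address,
# falls outside the SPD selector and is sent in clear or dropped.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING %s -s %s -d %s -j SNAT --to-source %s\n' \
        "$(policy_match out)" "$LOCAL_NET" "$REMOTE_NET" "$SNAT_ADDR"
}

# rules: the complete ordered rule set (specific IPsec rules first).
rules() {
    forward_rule out ACCEPT
    forward_rule in ACCEPT
    snat_rule
    # leave every other IPsec-bound packet untouched by NAT ...
    printf 'iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n'
    # ... and masquerade only what really leaves in clear on the WAN interface
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
}

rules
```

Running the script prints the five commands for review; `sh script.sh | sudo sh` applies them. The ordering in `rules` is the part that matters in practice: the SNAT rule and the `-m policy ... -j ACCEPT` rule both sit before MASQUERADE in nat/POSTROUTING, which is what keeps the masquerade from rewriting clear-text packets that the IPsec policy still has to match.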
