[Openswan Users] Forward decrypted traffic with NETKEY
davor krabse
davorkk at hotmail.com
Fri Jun 8 11:29:19 EDT 2007
I have the production server Debian Sarge, running openswan 2.2.0-8 on
2.4.27 with kernel patch - klips. This ipsec implementation has an ipsec
device, so I forward l2tp traffic from the ipsec0 device to a Windows 2003 Server
that acts as the l2tp server. I use DNAT:
iptables -t nat -A PREROUTING -i ipsec0 -p udp --dport 1701 -j DNAT --to localWin2K3
The ipsec/l2tp configuration works well.
I have a new server now, running Debian Etch on 2.6.18.3 with openswan
2.4.6. I would like to use the native kernel ipsec implementation - NETKEY.
As there is no ipsec device in NETKEY, I do not have simple access
to the decrypted l2tp traffic.
To solve the problem, some articles on the net suggest using the iptables mark
facility to mark packets that were entering the INPUT chain in encapsulated
form (e.g. ESP). As far as I understand, decrypted packets appear on the
INPUT/FORWARD firewall again, but in unencrypted form. I read that NETKEY
decryption preserves the mark. So I changed the above simple DNAT to:
iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1
iptables -t nat -A PREROUTING -m mark --mark 1 -p udp --dport 1701 -j DNAT --to localWin2K3
Unfortunately there is no l2tp traffic DNATed to localWin2K3. Any ideas??
Davor
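The rule set described in the post, written up as a parameterised script. This is an added example, not code from the post or from the Openswan project. It assumes: the internal L2TP server is given as a dotted-quad IPv4 address (192.0.2.10 below is a constructed placeholder for the post's localWin2K3), `--to-destination` is the long form of the `--to` used in the post, and the kernel provides the xt_policy match (`-m policy`), which selects packets the kernel has just decapsulated from an IPsec SA and so offers a way to match decrypted L2TP that does not depend on a mark. With DRY_RUN set the functions only print the rules; unset it to apply them with the real iptables binary.

```shell
#!/bin/sh
# Added example: forward decrypted L2TP (UDP 1701) to an internal L2TP server
# on a NETKEY host. Target address, port and mark value are assumptions.

L2TP_PORT=1701
MARK_VALUE=1

# run prints the rule when DRY_RUN is set; otherwise it executes iptables.
run() {
  if [ -n "$DRY_RUN" ]; then
    printf '%s\n' "iptables $*"
  else
    iptables "$@"
  fi
}

# valid_ipv4 returns 0 when $1 is a dotted-quad IPv4 address with octets
# in 0..255. It rejects host names such as the post's localWin2K3, which
# DNAT --to-destination would not resolve. Runs in a subshell so the IFS
# change does not leak.
valid_ipv4() (
  case "$1" in
    *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
  esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  for octet; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
)

# mark_rules emits the rule set from the post: tag ESP on arrival, then DNAT
# the decrypted L2TP packet that carries the same mark.
mark_rules() {
  target=$1
  valid_ipv4 "$target" || { echo "bad target address: $target" >&2; return 1; }
  run -t mangle -A PREROUTING -p esp -j MARK --set-mark "$MARK_VALUE"
  run -t nat -A PREROUTING -m mark --mark "$MARK_VALUE" \
      -p udp --dport "$L2TP_PORT" -j DNAT --to-destination "$target"
}

# policy_rules emits an alternative (assumed xt_policy support): match on the
# inbound IPsec policy the packet was decapsulated under instead of a mark,
# and only forward L2TP that arrived through the tunnel.
policy_rules() {
  target=$1
  valid_ipv4 "$target" || { echo "bad target address: $target" >&2; return 1; }
  run -t nat -A PREROUTING -m policy --dir in --pol ipsec --proto esp \
      -p udp --dport "$L2TP_PORT" -j DNAT --to-destination "$target"
  run -A FORWARD -m policy --dir in --pol ipsec --proto esp \
      -p udp -d "$target" --dport "$L2TP_PORT" -j ACCEPT
}
```

Usage: `DRY_RUN=1 sh -c '. ./l2tp-dnat.sh; mark_rules 192.0.2.10'` prints the two rules from the post with the placeholder replaced; `policy_rules` prints the xt_policy variant. The FORWARD rule in the second set restricts forwarding to L2TP that actually came out of an IPsec SA, so a plaintext UDP 1701 packet from the outside is not forwarded to the Windows host.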