[Openswan Users] Forward decrypted traffic with NETKEY

Peter McGill petermcgill at goco.net
Fri Jun 8 13:38:51 EDT 2007


> -----Original Message-----
> From: Administrator [mailto:admin at different-perspectives.com] 
> Sent: June 8, 2007 1:30 PM
> To: petermcgill at goco.net; davorkk at hotmail.com
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Forward decrypted traffic with NETKEY
> 
> > >
> > > iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1
> > > iptables -t nat -A PREROUTING -m mark --mark 1 -p udp --dport 1701 -j DNAT --to localWin2K3
> > >
> >
> > Looks good, do you get any errors when you input them?
> > Is iptables mark enabled in your kernel?
> > Is localWin2K3 a hostname or ip address?
> > If hostname must be in /etc/hosts because iptables runs before dns.
> 
> I would think this is never going to work, as the only packets marked will
> have ESP protocol, and the DNAT will only match marked packets with UDP protocol.
> 
> Or have I misunderstood the syntax?

It should work; with NETKEY both the encrypted and the unencrypted packets appear
on the public (ethX) interface.

The ESP packets come in, pass through iptables, then go to openswan/netkey.
They get marked by the first rule and decrypted by IPsec.

Then the decrypted packets are passed through iptables again, and the mark remains.
Now it is a UDP/1701 packet and it matches the second rule...

Peter
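The double traversal Peter describes, assembled into a complete script as an added example (this is not code from the original thread or from the Openswan project). It takes the two rules from the thread, adds the FORWARD rule the DNATed packet still has to pass, and includes the check a practitioner would run to confirm the mark really survives decryption. Assumed names that do not appear in the mail: eth0 as the public interface and 192.168.1.20 standing in for "localWin2K3" (an IP address rather than a hostname, so nothing depends on DNS when the rules load at boot).

```shell
#!/bin/sh
# Added example, not from the original thread or from Openswan.
# Assumed (not in the original mail): eth0 is the public interface and
# 192.168.1.20 stands in for "localWin2K3".
PUB_IF="${PUB_IF:-eth0}"
L2TP_SERVER="${L2TP_SERVER:-192.168.1.20}"
ESP_MARK="${ESP_MARK:-1}"
# Set IPTABLES=echo to print the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"

# Emit the ruleset, one "-t table -A chain ..." line per rule, for review or apply.
netkey_l2tp_rules() {
    # 1. First traversal: the packet arrives as ESP. Mark it here; NETKEY then
    #    hands it to XFRM, decrypts it and re-injects the clear-text UDP/1701
    #    packet on the same interface with the mark still attached.
    echo "-t mangle -A PREROUTING -i $PUB_IF -p esp -j MARK --set-mark $ESP_MARK"
    # 2. Second traversal: the packet is now UDP/1701 and still carries the mark,
    #    so the DNAT matches. Because the mark is required, plain unprotected
    #    UDP/1701 arriving from the Internet is never forwarded to the Windows host.
    echo "-t nat -A PREROUTING -i $PUB_IF -m mark --mark $ESP_MARK -p udp --dport 1701 -j DNAT --to-destination $L2TP_SERVER"
    # 3. After DNAT the packet traverses FORWARD; accept it there, keyed on the
    #    same mark, in case that chain's policy is DROP.
    echo "-t filter -A FORWARD -i $PUB_IF -m mark --mark $ESP_MARK -p udp -d $L2TP_SERVER --dport 1701 -j ACCEPT"
    # Caveat: if a peer sits behind NAT, NAT-T wraps ESP in UDP/4500 and rule 1
    # never fires; add a "-p udp --dport 4500" rule with the same MARK target then.
}

# Feed each rule to iptables (or to whatever $IPTABLES points at).
apply_rules() {
    netkey_l2tp_rules | while IFS= read -r rule; do
        # Word splitting of $rule is intended: each field is one argument.
        # shellcheck disable=SC2086
        $IPTABLES $rule
    done
}

# Rule counters are the quickest check that the mark survives decryption:
# the mangle MARK rule and the nat DNAT rule should count up together as
# L2TP sessions start. If only the MARK rule counts, the decrypted packet is
# not being seen with the mark on its second pass.
show_counters() {
    $IPTABLES -t mangle -L PREROUTING -v -n
    $IPTABLES -t nat -L PREROUTING -v -n
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
elif [ "${1:-}" = "--check" ]; then
    show_counters
fi
```

Preview with `IPTABLES=echo sh netkey-l2tp.sh --apply`, install with `sudo sh netkey-l2tp.sh --apply`, and verify with `sudo sh netkey-l2tp.sh --check` while a client connects. The rules are appended with `-A`, so make sure no earlier rule in the same chains accepts or NATs the packet first. Later kernels also offer the `policy` match (`-m policy --dir in --pol ipsec`) to select packets that were just decapsulated by IPsec without the mark trick; that option is not discussed in the thread and is mentioned here only as an alternative.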
