[Openswan Users] Forwrward decripted traffic with NETKEY
davor krabse
davorkk at hotmail.com
Sat Jun 9 01:11:15 EDT 2007
> > I would think this is never going to work, as the only
> > packets marked will
> > have ESP protocol, and the DNAT will only match marked
> > packets with UDP
> > protocol.
> >
> > Or have I misunderstood the syntax?
>
>It should work, with NETKEY both encrypted packets and unencrypted appear
>On the public (ethX) interface.
>
>The esp packets come in pass through iptables, then to openswan/netkey.
>They get marked by the first rule and unencrypted by ipsec.
>
>Then the unencrypted packets are passed through iptables again the mark
>remains.
>Now it is an udp/1701 packet and it matches the second rule...
Yes, as far as I uderstand it works as Peter described. But we all could be
wrong :).
The question is: does NETKEY rereally send encrypted and decrypted packets
through ipfillter twice, and exactly the same way? I am afraid that
decrypted packets don't go through PREROUTING and therefore my "decrypted"
DNAT does not work... I am sure, that something is wrong with ipfilter
settings, because IPSEC connection between client and linux is established,
while l2tp is not. Any ideas?
Davor
_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar - get it now!
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
More information about the Users
mailing list