[Openswan Users] Forward decrypted traffic with NETKEY

davor krabse davorkk at hotmail.com
Sat Jun 9 01:11:15 EDT 2007


> > I would think this is never going to work, as the only
> > packets marked will
> > have ESP protocol, and the DNAT will only match marked
> > packets with UDP
> > protocol.
> >
> > Or have I misunderstood the syntax?
>
>It should work, with NETKEY both encrypted packets and unencrypted appear
>on the public (ethX) interface.
>
>The ESP packets come in, pass through iptables, then go to openswan/netkey.
>They get marked by the first rule and decrypted by ipsec.
>
>Then the unencrypted packets are passed through iptables again; the mark
>remains.
>Now it is a udp/1701 packet and it matches the second rule...

Yes, as far as I understand it works as Peter described. But we all could be 
wrong :).
The question is: does NETKEY really send encrypted and decrypted packets 
through ipfilter twice, and exactly the same way? I am afraid that 
decrypted packets don't go through PREROUTING and therefore my "decrypted" 
DNAT does not work... I am sure that something is wrong with the ipfilter 
settings, because the IPSEC connection between client and linux is established, 
while l2tp is not. Any ideas?

Davor
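One way to settle the question raised above (whether decrypted packets re-enter PREROUTING with the mark still set) is to compare the packet counters of the ESP MARK rule and of a counting rule for marked udp/1701 before and after sending some L2TP traffic. The script below is an added example, not code from this thread; the listings are constructed samples modelled on `iptables -t mangle -L PREROUTING -v -n -x` output, and the counting rule (`-m mark --mark 0x1 -p udp --dport 1701 -j RETURN`) is an assumed diagnostic rule, not one from Davor's setup.

```python
import re
# Constructed sample listings modelled on `iptables -t mangle -L PREROUTING -v -n -x`
# (not real captures). Rule 1 is the MARK rule for incoming ESP; rule 2 is an assumed
# counting rule that can only match a decrypted packet re-entering PREROUTING still marked.
BEFORE = """\
Chain PREROUTING (policy ACCEPT 1200 packets, 500000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      40     8000 MARK       esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
       0        0 RETURN     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            mark match 0x1 udp dpt:1701
"""
# After some L2TP traffic: both counters moved, so decrypted packets did traverse PREROUTING.
AFTER_REENTRY = """\
Chain PREROUTING (policy ACCEPT 1230 packets, 512000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      52    10400 MARK       esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
      12     1500 RETURN     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            mark match 0x1 udp dpt:1701
"""
# ESP counter moved but the udp/1701 counter did not: decrypted packets never hit the rule.
AFTER_NO_REENTRY = """\
Chain PREROUTING (policy ACCEPT 1230 packets, 512000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      52    10400 MARK       esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
       0        0 RETURN     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            mark match 0x1 udp dpt:1701
"""
# Columns: pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_counters(listing):
    """Parse rule lines into (pkts, target, proto, match_text); header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(3), m.group(4), m.group(5).strip()))
    return rules

def rule_packets(rules, proto, needle=""):
    """Packet counter of the first rule with protocol `proto` whose match text contains `needle`."""
    for pkts, _target, prot, match in rules:
        if prot == proto and needle in match:
            return pkts
    raise LookupError(f"no {proto} rule matching {needle!r}")

def decrypted_reenters_prerouting(before, after):
    """True if, while ESP was arriving, the marked udp/1701 rule also counted packets."""
    b, a = parse_counters(before), parse_counters(after)
    esp_delta = rule_packets(a, "esp") - rule_packets(b, "esp")
    l2tp_delta = rule_packets(a, "udp", "dpt:1701") - rule_packets(b, "udp", "dpt:1701")
    return esp_delta > 0 and l2tp_delta > 0
```

If the udp/1701 counter never moves while the ESP counter does, the DNAT rule cannot be matching either, which would point at the packet path rather than at the DNAT syntax.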
