[Openswan Users] Forward decrypted traffic with NETKEY
Ales Klok
orrie at seznam.cz
Sat Jun 9 04:20:53 EDT 2007
davor krabse wrote:
>>> It should work, with NETKEY both encrypted packets and unencrypted appear
>>> on the public (ethX) interface.
>>>
>>> The esp packets come in pass through iptables, then to openswan/netkey.
>>> They get marked by the first rule and unencrypted by ipsec.
>>>
>>> Then the unencrypted packets are passed through iptables again the mark
>>> remains.
>>> Now it is a udp/1701 packet and it matches the second rule...
>>>
>
> Yes, as far as I understand it works as Peter described. But we all could be
> wrong :).
> The question is: does NETKEY really send encrypted and decrypted packets
> through ipfilter twice, and exactly the same way? I am afraid that
> decrypted packets don't go through PREROUTING and therefore my "decrypted"
> DNAT does not work... I am sure that something is wrong with ipfilter
> settings, because the IPSEC connection between client and linux is established,
> while l2tp is not. Any ideas?
>
> Davor
>
Yes, Peter is right, INCOMING tunnel packets flow twice through
netfilter. I'm using iptables mangling on IPSec traffic without problems
on the prerouting chain. Check the iptables counters with iptables -L -vn and
iptables -L -vn -t nat to see if your rules get hit. You can try to set the default
policy to ACCEPT for testing purposes and finally check the flow with tcpdump.
/ak
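As an added example (not from this thread), a shell sketch of the two-pass scheme Peter describes and the counter check Ales suggests; it assumes eth0 as the public interface, a hypothetical L2TP server at 192.168.1.10, and mark value 1, and the counter sample is constructed.

```shell
#!/bin/sh
# Added example: mark ESP on the first netfilter pass, match the mark on the
# second (decrypted) pass, then verify from the counters that both rules fired.
# IPT=echo gives a dry run that only prints the commands.
IPT="${IPT:-iptables}"

install_rules() {
    # Pass 1: the ESP packet arrives on eth0 and is marked in mangle/PREROUTING.
    $IPT -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
    # Pass 2: after NETKEY decrypts it, the inner udp/1701 packet re-enters
    # PREROUTING with the mark still set and is DNATed to the (hypothetical)
    # L2TP server; unmarked udp/1701 from the wire is left alone.
    $IPT -t nat -A PREROUTING -m mark --mark 1 -p udp --dport 1701 \
        -j DNAT --to-destination 192.168.1.10:1701
}

# Print "CHAIN: TARGET PROTO" for every rule whose packet counter is still 0 in
# `iptables -L -vn` output read from stdin; such a rule never saw the traffic.
zero_hit_rules() {
    awk '/^Chain/   { chain = $2; next }
         /^ *pkts/  { next }
         NF && $1 == 0 { print chain ": " $3 " " $4 }'
}

# Constructed sample: `iptables -L -vn -t mangle` followed by `-t nat`, showing
# the symptom from the thread (ESP gets marked, the DNAT rule is never hit).
SAMPLE_COUNTERS='Chain PREROUTING (policy ACCEPT 10 packets, 800 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  5040 MARK       esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1

Chain PREROUTING (policy ACCEPT 3 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 mark match 0x1 to:192.168.1.10:1701'

# Live use: { iptables -L -vn -t mangle; iptables -L -vn -t nat; } | zero_hit_rules
printf '%s\n' "$SAMPLE_COUNTERS" | zero_hit_rules
```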