[Openswan Users] DNAT and ipsec?

Wappie MD omight at gmail.com
Sat Mar 17 16:33:22 EDT 2007


I'm running Red Hat 3.4.4-2
Openswan U2.4.4/K2.6.9-22.ELsmp (netkey)
So that is a 2.6 kernel.

I tested it today: if I DNAT from 10.47.. to 10.47..
I do see packets passing through my FORWARD chain.
However if I DNAT from 10.47.. (= also my ipsec leftsubnet) to 10.37..
I _don't_ see packets passing through my FORWARD chain.
In both cases I _do_ see the packets coming in on PREROUTING DNAT.

Is this intended behaviour? Is there any setting I can use in
ipsec.conf to pass the packets through FORWARD when I DNAT from
10.47.. to 10.37.. whilst leftsubnet is 10.47..?

Thanks,
Muha

On 3/17/07, Harald Scharf <h.scharf at nestec.at> wrote:
> Hi,
>
> What is the kernel release, you have in use?
>
> regards
>
> harald
>
> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On behalf of Wappie MD
> Sent: Saturday, 17 March 2007 09:56
> To: users at openswan.org
> Subject: [Openswan Users] DNAT and ipsec?
>
> Hi,
> I have a question and was wondering if anyone can confirm this.
> I'm DNAT-ting packets from 10.47.0.0 to 10.37.0.0 in iptables.
> Also: my leftsubnet in ipsec.conf is:
> leftsubnet=10.47.0.0/16
>
> I've been looking through my iptables logging and have found that packets arrive on PREROUTING in iptables. After that they disappear from iptables altogether. I can't find them anymore on either FORWARD or INPUT.
>
> Is this intended behaviour? Is there any setting I can use in ipsec.conf to prevent this from happening? I'm using NETKEY.
>
> thanks heaps for input,
> Muha

