[Openswan Users] DNAT and ipsec?

Paul Wouters paul at xelerance.com
Sat Mar 17 19:09:42 EDT 2007


On Sat, 17 Mar 2007, Wappie MD wrote:

> I tested it today: if I DNAT from 10.47.. to 10.47..
> I do see packets passing through my FORWARD chain.
> However if I DNAT from 10.47.. (= also my ipsec leftsubnet) to 10.37..
> I _don't_ see packets passing through my FORWARD chain.
> In both cases I _do_ see the packets coming in on PREROUTING DNAT.
>
> Is this intended behaviour? Is there any setting i can use in
> ipsec.conf to pass the packets through FORWARD when I DNAT from
> 10.47.. to 10.37.. whilst using leftsubnet is 10.47..

I am not sure what you are trying to do. You can't NAT packets to
IP addresses that are not defined in the ipsec connection, and then
expect them to be tunneled. IPsec tunnels have policies dictating
which packets are allowed to go through. It's not a virtual ethernet.

Paul
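To make the point in the reply concrete, here is a small added model (not code from the original thread, Openswan, or the kernel) of what a policy-based IPsec stack does with a DNAT'd packet: the PREROUTING DNAT rewrites the destination first, and only then is the packet compared against the tunnel's selectors (leftsubnet/rightsubnet). A packet translated to an address outside the configured subnets no longer matches any policy and is dropped before it ever reaches FORWARD. The subnets, addresses and DNAT rules below are constructed; the page only gives 10.47 as leftsubnet and 10.37 as the translated range, so the rightsubnet and the assumption that the traffic arrives through the tunnel are mine.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Policy:
    """One IPsec tunnel policy: leftsubnet (our side) and rightsubnet (peer side)."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


# Constructed policy: leftsubnet=10.47.0.0/16 as in the thread, rightsubnet assumed.
POLICY = Policy(ipaddress.ip_network("10.47.0.0/16"),
                ipaddress.ip_network("192.168.5.0/24"))

# Constructed inbound packet from the peer's subnet to a host in leftsubnet.
PKT = Packet(src="192.168.5.10", dst="10.47.0.20")


def selector_matches(policy: Policy, pkt: Packet, direction: str) -> bool:
    """Does the packet fall inside the policy's traffic selectors?

    direction "in": packet came out of the tunnel (remote -> local)
    direction "out": packet is about to enter the tunnel (local -> remote)
    """
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if direction == "in":
        return s in policy.remote and d in policy.local
    return s in policy.local and d in policy.remote


def apply_dnat(pkt: Packet, rules) -> Packet:
    """PREROUTING DNAT: rules are (destination-match CIDR, new destination)."""
    for match_dst, new_dst in rules:
        if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(match_dst):
            return Packet(pkt.src, new_dst)
    return pkt


def forward_decision(policy: Policy, pkt: Packet, dnat_rules):
    """Order of operations the thread observes: DNAT first, then the IPsec
    policy lookup on the *translated* packet, and only then FORWARD."""
    translated = apply_dnat(pkt, dnat_rules)
    if not selector_matches(policy, translated, "in"):
        return "dropped by IPsec policy", translated
    return "reaches FORWARD", translated


if __name__ == "__main__":
    # Case 1: DNAT stays inside leftsubnet -> still matches the selectors.
    print(forward_decision(POLICY, PKT, [("10.47.0.20/32", "10.47.0.99")]))
    # Case 2: DNAT to 10.37.x, outside every configured subnet -> no policy.
    print(forward_decision(POLICY, PKT, [("10.37.0.0/16", "x"), ("10.47.0.20/32", "10.37.0.5")]))
```

The fix implied by the reply is therefore a configuration change, not an iptables one: the translated addresses must themselves be covered by a connection's leftsubnet/rightsubnet (for example a second conn, or a wider subnet) before the kernel will forward them.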

