[Openswan Users] DNAT and ipsec?
Wappie MD
omight at gmail.com
Mon Mar 19 15:35:40 EDT 2007
Sorry, I wasn't very clear on this :)
These packets I see dissappearing are incoming packets I'm trying to
nat from 10.47.. to 10.37..
After DNATting (and seeing them pass by on PREROUTING) I don't see
them passing FORWARD or INPUT in iptables.
I'm using leftsubnet=10.47.0.0/16
I'm on netkey 2.4.4 kernel 2.6.9. and think that this is a known issue?
Is there a patch I can use to update (netfilter?)
I'm on netfilter 1.2.1.1
Or was this already resolved in 2.4.4 netkey?
Muha
On 3/18/07, Paul Wouters <paul at xelerance.com> wrote:
> On Sat, 17 Mar 2007, Wappie MD wrote:
>
> > I tested it today: if I DNAT from 10.47.. to 10.47..
> > I do see packets passing through my FORWARD chain.
> > However if I DNAT from 10.47.. (= also my ipsec leftsubnet) to 10.37..
> > I _don't_ see packets passing through my FORWARD chain.
> > In both cases I _do_ see the packets coming in on PREROUTING DNAT.
> >
> > Is this intended behaviour? Is there any setting i can use in
> > ipsec.conf to pass the packets through FORWARD when I DNAT from
> > 10.47.. to 10.37.. whilst using leftsubnet is 10.47..
>
> I am not sure what you are trying to do. You can't NAT packets to
> IP addresses that are not defined in the ipsec connection, and then
> execpt them to be tunneled. IPsec tunnels have policies dictating
> which packets are allowed to go through. It's not a virtual ethernet.
>
> Paul
>
--
e·clec·tic (-klktk) adj. ~
An individual stroke play game comprising a defined number of rounds.
At the end of the series each of the competitors records his best
score of the series at each hole.
More information about the Users
mailing list