[Openswan Users] DNAT and ipsec?

Wappie MD omight at gmail.com
Mon Mar 19 15:35:40 EDT 2007


Sorry, I wasn't very clear on this :)
These packets I see disappearing are incoming packets I'm trying to
NAT from 10.47.. to 10.37..
After DNATting (and seeing them pass by on PREROUTING) I don't see
them passing FORWARD or INPUT in iptables.
I'm using leftsubnet=10.47.0.0/16

I'm on netkey 2.4.4, kernel 2.6.9, and think that this is a known issue?
Is there a patch I can use to update (netfilter?)
I'm on netfilter 1.2.1.1
Or was this already resolved in 2.4.4 netkey?

Muha

On 3/18/07, Paul Wouters <paul at xelerance.com> wrote:
> On Sat, 17 Mar 2007, Wappie MD wrote:
>
> > I tested it today: if I DNAT from 10.47.. to 10.47..
> > I do see packets passing through my FORWARD chain.
> > However if I DNAT from 10.47.. (= also my ipsec leftsubnet) to 10.37..
> > I _don't_ see packets passing through my FORWARD chain.
> > In both cases I _do_ see the packets coming in on PREROUTING DNAT.
> >
> > Is this intended behaviour? Is there any setting i can use in
> > ipsec.conf to pass the packets through FORWARD when I DNAT from
> > 10.47.. to 10.37.. whilst using leftsubnet is 10.47..
>
> I am not sure what you are trying to do. You can't NAT packets to
> IP addresses that are not defined in the ipsec connection, and then
> expect them to be tunneled. IPsec tunnels have policies dictating
> which packets are allowed to go through. It's not a virtual ethernet.
>
> Paul
>


-- 
e·clec·tic (ĭ-klĕk'tĭk) adj. ~
An individual stroke play game comprising a defined number of rounds.
At the end of the series each of the competitors records his best
score of the series at each hole.
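The symptom above (packets visible in PREROUTING after DNAT, then gone before FORWARD) is consistent with the inbound IPsec policy check being applied to the packet's post-NAT addresses: once the destination has been rewritten to 10.37.x it no longer falls inside leftsubnet=10.47.0.0/16, so no policy matches and the packet is dropped. The following is an added example, not code from the thread or from Openswan; it models that selector check so the two DNAT cases from the thread can be compared side by side. The rightsubnet (192.168.1.0/24), the peer host addresses and the "fix" policy covering 10.37.0.0/16 are constructed assumptions, and the model assumes the policy check sees the post-DNAT destination.

```python
"""
Added example (not from the thread or Openswan): simulate how an IPsec
policy (SPD) selector check treats a packet that PREROUTING DNAT has
already rewritten.  Only leftsubnet=10.47.0.0/16 comes from the thread;
all other addresses below are constructed assumptions.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Tuple


class Policy(NamedTuple):
    """One tunnel's traffic selectors, as in ipsec.conf leftsubnet/rightsubnet."""
    leftsubnet: str
    rightsubnet: str


class Packet(NamedTuple):
    src: str
    dst: str


def dnat(pkt: Packet, match_dst: str, new_dst: str) -> Packet:
    """PREROUTING DNAT: rewrite the destination if it matches the rule."""
    if pkt.dst == match_dst:
        return pkt._replace(dst=new_dst)
    return pkt


def inbound_policy_matches(pkt: Packet, policies: List[Policy]) -> bool:
    """Inbound SPD check for a packet that arrived through the tunnel:
    src must lie in some policy's rightsubnet and dst in its leftsubnet.
    Assumption: the check runs after PREROUTING, so dst is post-NAT."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    return any(
        src in ip_network(p.rightsubnet) and dst in ip_network(p.leftsubnet)
        for p in policies
    )


def forward_after_dnat(pkt: Packet, match_dst: str, new_dst: str,
                       policies: List[Policy]) -> Tuple[Packet, bool]:
    """Apply DNAT, then the policy check; True means the packet would
    go on to the FORWARD chain instead of being dropped."""
    natted = dnat(pkt, match_dst, new_dst)
    return natted, inbound_policy_matches(natted, policies)


# Constructed scenario: the thread's leftsubnet plus an assumed peer side.
TUNNEL = [Policy(leftsubnet="10.47.0.0/16", rightsubnet="192.168.1.0/24")]
# Same tunnel with an extra policy that also covers the NAT target range.
TUNNEL_WITH_10_37 = TUNNEL + [Policy("10.37.0.0/16", "192.168.1.0/24")]
INCOMING = Packet(src="192.168.1.10", dst="10.47.1.1")


def demo() -> dict:
    """Run the three cases discussed in the thread and return the outcomes."""
    return {
        # DNAT 10.47.. -> 10.47..: still inside leftsubnet, reaches FORWARD
        "dnat_within_10_47": forward_after_dnat(
            INCOMING, "10.47.1.1", "10.47.2.2", TUNNEL)[1],
        # DNAT 10.47.. -> 10.37..: outside leftsubnet, dropped before FORWARD
        "dnat_to_10_37": forward_after_dnat(
            INCOMING, "10.47.1.1", "10.37.2.2", TUNNEL)[1],
        # Same DNAT, but a policy covering 10.37.0.0/16 exists: passes
        "dnat_to_10_37_with_policy": forward_after_dnat(
            INCOMING, "10.47.1.1", "10.37.2.2", TUNNEL_WITH_10_37)[1],
    }


if __name__ == "__main__":
    for case, reaches_forward in demo().items():
        print(f"{case}: {'FORWARD' if reaches_forward else 'dropped'}")
```

The third case is the general shape of a fix implied by Paul's reply: the post-NAT addresses must be covered by some IPsec policy, either by widening the subnet selectors or by adding a conn for the NAT target range.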

