[Openswan Users] DNAT and ipsec?

Ruben Laban r.laban at ism.nl
Tue Mar 20 03:49:23 EDT 2007


AFAIK the problem is with NETKEY, not iptables. KLIPS has much better support 
for DNAT/SNAT. Last time I checked, using DNAT/SNAT combined with NETKEY was 
discouraged. If you want to use NAT for tunneled traffic, you probably want 
to move to the KLIPS stack.

Ruben

On Monday 19 March 2007, Wappie MD wrote:
> Sorry, I wasn't very clear on this :)
> These packets I see disappearing are incoming packets I'm trying to
> NAT from 10.47.. to 10.37..
> After DNATting (and seeing them pass by on PREROUTING) I don't see
> them passing FORWARD or INPUT in iptables.
> I'm using leftsubnet=10.47.0.0/16
> 
> I'm on netkey 2.4.4, kernel 2.6.9, and think that this is a known issue?
> Is there a patch I can use to update (netfilter?)
> I'm on netfilter 1.2.1.1
> Or was this already resolved in 2.4.4 netkey?
> 
> Muha
> 
> On 3/18/07, Paul Wouters <paul at xelerance.com> wrote:
> > On Sat, 17 Mar 2007, Wappie MD wrote:
> >
> > > I tested it today: if I DNAT from 10.47.. to 10.47..
> > > I do see packets passing through my FORWARD chain.
> > > However if I DNAT from 10.47.. (= also my ipsec leftsubnet) to 10.37..
> > > I _don't_ see packets passing through my FORWARD chain.
> > > In both cases I _do_ see the packets coming in on PREROUTING DNAT.
> > >
> > > Is this intended behaviour? Is there any setting i can use in
> > > ipsec.conf to pass the packets through FORWARD when I DNAT from
> > > 10.47.. to 10.37.. whilst using leftsubnet is 10.47..
> >
> > I am not sure what you are trying to do. You can't NAT packets to
> > IP addresses that are not defined in the ipsec connection, and then
> > execpt them to be tunneled. IPsec tunnels have policies dictating
> > which packets are allowed to go through. It's not a virtual ethernet.
> >
> > Paul
> >
> 
> 
> -- 
> e·clec·tic (-klktk) adj. ~
> An individual stroke play game comprising a defined number of rounds.
> At the end of the series each of the competitors records his best
> score of the series at each hole.
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
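The point Paul makes (a tunnel only carries packets whose addresses fall inside the connection's selectors, and a DNAT changes those addresses before the policy lookup sees them) can be made concrete with a small model. The following is an added illustration written for this page, not Openswan or kernel code: it reproduces the selector arithmetic only, not the exact order of hooks in any particular kernel. The local subnet 10.47.0.0/16 and the DNAT target 10.37.0.0/16 are the ones from the thread; the peer subnet 192.168.0.0/24, the host addresses and the connection names are assumptions made up for the example.

```python
"""Toy model of IPsec SPD selector matching versus an iptables PREROUTING DNAT.

Added illustration for the Openswan thread, not Openswan or kernel code.
10.47.0.0/16 (leftsubnet) and 10.37.0.0/16 (the DNAT target) come from the
thread; 192.168.0.0/24, the hosts and the policy names are assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """One tunnel-mode policy: traffic between `local` and `remote` only."""
    name: str
    local: IPv4Network   # leftsubnet
    remote: IPv4Network  # rightsubnet


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def lookup(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """First policy whose selectors cover the packet, in either direction.

    Inbound tunnel traffic is remote -> local, outbound is local -> remote.
    The lookup only sees the addresses the packet carries at that moment.
    """
    for p in policies:
        inbound = pkt.src in p.remote and pkt.dst in p.local
        outbound = pkt.src in p.local and pkt.dst in p.remote
        if inbound or outbound:
            return p
    return None


def dnat(pkt: Packet, new_dst: str) -> Packet:
    """PREROUTING DNAT: rewrite the destination, keep the source."""
    return Packet(pkt.src, ip_address(new_dst))


def trace(policies: List[Policy], pkt: Packet,
          dnat_to: Optional[str] = None) -> dict:
    """Report which policy matches before and after an optional DNAT."""
    before = lookup(policies, pkt)
    after_pkt = dnat(pkt, dnat_to) if dnat_to else pkt
    after = lookup(policies, after_pkt)
    return {
        "before": before.name if before else None,
        "after": after.name if after else None,
        "dst_after": str(after_pkt.dst),
    }


# The conn from the thread: leftsubnet=10.47.0.0/16. Peer subnet is assumed.
SPD = [Policy("site-to-site", ip_network("10.47.0.0/16"),
              ip_network("192.168.0.0/24"))]

# Constructed inbound packet from the peer side to a host in leftsubnet.
INBOUND = Packet(ip_address("192.168.0.10"), ip_address("10.47.1.1"))


def dnat_inside_leftsubnet() -> dict:
    """10.47.x -> 10.47.y: the rewritten packet still falls in the selector."""
    return trace(SPD, INBOUND, dnat_to="10.47.2.2")


def dnat_outside_leftsubnet() -> dict:
    """10.47.x -> 10.37.y: no policy covers 10.37.0.0/16, so after the DNAT
    the packet is not tunnel traffic as far as the SPD is concerned.
    This is the thread's case: seen in PREROUTING, never in FORWARD."""
    return trace(SPD, INBOUND, dnat_to="10.37.2.2")


def dnat_with_second_conn() -> dict:
    """Paul's rule applied: once the NATed addresses are defined in a
    connection they match again. In this model a second policy (assumed
    name) carries 10.37.0.0/16 to the same peer."""
    spd = SPD + [Policy("site-to-site-10.37", ip_network("10.37.0.0/16"),
                        ip_network("192.168.0.0/24"))]
    return trace(spd, INBOUND, dnat_to="10.37.2.2")


if __name__ == "__main__":
    for fn in (dnat_inside_leftsubnet, dnat_outside_leftsubnet,
               dnat_with_second_conn):
        print(f"{fn.__name__}: {fn()}")
```

The model deliberately says nothing about which stack (KLIPS or NETKEY) drops the non-matching packet or where; it only shows that a DNAT to an address outside every conn's leftsubnet/rightsubnet produces a packet no policy claims, which is why the fix is to put the NATed range into a connection rather than to look for an ipsec.conf knob that forces it through FORWARD.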

