[Openswan Users] DNAT and ipsec?

Scott Miller Scott.Miller at prioritytech.com
Tue Mar 20 10:30:36 EDT 2007


First a disclaimer, I'm not an Openswan guru, so it's possible I'm way
off base. But, as a network/systems guy, it would seem to me that if the
packet has hit the firewall rules, NETKEY should have already given
control of that packet to the kernel, and the kernel has passed control
to the firewall rules, so now it should be controlled by those firewall
rules.

If the above is an accurate description of what is actually going on, I
would look hard at the filtering/output areas to ensure the packet isn't
being dropped.

-Scott

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Ruben Laban
Sent: Tuesday, March 20, 2007 2:49 AM
To: users at openswan.org
Subject: Re: [Openswan Users] DNAT and ipsec?

AFAIK the problem is with NETKEY, not iptables. KLIPS has much better support
for DNAT/SNAT. Last time I checked, using DNAT/SNAT combined with NETKEY was
discouraged. If you want to use NAT for tunneled traffic, you probably want to
move to the KLIPS stack.

Ruben

On Monday 19 March 2007, Wappie MD wrote:
> Sorry, I wasn't very clear on this :)
> These packets I see disappearing are incoming packets I'm trying to
> NAT from 10.47.. to 10.37..
> After DNATting (and seeing them pass by on PREROUTING) I don't see
> them passing FORWARD or INPUT in iptables.
> I'm using leftsubnet=10.47.0.0/16
> 
> I'm on netkey 2.4.4 kernel 2.6.9. and think that this is a known issue?
> Is there a patch I can use to update (netfilter?)
> I'm on netfilter 1.2.1.1
> Or was this already resolved in 2.4.4 netkey?
> 
> Muha
> 
> On 3/18/07, Paul Wouters <paul at xelerance.com> wrote:
> > On Sat, 17 Mar 2007, Wappie MD wrote:
> >
> > > I tested it today: if I DNAT from 10.47.. to 10.47..
> > > I do see packets passing through my FORWARD chain.
> > > However if I DNAT from 10.47.. (= also my ipsec leftsubnet) to 10.37..
> > > I _don't_ see packets passing through my FORWARD chain.
> > > In both cases I _do_ see the packets coming in on PREROUTING DNAT.
> > >
> > > Is this intended behaviour? Is there any setting i can use in
> > > ipsec.conf to pass the packets through FORWARD when I DNAT from
> > > 10.47.. to 10.37.. whilst using leftsubnet is 10.47..
> >
> > I am not sure what you are trying to do. You can't NAT packets to
> > IP addresses that are not defined in the ipsec connection, and then
> > expect them to be tunneled. IPsec tunnels have policies dictating
> > which packets are allowed to go through. It's not a virtual ethernet.
> >
> > Paul
> >
> 
> 
> -- 
> e*clec*tic (-klktk) adj. ~
> An individual stroke play game comprising a defined number of rounds.
> At the end of the series each of the competitors records his best
> score of the series at each hole.
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
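The behaviour the thread describes (packets visible in PREROUTING DNAT, then gone before FORWARD) follows from the way NETKEY, as I understand it, re-checks the rewritten flow against the IPsec policy selectors on the forward path, whereas KLIPS hands the decrypted packet to an ipsec0 interface and leaves NAT alone. The model below is an added illustration written for this page, not code from Openswan or from anyone in the thread. It uses the 10.47.0.0/16 and 10.37.0.0/16 ranges from the thread; the 192.168.1.0/24 rightsubnet, the conn names and the host addresses are assumptions chosen for the example. It walks one decrypted packet through a DNAT rule and the policy check, and then shows that the packet survives once a conn whose leftsubnet covers the DNAT'ed address exists, which is what Paul's reply implies.

```python
"""Model of what NETKEY does to a DNAT'ed packet that arrived through an IPsec tunnel.

Added example for this thread, not Openswan code. Addresses other than the
10.47.0.0/16 and 10.37.0.0/16 ranges mentioned on the list are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """One inbound SPD entry derived from an ipsec.conf conn (rightsubnet -> leftsubnet)."""
    name: str
    src: IPv4Network   # rightsubnet: where tunnelled packets come from
    dst: IPv4Network   # leftsubnet: what they are allowed to be addressed to


def conn(name: str, leftsubnet: str, rightsubnet: str) -> Policy:
    """Build the inbound policy for a conn; argument names follow ipsec.conf."""
    return Policy(name, ip_network(rightsubnet), ip_network(leftsubnet))


def spd_lookup(policies: List[Policy], src: IPv4Address, dst: IPv4Address) -> Optional[Policy]:
    """First policy whose selectors cover (src, dst); None means 'not tunnel traffic'."""
    for p in policies:
        if src in p.src and dst in p.dst:
            return p
    return None


def forward_after_dnat(policies: List[Policy], src: str, dst: str,
                       dnat: Dict[str, str]) -> Tuple[str, str]:
    """Walk a decrypted packet through PREROUTING DNAT and the policy re-check.

    Returns (verdict, detail). 'FORWARD' means the packet reaches the FORWARD
    chain; 'DROP' means it is discarded before FORWARD/INPUT, i.e. the silent
    disappearance reported in the thread.
    """
    s, d = ip_address(src), ip_address(dst)
    # 1. The packet was decapsulated under some inbound policy. Without a
    #    match it would never have been accepted from the tunnel at all.
    decap = spd_lookup(policies, s, d)
    if decap is None:
        return "DROP", f"{s}->{d} matches no inbound policy at decapsulation"
    # 2. nat/PREROUTING rewrites the destination (the step the OP can see).
    new_d = ip_address(dnat.get(str(d), str(d)))
    # 3. NETKEY checks the *rewritten* flow against the SPD before forwarding.
    #    The KLIPS stack does not do this, which is why it tolerates DNAT here.
    after = spd_lookup(policies, s, new_d)
    if after is None:
        return "DROP", f"{s}->{new_d} (after DNAT) is outside every leftsubnet"
    return "FORWARD", f"{s}->{new_d} still covered by conn {after.name}"


if __name__ == "__main__":
    # Assumed peer: 192.168.1.0/24 as rightsubnet, as in a typical site-to-site conn.
    spd = [conn("site", leftsubnet="10.47.0.0/16", rightsubnet="192.168.1.0/24")]
    # DNAT inside leftsubnet: the OP sees these in FORWARD.
    print(forward_after_dnat(spd, "192.168.1.10", "10.47.0.5", {"10.47.0.5": "10.47.0.9"}))
    # DNAT to 10.37.x: seen in PREROUTING, gone before FORWARD.
    print(forward_after_dnat(spd, "192.168.1.10", "10.47.0.5", {"10.47.0.5": "10.37.0.9"}))
    # Declaring the DNAT'ed range in a second conn makes the policy cover it.
    spd2 = spd + [conn("site-10-37", leftsubnet="10.37.0.0/16", rightsubnet="192.168.1.0/24")]
    print(forward_after_dnat(spd2, "192.168.1.10", "10.47.0.5", {"10.47.0.5": "10.37.0.9"}))
```

The practical check this suggests: before blaming filter rules, compare the post-DNAT destination with every leftsubnet in ipsec.conf. If it lies outside all of them, either add a conn (or widen the subnet) so the address is defined in the IPsec connection, as Paul says, or move to KLIPS as Ruben suggests; only once the packet is covered by a policy is it worth reading the FORWARD and OUTPUT counters.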