[Openswan Users] DNAT and ipsec?
Ales Klok
orrie at seznam.cz
Tue Mar 20 14:45:53 EDT 2007
Wappie MD wrote:
> Sorry, I wasn't very clear on this :)
> These packets I see disappearing are incoming packets I'm trying to
> NAT from 10.47.. to 10.37..
> After DNATting (and seeing them pass by on PREROUTING) I don't see
> them passing FORWARD or INPUT in iptables.
> I'm using leftsubnet=10.47.0.0/16
>
> I'm on netkey 2.4.4 kernel 2.6.9. and think that this is a known issue?
> Is there a patch I can use to update (netfilter?)
> I'm on netfilter 1.2.1.1
> Or was this already resolved in 2.4.4 netkey?
>
> Muha
>
If you want to use NETKEY get 2.6.12+, and if you want to use NAT to
tunnel packets then go for 2.6.16+. Also notice that when using NETKEY,
incoming IPsec packets appear on PREROUTING of the same iface twice
(once encrypted, then decrypted: iface -> PREROUTING -> INPUT ->
[decrypt] -> PREROUTING -> INPUT/FORWARD). Please provide us with your
iptables rules. NATing the incoming direction should work even on 2.6.9;
the outgoing direction is another story and it is impossible to do so with
2.6.9 without some kernel patching. If you want to stick with 2.6.9 for
whatever reason you have, then use KLIPS.
/ak
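As an added illustration of the double pass described in the reply above (not code from the thread or from Openswan), the script below lays out iptables rules that only DNAT the decrypted inner packet on its second trip through PREROUTING. Everything specific in it is an assumption for the example: the peer reaches the gateway on eth0, the tunnel's leftsubnet is 10.47.0.0/16, the real hosts are in 10.37.0.0/16, and the kernel has the xt_policy match and the NETMAP target available. The version advice in the reply is the poster's; the script does not check kernel versions.

```shell
#!/bin/sh
# Added example, not from the original thread or from Openswan.
# iptables layout for DNATting traffic that arrives inside a NETKEY IPsec tunnel.
# NETKEY packet path: iface -> PREROUTING -> INPUT -> [decrypt] -> PREROUTING
# -> INPUT/FORWARD, so the same packet is seen twice on the same interface.
# Hypothetical assumptions: peer on eth0, leftsubnet 10.47.0.0/16, real LAN
# 10.37.0.0/16, "-m policy" (xt_policy) and the NETMAP target are available.
# Usage: "sh netkey-dnat.sh apply" loads the rules; "IPT=echo sh netkey-dnat.sh
# apply" prints them instead of loading (dry run).
set -e

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
TUN_NET="${TUN_NET:-10.47.0.0/16}"   # addresses the remote side sends to (leftsubnet)
LAN_NET="${LAN_NET:-10.37.0.0/16}"   # addresses the hosts actually have

netkey_dnat_rules() {
    # Pass 1: the outer packet. Only the IPsec protocols themselves need to be
    # accepted in INPUT so the kernel can decrypt them.
    "$IPT" -A INPUT -i "$WAN_IF" -p esp -j ACCEPT
    "$IPT" -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT   # IKE
    "$IPT" -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT  # NAT-T

    # Pass 2: the decrypted inner packet re-enters PREROUTING on the same
    # interface. "--dir in --pol ipsec" matches only on this pass, so the NAT
    # never touches the outer ESP packet and cannot be triggered by cleartext
    # from the WAN that merely carries a 10.47.x destination.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -m policy --dir in --pol ipsec \
        -d "$TUN_NET" -j NETMAP --to "$LAN_NET"

    # Cleartext arriving on the WAN for the LAN range was not decrypted from
    # the tunnel; drop it instead of letting it impersonate tunnel traffic.
    "$IPT" -A FORWARD -i "$WAN_IF" -d "$LAN_NET" -m policy --dir in --pol none -j DROP

    # Forward the translated tunnel traffic. Replies from 10.37.x are matched
    # by conntrack state; conntrack undoes the NETMAP on the way back, and
    # whether the kernel then re-encrypts them correctly is the kernel-version
    # question discussed in the message above.
    "$IPT" -A FORWARD -i "$WAN_IF" -d "$LAN_NET" -m policy --dir in --pol ipsec -j ACCEPT
    "$IPT" -A FORWARD -o "$WAN_IF" -s "$LAN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Optional diagnostics: log both passes. mangle/PREROUTING runs before
# nat/PREROUTING, so the second line still shows DST=10.47.x, before the NAT.
netkey_debug_log() {
    "$IPT" -t mangle -A PREROUTING -i "$WAN_IF" -p esp -j LOG --log-prefix "pre1-esp: "
    "$IPT" -t mangle -A PREROUTING -i "$WAN_IF" -m policy --dir in --pol ipsec \
        -j LOG --log-prefix "pre2-plain: "
}

case "${1:-}" in
    apply) netkey_dnat_rules ;;
    debug) netkey_dnat_rules; netkey_debug_log ;;
    *) : ;;   # no verb given: only define the functions
esac
```

Running it with `IPT=echo` first and comparing the printed rules against `iptables -t nat -L PREROUTING -v` after loading is a quick way to confirm that the DNAT counter increments on the decrypted pass and stays at zero for the outer ESP packets.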