[Openswan Users] DNAT and ipsec?

Ales Klok orrie at seznam.cz
Tue Mar 20 14:45:53 EDT 2007


Wappie MD wrote:
> Sorry, I wasn't very clear on this :)
> These packets I see disappearing are incoming packets I'm trying to
> nat from 10.47.. to 10.37..
> After DNATting (and seeing them pass by on PREROUTING) I don't see
> them passing FORWARD or INPUT in iptables.
> I'm using leftsubnet=10.47.0.0/16
>
> I'm on netkey 2.4.4 kernel 2.6.9. and think that this is a known issue?
> Is there a patch I can use to update (netfilter?)
> I'm on netfilter 1.2.1.1
> Or was this already resolved in 2.4.4 netkey?
>
> Muha
>   
If you want to use NETKEY get 2.6.12+ and if you want to use NAT to 
tunnel packets then go for 2.6.16+. Also notice when using NETKEY 
incoming ipsec packets appear on prerouting of the same iface twice 
(once encrypted then decrypted, iface -> PREROUTING -> INPUT -> 
[decrypt] -> PREROUTING -> INPUT/FORWARD). Please provide us with your 
iptables rules. NATing incoming direction should work even on 2.6.9, 
outgoing direction is another story and it is impossible to do so with 
2.6.9 without some kernel patching. If you want to stick with 2.6.9 for 
whatever reason you have then use KLIPS.
/ak
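An added example, not from either poster: a NETKEY-style ruleset that applies the 10.47 -> 10.37 subnet translation only on the second (decrypted) PREROUTING pass described above, with LOG rules at the end of each chain to show where a packet is dropped. It assumes eth0 is the tunnel-facing interface and an iptables with the policy match and the NETMAP target (a kernel in the 2.6.16+ range the reply recommends); the addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example for the NETKEY double-traversal described in the reply.
# Assumptions (not from the thread): eth0 is the tunnel-facing interface,
# the xt_policy match and NETMAP target are available, and the mapping is
# 10.47.0.0/16 (what the peer addresses) -> 10.37.0.0/16 (the real hosts).
WAN_IF=eth0
PEER_NET=10.47.0.0/16    # leftsubnet from the thread
LOCAL_NET=10.37.0.0/16   # real subnet behind this gateway

netkey_rules() {
    # Pass 1: the encrypted packet. Let ESP (or its NAT-T encapsulation)
    # and IKE reach the host; it is still opaque, so nothing in the nat
    # table should try to translate it here.
    $IPT -A INPUT -i "$WAN_IF" -p esp -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT

    # Pass 2: after decryption the inner packet re-enters PREROUTING on the
    # same interface. "-m policy --dir in --pol ipsec" matches only this
    # pass, so cleartext traffic arriving on eth0 is never translated.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -m policy --dir in --pol ipsec \
        -d "$PEER_NET" -j NETMAP --to "$LOCAL_NET"

    # The translated packet is routed onward, so it traverses FORWARD.
    $IPT -A FORWARD -i "$WAN_IF" -m policy --dir in --pol ipsec \
        -d "$LOCAL_NET" -j ACCEPT

    # Diagnostics: anything that reaches the end of a chain gets logged,
    # which tells you which of PREROUTING / FORWARD / INPUT lost the packet.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PEER_NET" -j LOG --log-prefix "nat-pre-miss: "
    $IPT -A FORWARD -j LOG --log-prefix "fwd-drop: "
    $IPT -A INPUT -j LOG --log-prefix "in-drop: "
}

# Usage: sh netkey-nat.sh show   (print the rules)
#        sh netkey-nat.sh apply  (load them, as root)
case "${1:-}" in
    show)  IPT="echo iptables"; netkey_rules ;;
    apply) IPT="iptables";      netkey_rules ;;
esac
```

The rules only append; flush or inspect your existing chains first, and pair the LOG rules with a default DROP policy (or a final DROP rule) if you want the log to mean "dropped".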


More information about the Users mailing list