[Openswan Users] DNAT and ipsec?

Paul Wouters paul at xelerance.com
Tue Mar 20 16:23:25 EDT 2007


On Tue, 20 Mar 2007, Scott Miller wrote:

> First a disclaimer, I'm not an Openswan guru, so it's possible I'm way
> off base. But, as a network/systems guy, it would seem to me that if the
> packet has hit the firewall rules, NETKEY should have already given
> control of that packet to the kernel, and the kernel has passed control
> to the firewall rules, so now it should be controlled by those firewall
> rules.

If only NETKEY worked that cleanly.... right now, even tcpdump cannot see
all the packets that pass through it. Similarly, not all tables see these
packets either.

Paul

