[Openswan Users] Ipsec passthrough on linux
hiren joshi
joshihirenn at gmail.com
Mon Dec 8 05:08:23 EST 2008
This is perhaps more relevant to netfilter.
How can I enable/install ipsec passthrough feature in a Linux box?
I have read an old post at:
http://lists.openswan.org/pipermail/users/2008-August/015102.html
-----------------------------
On Thu, 14 Aug 2008, Felipe - Rasputin wrote:
> iptables -t nat -I POSTROUTING -s $IP_1 -p esp -j MASQUERADE
> iptables -t nat -I POSTROUTING -s $IP_2 -p esp -j MASQUERADE
> iptables -t nat -I POSTROUTING -s $IP_1 -p ah -j MASQUERADE
> iptables -t nat -I POSTROUTING -s $IP_2 -p ah -j MASQUERADE
You cannot rewrite (via masquerade) ipsec packets. You must use -j ACCEPT.
If you're behind NAT, let NAT-T do its work and encapsulate with udp 4500
Paul
-----------------------------
But I want to talk to a legacy system that does not support NAT-T.
Currently, multiple connections to an Openswan VPN server behind the same
NAT box fail, as ESP does not provide any hook (like port numbers in the
case of UDP/TCP) to demultiplex them.
Thanks for your time.
-hiren
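The demultiplexing problem described in the message above, as an added toy model that is not part of the original thread and is not Linux conntrack code: a simplified NAT table keyed the way the text implies (port for UDP, only the peer address for ESP), with all addresses, hosts and ports constructed for the example.

```python
# Added example, not from the original thread: a toy NAT table showing why
# plain ESP from two inner hosts cannot be demultiplexed by the NAT box while
# NAT-T (ESP in UDP/4500) can. All addresses below are constructed.
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.1"  # constructed public address of the NAT box

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "esp" or "udp"
    sport: Optional[int] = None  # ports exist only for udp
    dport: Optional[int] = None

class ToyNat:
    """Maps outbound flows to PUBLIC_IP and reply packets back inside."""

    def __init__(self):
        self.next_port = 40000
        self.reverse = {}  # reply-side key -> (inner host, inner port)

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == "udp":
            # NAT-T: a fresh public port per inner flow is the demux hook.
            pub = self.next_port
            self.next_port += 1
            self.reverse[("udp", pkt.dst, pub)] = (pkt.src, pkt.sport)
            return Packet(PUBLIC_IP, pkt.dst, "udp", pub, pkt.dport)
        # Plain ESP has no port, so the reply key is only (proto, peer): a
        # second inner host talking to the same peer overwrites the first.
        self.reverse[("esp", pkt.dst)] = (pkt.src, None)
        return Packet(PUBLIC_IP, pkt.dst, "esp")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = ("udp", pkt.src, pkt.dport) if pkt.proto == "udp" else ("esp", pkt.src)
        hit = self.reverse.get(key)
        if hit is None:
            return None  # no mapping: the NAT box drops the reply
        return Packet(pkt.src, hit[0], pkt.proto, pkt.sport, hit[1])

def deliveries(proto: str) -> list:
    """Two inner hosts tunnel to one VPN server; return which inner host
    receives each of the server's two replies (order: host 1, host 2)."""
    nat, server, hosts = ToyNat(), "198.51.100.9", ["10.0.0.11", "10.0.0.12"]
    out = [nat.outbound(Packet(h, server, proto, 4500, 4500)) for h in hosts]
    replies = [Packet(server, PUBLIC_IP, proto, o.dport, o.sport) for o in out]
    return [nat.inbound(r).dst for r in replies]
```

With `proto="udp"` each reply reaches its own inner host; with `proto="esp"` both replies land on the host that opened its tunnel last, which is the failure the message reports.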