[Openswan Users] Port redirection (DNAT/REDIRECT chains) performed on the IPsec Peer interface

rsg ranil.santhish at gmail.com
Tue Feb 19 05:34:20 EST 2008

This is a general question on a particular test performed (IPsec and
Transparent Proxy) using Openswan and iptables.

[Peer 1-External IP] ========================== [Peer 2-External IP]
                                                         IPsec tunnel

Note: Peer 2 acts as an IPsec VPN peer as well as a Transparent proxy.

On Peer 2, activate a DNAT (or TCP REDIRECT) rule for Transparent proxying.

example: iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT
--to-destination [internal IP listening on SMTP (TCP 25)]

Once a TCP connection is initiated to any SMTP address, e.g. smtp.yahoo.com,

a new ESP packet is generated, originating from the smtp.yahoo.com
address, towards Peer 1-External IP, which in turn drops it as this is
not intended.

e.g. output of tcpdump related to this ESP packet origination:

11:04:24.757204 IP (tos 0x0, ttl  64, id 30507, offset 0, flags [DF],
proto: ESP (50), length: 112) > [Peer 1 External IP]:
ESP(spi=0x0019afce,seq=0x18ea), length 92

Eventually the SMTP connection is not established and ip_conntrack
shows only a SYN_RECV entry upon packet rewriting.

e.g. output of: # cat /proc/net/ip_conntrack

tcp	6	54	SYN_RECV src=[any Source IP] dst= sport=60712 dport=25 packets=1 bytes=60 src= dst=[any Source IP] sport=25 dport=60712 packets=8 bytes=480 mark=0 use=1

How to avoid the origination of a new ESP packet from the unintended
host (DNATed SMTP host)? Is there a different approach to achieve this?

Thanks in advance for your comments and suggestions.
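
An added example, not part of the post above and not Openswan's or the poster's own configuration. It shows the two things a practitioner would reach for when a PREROUTING DNAT rule catches traffic it was not meant to: first, a nat/PREROUTING rule set in which packets that were just decapsulated from an IPsec SA are ACCEPTed (which ends NAT processing for that flow) before the SMTP DNAT rule, and the DNAT rule itself is tied to the LAN interface; second, a filter over /proc/net/ip_conntrack that flags entries stuck in SYN_RECV while the reply side has already sent packets, the exact shape shown in the post (SYN-ACKs retransmitted, handshake never completed). The interface name LAN_IF=eth1, the proxy address 10.0.0.25 and the 192.0.2.x / 198.51.100.5 addresses in the sample are assumptions, not values from the post. The `-m policy --dir in --pol ipsec` match assumes Openswan on NETKEY (the native kernel IPsec stack); under KLIPS the decapsulated packets arrive on ipsec0 and an `-i ipsec0` match takes its place. Note the caveat: exempting tunnel traffic is only the right fix if the proxy is meant for local clients; if clients behind Peer 1 are supposed to be proxied, the DNAT must stay and the reply path through the tunnel has to be fixed instead, which the post does not give enough detail to determine.

```shell
#!/bin/sh
# Added example; not from the original post or from Openswan.
# Assumed names (not in the post): LAN_IF, PROXY_IP, the 10.0.0.25 proxy
# address and the 192.0.2.x / 198.51.100.5 addresses in the sample below.
# The policy match assumes Openswan on NETKEY (native kernel IPsec); with
# KLIPS, decapsulated packets arrive on ipsec0 instead.

LAN_IF="${LAN_IF:-eth1}"          # interface of the clients that should be proxied
PROXY_IP="${PROXY_IP:-10.0.0.25}" # internal listener on TCP 25
IPT="${IPT:-echo iptables}"       # dry run by default; IPT=iptables applies the rules

# nat/PREROUTING rules for transparent SMTP proxying that leave IPsec traffic alone.
smtp_redirect_rules() {
    # Packets that were just decapsulated from an IPsec SA are ACCEPTed in the
    # nat table, which ends NAT processing for that flow before the DNAT rule
    # can rewrite it.  (KLIPS equivalent: -i ipsec0 -p tcp --dport 25 -j ACCEPT)
    $IPT -t nat -A PREROUTING -m policy --dir in --pol ipsec -p tcp --dport 25 -j ACCEPT
    # Only clear-text SMTP arriving on the LAN interface is redirected, so the
    # rule cannot match traffic coming in on the external interface either.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 25 -j DNAT --to-destination "$PROXY_IP:25"
}

# Reads /proc/net/ip_conntrack format on stdin and prints TCP entries that are
# still in SYN_RECV although the reply side has already sent packets: the
# server answered (SYN-ACK, retransmitted) but the client never completed the
# handshake, which is what a reply that leaves the wrong way looks like from
# the NAT box.
stuck_syn_recv() {
    awk '$1 == "tcp" && $4 == "SYN_RECV" {
        n = 0; reply = 0
        for (i = 5; i <= NF; i++)
            if ($i ~ /^packets=/) {
                n++
                # the second packets= field belongs to the reply tuple
                if (n == 2) { split($i, kv, "="); reply = kv[2] }
            }
        if (reply + 0 > 0) print
    }'
}

# Constructed sample in ip_conntrack format (addresses invented): the first
# entry has the shape seen in the post, the other two are healthy for comparison.
SAMPLE='tcp      6 54 SYN_RECV src=192.0.2.10 dst=198.51.100.5 sport=60712 dport=25 packets=1 bytes=60 src=10.0.0.25 dst=192.0.2.10 sport=25 dport=60712 packets=8 bytes=480 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.11 dst=198.51.100.5 sport=40000 dport=25 packets=12 bytes=900 src=10.0.0.25 dst=192.0.2.11 sport=25 dport=40000 packets=10 bytes=1200 [ASSURED] mark=0 use=1
tcp      6 110 SYN_SENT src=192.0.2.12 dst=198.51.100.5 sport=40001 dport=25 packets=3 bytes=180 [UNREPLIED] src=10.0.0.25 dst=192.0.2.12 sport=25 dport=40001 packets=0 bytes=0 mark=0 use=1'

# Number of stuck entries in the constructed sample.
count_stuck_sample() {
    printf '%s\n' "$SAMPLE" | stuck_syn_recv | wc -l | tr -d ' '
}

# On a live box: cat /proc/net/ip_conntrack | stuck_syn_recv
if [ "${1:-}" = "--show" ]; then
    smtp_redirect_rules
    printf '%s\n' "$SAMPLE" | stuck_syn_recv
fi
```

Run it with `--show` to print the two rules (dry run) and the one stuck entry from the sample; set `IPT=iptables` to apply the rules for real. The ACCEPT rule must come before the DNAT rule, since the nat table only sees the first packet of a flow and the first matching terminating target decides the NAT for the whole connection.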

