[Openswan Users] Port redirection (DNAT/REDIRECT chains) performed on the IPsec Peer interface
ranil.santhish at gmail.com
Tue Feb 19 05:34:20 EST 2008
This is a general question on a particular test performed(IPsec and
Transparent Proxy) using Openswan and Iptables.
[Peer 1-External IP] ========================== [Peer 2-External IP]
Note: Peer to acts as a IPsec VPN peer as well as a Transparent proxy.
On Peer 2 Activate a DNAT or (TCP REDIRECT) rule for Transparent proxying
example: iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT
192.168.200.1 is an internal interface listening on SMTP(TCP 25)
Once a TCP connection is initiated on any SMTP address e.g. smtp.yahoo.com
There is a new ESP packet generated from the address originated from
smtp.yahoo.com( 126.96.36.199) towards Peer 1-External IP which in
turn drops as this is not intended.
eg: output of TCPDUMP related to this ESP packet origination:
11:04:24.757204 IP (tos 0x0, ttl 64, id 30507, offset 0, flags [DF],
proto: ESP (50), length: 112) 188.8.131.52 > [Peer 1 External IP]:
ESP(spi=0x0019afce,seq=0x18ea), length 92
Eventually the smtp connection is not established and ip_conntrack
shows only a SYN_RECV upon packet re-writing.
eg output of: # cat /proc/net/ip_conntrack
tcp 6 54 SYN_RECV src=[any Source IP] dst=184.108.40.206 sport=60712
dport=25 packets=1 bytes=60 src=192.168.200.1 dst=[any Source IP]
sport=25 dport=60712 packets=8 bytes=480 mark=0 use=1
How to avoid the originatation of new ESP packet from the unintended
host(DNATed SMTP host)? Is there a different approach to achieve this
Thanks in advance for your comments and suggestions.
More information about the Users