[Openswan Users] Port redirection (DNAT/REDIRECT chains) performed on the IPsec Peer interface

rsg ranil.santhish at gmail.com
Thu Feb 28 05:55:15 EST 2008


Hi,

So these are the observations made with further testing. This appears
to be kernel related and off the topic of Openswan.

According to my observations, for kernel 2.6.15
Netfilter/IPsec (ESP) policy support is either buggy or it does not have
the expected feature support by default.

I've tested with 2.6.18 and it was successful.

FYI pls.

rsg.



On Tue, Feb 19, 2008 at 11:34 AM, rsg <ranil.santhish at gmail.com> wrote:
> This is a general question on a particular test performed (IPsec and
>  Transparent Proxy) using Openswan and Iptables.
>
>
>  [Peer 1-External IP] ========================== [Peer 2-External IP]
>                                                          IPsec tunnel
>
>
>  Note: Peer 2 acts as an IPsec VPN peer as well as a Transparent proxy.
>
>  On Peer 2, activate a DNAT (or TCP REDIRECT) rule for Transparent proxying
>
>  example: iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT
>  --to-destination 192.168.200.1
>
>  192.168.200.1 is an internal interface listening on SMTP(TCP 25)
>
>  Once a TCP connection is initiated to any SMTP address, e.g. smtp.yahoo.com,
>  there is a new ESP packet generated from the address of
>  smtp.yahoo.com (216.145.54.171) towards Peer 1-External IP, which in
>  turn drops, as this is not intended.
>
>  e.g. output of tcpdump related to this ESP packet origination:
>
>  11:04:24.757204 IP (tos 0x0, ttl  64, id 30507, offset 0, flags [DF],
>  proto: ESP (50), length: 112) 216.145.54.171 > [Peer 1 External IP]:
>  ESP(spi=0x0019afce,seq=0x18ea), length 92
>
>  Eventually the SMTP connection is not established and ip_conntrack
>  shows only a SYN_RECV upon packet re-writing.
>
>  e.g. output of: # cat /proc/net/ip_conntrack
>
>  tcp     6       54      SYN_RECV src=[any Source IP] dst=216.145.54.171 sport=60712
>  dport=25 packets=1 bytes=60 src=192.168.200.1 dst=[any Source IP]
>  sport=25 dport=60712 packets=8 bytes=480 mark=0 use=1
>
>  How to avoid the origination of a new ESP packet from the unintended
>  host (DNATed SMTP host)? Is there a different approach to achieve this
>  environment?
>
>
>  Thanks in advance for your comments and suggestions.
>
>  rsg
>
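The ip_conntrack entry quoted above is the one diagnostic artefact in the thread that pins the symptom down: the original direction shows a single packet (the client's SYN), the reply direction shows eight (the DNAT target's SYN/ACK retransmissions), and the state stays at SYN_RECV. The following script is an added example, not code from the thread or from Openswan: it parses /proc/net/ip_conntrack lines in the format shown, detects entries that were DNAT-rewritten, and flags those whose handshake is stalled in exactly that pattern. The sample entries are constructed to match the quoted ones, with 10.0.0.5 standing in for the "[any Source IP]" placeholder; in the real file each entry is on one line, the thread's copy was wrapped by the mail client.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in /proc/net/ip_conntrack format (one entry per line).
# First entry: the stalled DNATed SMTP flow from the thread (SYN seen once,
# SYN/ACK retransmitted 8 times). Second entry: a healthy, un-NATed flow.
SAMPLE_CONNTRACK = """\
tcp     6       54      SYN_RECV src=10.0.0.5 dst=216.145.54.171 sport=60712 dport=25 packets=1 bytes=60 src=192.168.200.1 dst=10.0.0.5 sport=25 dport=60712 packets=8 bytes=480 mark=0 use=1
tcp     6       431999  ESTABLISHED src=10.0.0.5 dst=216.145.54.171 sport=60713 dport=25 packets=12 bytes=1800 src=216.145.54.171 dst=10.0.0.5 sport=25 dport=60713 packets=10 bytes=1500 [ASSURED] mark=0 use=1
"""

_KV = re.compile(r"(\w+)=(\S+)")
# Keys that appear once per direction: the first occurrence describes the
# original direction, the second the (possibly NAT-rewritten) reply direction.
_DIR_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes"}


@dataclass
class Flow:
    proto: str
    timeout: int
    state: str                                  # TCP state, "-" for other protocols
    orig: dict = field(default_factory=dict)    # original direction tuple
    reply: dict = field(default_factory=dict)   # reply direction tuple
    meta: dict = field(default_factory=dict)    # mark=, use=, ...
    flags: list = field(default_factory=list)   # [ASSURED], [UNREPLIED], ...


def parse_entry(line: str) -> Flow:
    """Parse one ip_conntrack line into a Flow."""
    parts = line.split()
    proto, timeout = parts[0], int(parts[2])
    state = parts[3] if proto == "tcp" else "-"
    flow = Flow(proto, timeout, state)
    flow.flags = [p for p in parts if p.startswith("[") and p.endswith("]")]
    for key, val in _KV.findall(line):
        if key not in _DIR_KEYS:
            flow.meta[key] = val
        elif key not in flow.orig:
            flow.orig[key] = val
        else:
            flow.reply[key] = val
    return flow


def parse_conntrack(text: str) -> list:
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def is_dnat(flow: Flow) -> bool:
    """Destination was rewritten: replies come from a different address/port
    than the one the client addressed."""
    return (flow.orig["dst"], flow.orig["dport"]) != (flow.reply["src"], flow.reply["sport"])


def stalled_handshake(flow: Flow) -> bool:
    """The pattern from the thread: only the client's SYN was seen, while the
    server side has retransmitted its SYN/ACK repeatedly, i.e. the SYN/ACK is
    being lost on the way back to the client."""
    if flow.proto != "tcp" or flow.state != "SYN_RECV":
        return False
    return int(flow.orig["packets"]) == 1 and int(flow.reply["packets"]) > 1


def diagnose(text: str) -> list:
    """One finding per DNATed flow whose handshake is stalled."""
    findings = []
    for f in parse_conntrack(text):
        if is_dnat(f) and stalled_handshake(f):
            findings.append(
                f"{f.orig['src']}:{f.orig['sport']} -> {f.orig['dst']}:{f.orig['dport']} "
                f"DNATed to {f.reply['src']}:{f.reply['sport']}: {f.reply['packets']} reply "
                f"packets but client still in {f.state}; capture ESP on the peer interface "
                f"to confirm the de-NATed SYN/ACK is being steered into the tunnel"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONNTRACK):
        print(finding)
```

Run against the live file with `python3 script.py` after swapping `SAMPLE_CONNTRACK` for `open("/proc/net/ip_conntrack").read()` (or `/proc/net/nf_conntrack` on newer kernels, whose lines carry an extra leading address-family field and need `parts` shifted by two). A flow that trips both checks while tcpdump on the external interface shows ESP towards the peer, as in the thread, is the signature to look for before suspecting the proxy itself.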

