[Openswan Users] How to identify esp traffic with iptables when it is SNATed?
Brad Johnson
bjohnson at astrocorp.com
Tue Oct 21 17:48:38 EDT 2008
I cannot figure out how to correctly match ESP traffic when the traffic
is source NAT'ed.
For traffic that is not SNAT'ed, a rule like this matches correctly:
iptables -t mangle -A POSTROUTING -p esp -o eth0 -d <remote-ip> \
    -j DO_SOME_STUFF
But apparently the traffic is not yet encapsulated in mangle POSTROUTING
(or nat POSTROUTING) when it is going to be SNAT'ed.
I also tried this policy match, which also does not work for SNAT:
iptables -t mangle -A POSTROUTING -o eth0 -m policy --dir out --pol ipsec \
    --mode tunnel --tunnel-src <local-ip> --tunnel-dst <remote-ip> \
    -j DO_SOME_STUFF
We are running Openswan on a Gentoo 2.6.24 kernel (NetKey) on our
gateway. We have the problem with traffic coming from one of our LANs
and going out the tunnel. We are not specifying a leftsubnet in our
ipsec.conf file.
Any help would be appreciated.
Brad Johnson
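The first thing to establish when debugging a rule like the two above is whether it is firing at all, and the packet counters that `iptables -t mangle -L POSTROUTING -v -n -x` prints answer that directly. The script below is an added example, not code from the post or from Openswan: it parses that counter listing (the legacy iptables column layout of pkts, bytes, target, prot, opt, in, out, source, destination, followed by any match text) and reports, for each `-p esp` or `-m policy` rule, whether its counter is still zero. The sample listing embedded in it is constructed for this example, with documentation address ranges in place of real hosts.

```python
"""Report which mangle POSTROUTING rules have matched any packets.

Added example, not code from the original mailing-list post. It parses the
text printed by `iptables -t mangle -L POSTROUTING -v -n -x` (legacy iptables
column layout: pkts, bytes, target, prot, opt, in, out, source, destination,
then match details) and lists the IPsec-related rules whose packet counter is
still zero. A zero counter on the `-p esp` or `-m policy` rule is the quickest
evidence that the rule never sees the traffic it was written for.
"""
import re
from typing import Dict, List

# Constructed sample of `iptables -t mangle -L POSTROUTING -v -n -x` output
# (documentation address ranges, not real hosts). In this sample the plain
# ESP rule has never matched while the policy-match rule has.
SAMPLE_OUTPUT = """\
Chain POSTROUTING (policy ACCEPT 18234 packets, 2419330 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DO_SOME_STUFF  esp  --  *      eth0    0.0.0.0/0            203.0.113.5
     127      19304 DO_SOME_STUFF  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec mode tunnel tunnel-src 192.0.2.1 tunnel-dst 203.0.113.5
    9911    1288430 ACCEPT     all  --  *      eth0    192.168.10.0/24      0.0.0.0/0
"""

# Matches "Chain POSTROUTING (policy ACCEPT 18234 packets, 2419330 bytes)".
CHAIN_RE = re.compile(
    r"^Chain\s+(?P<chain>\S+)\s+\(policy\s+(?P<policy>\S+)\s+"
    r"(?P<pkts>\d+)\s+packets,\s+(?P<bytes>\d+)\s+bytes\)"
)

COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")


def parse_chain(text: str) -> List[Dict[str, object]]:
    """Turn `iptables -L -v -n -x` output for one chain into a list of rule dicts."""
    rules: List[Dict[str, object]] = []
    chain = None
    for line in text.splitlines():
        header = CHAIN_RE.match(line)
        if header:
            chain = header.group("chain")
            continue
        fields = line.split()
        # Skip blank lines and the column-title line (its first field is "pkts").
        if len(fields) < len(COLUMNS) or not fields[0].isdigit():
            continue
        rule: Dict[str, object] = dict(zip(COLUMNS, fields[: len(COLUMNS)]))
        rule["pkts"] = int(fields[0])
        rule["bytes"] = int(fields[1])
        rule["chain"] = chain
        rule["position"] = len(rules) + 1  # 1-based, as --line-numbers would show
        rule["match"] = " ".join(fields[len(COLUMNS):])  # e.g. "policy match dir out ..."
        rules.append(rule)
    return rules


def is_ipsec_rule(rule: Dict[str, object]) -> bool:
    """True for a plain ESP protocol match (name or number 50) or an xt_policy match."""
    return rule["prot"] in ("esp", "50") or str(rule["match"]).startswith("policy match")


def never_matched(rules: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Rules whose packet counter is zero since the counters were last cleared."""
    return [r for r in rules if r["pkts"] == 0]


def report(text: str) -> List[str]:
    """One line per IPsec-related rule saying whether it has fired."""
    lines = []
    for rule in parse_chain(text):
        if not is_ipsec_rule(rule):
            continue
        state = "NEVER MATCHED" if rule["pkts"] == 0 else f"{rule['pkts']} pkts"
        what = rule["match"] or f"-p {rule['prot']} -d {rule['destination']}"
        lines.append(f"{rule['chain']} rule {rule['position']} -> {rule['target']}: {state} ({what})")
    return lines


if __name__ == "__main__":
    import sys

    # Live use: iptables -t mangle -L POSTROUTING -v -n -x | python3 esp_rule_check.py
    # With nothing piped in, the constructed sample stands in for live output.
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(text if text.strip() else SAMPLE_OUTPUT)))
```

Counters accumulate from the moment the rule was inserted, so run `iptables -t mangle -Z POSTROUTING` first, push some traffic through the tunnel, then pipe the listing into the script; a rule that still reads NEVER MATCHED after that is being bypassed rather than hit-and-ignored.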