[Openswan Users] netkey nat problem

Zhiping Liu flyingzpl at gmail.com
Thu Jan 21 00:06:28 EST 2010

Hi list, i have setup up an ipsec tunnel with another gateway,using
NETKEY,my linux box access the internet with an ADSL cable.so i have to
enable MASQUERADE like this:

iptables -t nat -A POSTROUTING  -o ppp0  -j MASQUERADE.

but with the nat rule,all package on my side never get into the ipsec
tunnel(but package from the other side is fine),so i have to change my rule
like this:

iptables -t nat -A POSTROUTING -d ! PEER NETWORK -o ppp0 -j MASQUERADE #PEER

This is not good,because if i add another ipsec tunnel on my box ,i have to
change the nat rule,i wonder if there is a way that i can tell iptables :
iptables -t nat -A POSTROUTING (NOT IPSEC PACKAGE)  -o ppp0 -j MASQUERADE.

In fact,i think iptables can not handle this ,it seems that xfrm policy is
done after iptables nat POSTROUTING hook,so we can not tell if it is an
ipsec package or not in nat POSTROUTING table.

I just want a simple rule to tells the kernel,DO NOT MASQUERADE on these
packages,but i don't want to set the destination address.

Any advice is appreciate.
from Romeo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20100121/cc06acab/attachment.html 

More information about the Users mailing list