[Openswan Users] netkey nat problem

Paul Wouters paul at xelerance.com
Thu Jan 21 00:29:58 EST 2010


On Thu, 21 Jan 2010, Zhiping Liu wrote:

> Hi list, I have set up an IPsec tunnel with another gateway using NETKEY. My Linux box accesses the internet
> with an ADSL cable, so I have to enable MASQUERADE like this:
> iptables -t nat -A POSTROUTING  -o ppp0  -j MASQUERADE.
> 
> But with the NAT rule, all packets from my side never get into the IPsec tunnel (packets from the other
> side are fine), so I have to change my rule like this:
> 
> iptables -t nat -A POSTROUTING -d ! PEER NETWORK -o ppp0 -j MASQUERADE #PEER NETWORK set
> 
> This is not good, because if I add another IPsec tunnel on my box, I have to change the NAT rule. I wonder if
> there is a way that I can tell iptables:
> iptables -t nat -A POSTROUTING (NOT IPSEC PACKET)  -o ppp0 -j MASQUERADE.

You can use multiple -j RETURN statements for each remote network,
followed by -j MASQUERADE. Or you can use the ipsec policy matching
(-m ipsec I believe?)

Paul
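As an added illustration of the two approaches in Paul's reply (not part of the original thread), the script below builds the POSTROUTING rules both ways: one -j RETURN per remote network, and the xt_policy match (`-m policy`, which is the module Paul is thinking of). The interface name, the chain name `ipsec-nonat`, and the two peer networks are constructed values; IPT defaults to `echo iptables` so the script only prints the rules, and running it with `IPT=iptables` as root applies them.

```sh
#!/bin/sh
# Added example, not from the Openswan thread or project. Exempts traffic that
# will be IPsec-protected from MASQUERADE so it still enters the tunnel.
IPT="${IPT:-echo iptables}"          # set IPT=iptables to apply for real
WAN_IF="${WAN_IF:-ppp0}"             # assumed ADSL interface, as in the question
# Constructed example remote networks, one per tunnel.
PEER_NETS="${PEER_NETS:-10.1.0.0/16 192.168.5.0/24}"

# Approach 1: a dedicated chain with one -j RETURN per remote network, then
# MASQUERADE. RETURN leaves the chain before MASQUERADE is reached, so traffic
# to a peer network keeps its source address; everything else is masqueraded.
# Adding a tunnel means adding one RETURN line, not rewriting the NAT rule.
nat_rules_return() {
    net_list=$1
    wan=$2
    $IPT -t nat -N ipsec-nonat
    $IPT -t nat -A POSTROUTING -o "$wan" -j ipsec-nonat
    for net in $net_list; do
        $IPT -t nat -A ipsec-nonat -d "$net" -j RETURN
    done
    $IPT -t nat -A ipsec-nonat -j MASQUERADE
}

# Approach 2: the xt_policy match. With NETKEY the nat POSTROUTING hook sees
# the cleartext packet before ESP encapsulation, and "--dir out --pol ipsec"
# matches packets that an outbound IPsec policy will protect. ACCEPT in the nat
# table ends NAT processing for them, so no per-tunnel rule is needed at all.
nat_rules_policy() {
    wan=$1
    $IPT -t nat -A POSTROUTING -o "$wan" -m policy --dir out --pol ipsec -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

echo "# per-network RETURN variant"
nat_rules_return "$PEER_NETS" "$WAN_IF"
echo "# policy-match variant"
nat_rules_policy "$WAN_IF"
```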
