[Openswan Users] netkey nat problem
Paul Wouters
paul at xelerance.com
Thu Jan 21 00:29:58 EST 2010
On Thu, 21 Jan 2010, Zhiping Liu wrote:
> Hi list, I have set up an IPsec tunnel with another gateway using NETKEY. My Linux box accesses the internet
> with an ADSL cable, so I have to enable MASQUERADE like this:
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> But with the NAT rule, all packets on my side never get into the IPsec tunnel (packets from the other
> side are fine), so I have to change my rule like this:
>
> iptables -t nat -A POSTROUTING -d ! PEER NETWORK -o ppp0 -j MASQUERADE #PEER NETWORK set
>
> This is not good, because if I add another IPsec tunnel on my box I have to change the NAT rule. I wonder if
> there is a way that I can tell iptables:
> iptables -t nat -A POSTROUTING (NOT IPSEC PACKETS) -o ppp0 -j MASQUERADE
You can use multiple -j RETURN statements for each remote network,
followed by -j MASQUERADE. Or you can use the ipsec policy matching
(-m ipsec I believe?)
Paul
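Both approaches from the reply above, written out as an added example that is not part of the thread. The underlying problem is that with NETKEY an outbound packet passes through the nat POSTROUTING chain before ESP encapsulation, so a blanket MASQUERADE rewrites the source address before the IPsec policy lookup and the packet no longer matches the tunnel's selectors. The first variant exempts each remote network with -j RETURN; the second uses the xt_policy match (`-m policy --dir out --pol ipsec`), which is the module behind the "ipsec policy matching" mentioned in the reply and needs no per-peer rule. The interface name ppp0 and the subnets are constructed values; the functions only print the iptables commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not code from the Openswan thread. Generates nat POSTROUTING
# rules that keep IPsec-protected traffic out of MASQUERADE. Nothing here
# executes iptables; each function prints the commands for review.
# Constructed values: WAN_IF (default ppp0) and the subnets passed as arguments.

WAN_IF="${WAN_IF:-ppp0}"

# Variant 1: one -j RETURN per remote network, then MASQUERADE.
# Every tunnel added later needs one more RETURN line before the MASQUERADE.
nat_rules_return() {
  for net in "$@"; do
    printf 'iptables -t nat -A POSTROUTING -d %s -o %s -j RETURN\n' "$net" "$WAN_IF"
  done
  printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
}

# Variant 2: policy match. xt_policy matches packets that have an outbound
# IPsec policy, so they are accepted out of the nat chain untouched and only
# unprotected traffic reaches the MASQUERADE rule. No per-peer rule needed.
nat_rules_policy() {
  printf 'iptables -t nat -A POSTROUTING -o %s -m policy --dir out --pol ipsec -j ACCEPT\n' "$WAN_IF"
  printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
}

# Number of rule lines a variant produces; shows how each scales with tunnels.
rule_count() { "$@" | wc -l | tr -d ' '; }

# Run stand-alone to see both rule sets for two hypothetical peer networks.
if [ "${1:-}" = "show" ]; then
  echo "# RETURN variant"; nat_rules_return 10.1.0.0/16 10.2.0.0/16
  echo "# policy-match variant"; nat_rules_policy
fi
```

Order matters in both variants: the RETURN or the policy ACCEPT rule has to sit above the MASQUERADE rule in the nat POSTROUTING chain, so check with `iptables -t nat -L POSTROUTING -v -n` that the exemption rule is listed first and that its packet counter increases while tunnel traffic is flowing.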