[Openswan Users] netkey nat problem

Zhiping Liu flyingzpl at gmail.com
Thu Jan 21 02:49:41 EST 2010

Thanks Paul.

As you mentioned,I just find out iptables have a ipsec policy module,insert
this rule:
iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
before anything in nat postrouting.

--multiple -j RETURN statements for each remote network
if i add/delete a tunnel,i have to change the iptables rules,module policy
is cool...
Everything is ok now.

2010/1/21 Paul Wouters <paul at xelerance.com>

> On Thu, 21 Jan 2010, Zhiping Liu wrote:
>  Hi list, i have setup up an ipsec tunnel with another gateway,using
>> NETKEY,my linux box access the internet
>> with an ADSL cable.so i have to enable MASQUERADE like this:
>> iptables -t nat -A POSTROUTING  -o ppp0  -j MASQUERADE.
>> but with the nat rule,all package on my side never get into the ipsec
>> tunnel(but package from the other
>> side is fine),so i have to change my rule like this:
>> iptables -t nat -A POSTROUTING -d ! PEER NETWORK -o ppp0 -j MASQUERADE
>> This is not good,because if i add another ipsec tunnel on my box ,i have
>> to change the nat rule,i wonder if
>> there is a way that i can tell iptables :
>> iptables -t nat -A POSTROUTING (NOT IPSEC PACKAGE)  -o ppp0 -j MASQUERADE.
> You can use multiple -j RETURN statements for each remote network,
> followed by -j MASQUERADE. Or you can use the ipsec policy matching
> (-m ipsec i believe?)
> Paul

from Romeo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20100121/7687c789/attachment.html 

More information about the Users mailing list