[Openswan Users] netkey nat problem

Zhiping Liu flyingzpl at gmail.com
Thu Jan 21 02:49:41 EST 2010


Thanks Paul.

As you mentioned, I just found out iptables has an ipsec policy module; I insert
this rule:
iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
before anything in nat POSTROUTING.


--multiple -j RETURN statements for each remote network
If I add/delete a tunnel, I have to change the iptables rules; the policy module
is cool...
Everything is OK now.


2010/1/21 Paul Wouters <paul at xelerance.com>

> On Thu, 21 Jan 2010, Zhiping Liu wrote:
>
>> Hi list, I have set up an ipsec tunnel with another gateway, using
>> NETKEY; my Linux box accesses the internet
>> with an ADSL cable, so I have to enable MASQUERADE like this:
>> iptables -t nat -A POSTROUTING  -o ppp0  -j MASQUERADE.
>>
>> But with the nat rule, all packets on my side never get into the ipsec
>> tunnel (but packets from the other
>> side are fine), so I have to change my rule like this:
>>
>> iptables -t nat -A POSTROUTING -d ! PEER NETWORK -o ppp0 -j MASQUERADE
>> #PEER NETWORK set
>>
>> This is not good, because if I add another ipsec tunnel on my box, I have
>> to change the nat rule. I wonder if
>> there is a way that I can tell iptables:
>> iptables -t nat -A POSTROUTING (NOT IPSEC PACKET)  -o ppp0 -j MASQUERADE.
>>
>
> You can use multiple -j RETURN statements for each remote network,
> followed by -j MASQUERADE. Or you can use the ipsec policy matching
> (-m ipsec I believe?)
>
> Paul
>



-- 
from Romeo
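An added example, not part of this thread: a small POSIX shell script that installs the rule order the reply settles on (the ipsec policy match first, then MASQUERADE on the ADSL interface) and a check that verifies that order from `iptables -t nat -S POSTROUTING` output, since a MASQUERADE rule listed earlier silently shadows the exclusion. It assumes the outside interface is ppp0, as in the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes the outside
# interface is ppp0 and that the nat table is managed with iptables.

WAN_IF="${WAN_IF:-ppp0}"

# Rule order matters: the policy match is inserted at position 1 so packets
# that will be IPsec-encapsulated are never source-NATed, no matter how many
# tunnels exist. MASQUERADE is appended after it for everything else.
install_rules() {
    iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT
    iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# check_order reads `iptables -t nat -S POSTROUTING` output on stdin and
# returns 0 only if the ipsec policy ACCEPT rule appears before the first
# MASQUERADE rule; any other arrangement (missing, or listed after) fails.
check_order() {
    awk '
        /-m policy --dir out --pol ipsec -j ACCEPT/ && !pol  { pol = NR }
        /-j MASQUERADE/ && !masq                             { masq = NR }
        END { exit !(pol && (!masq || pol < masq)) }
    '
}

# Check the live chain (requires root and iptables on the host).
check_live_order() {
    iptables -t nat -S POSTROUTING | check_order
}

# Constructed sample of `iptables -t nat -S POSTROUTING` output in the order
# the thread recommends (policy match before MASQUERADE).
GOOD_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o ppp0 -j MASQUERADE'

# Constructed sample in the broken order: the source address is rewritten
# before the IPsec policy lookup, so tunnel traffic no longer matches.
BAD_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT'

# Apply the rules only when explicitly asked: `sh nat-ipsec.sh apply`
if [ "${1:-}" = "apply" ]; then
    install_rules && check_live_order
fi
```

Run `printf '%s\n' "$GOOD_RULES" | check_order` to see the check pass on the sample; the BAD_RULES sample fails it.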