ipsec NAT pass through rule(s)?

rabbtux rabbtux rabbtux at gmail.com
Mon Dec 11 07:33:15 CET 2006


Cedric, I understand how to do NAT to IPsec ports and all others. My
question is about any special rules required so that the encrypted
IPsec TCP headers don't get mangled. I recall that parts of the TCP
header about the source address get encrypted and that this can break
the VPN through masqueraded (NATed) connections.

On 12/10/06, Cedric Blancher <blancher at cartel-securite.fr> wrote:
> On Saturday 09 December 2006 at 15:47 -0800, rabbtux rabbtux wrote:
> > Anyone have suggestions for a rule to allow IPsec packets to pass from
> > a NATed subnet? I know Linksys, D-Link, et al. have a firewall
> > checkbox to allow IPsec VPNs to work.
>
> IPsec implies IP protocols 50 (ESP) and sometimes 51 (AH). Therefore,
> you have to handle them both. A (very) quick'n'dirty ESP NAT would be:
>
>         iptables -t nat -A POSTROUTING -p 50 -j MASQUERADE
>         iptables -A FORWARD -p 50 -j ACCEPT
>
> Now, just adapt this to your own situation and push some rules with
> subnet addresses, input and output interfaces, etc.
>
>
> --
> http://sid.rstack.org/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread!
>
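The script below is an added example, not part of the thread and not Cedric's or the netfilter project's code. It takes his two-line ESP rule and does the "adapt this to your own situation" step: the rules are scoped to an inside interface, an outside interface and an inside subnet, AH (51) and the IKE/NAT-T UDP ports (500, 4500) are added beside ESP (50), and the return path is limited to conntrack-established traffic. The interface names `eth1`/`eth0`, the subnet `192.168.1.0/24`, the function name `ipsec_nat_rules` and the `APPLY` switch are all assumptions for illustration. The comments also carry the answer to the question in the reply above: AH authenticates the outer IP header, so address rewriting breaks it regardless of firewall rules, and raw ESP has no ports for the NAT to map, so without NAT-T only one inside host per remote peer can be expected to work.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the netfilter rules
# that let an IPsec client on a masqueraded LAN reach a remote gateway.
# Interface names and the subnet are illustrative assumptions; adapt them.
# Rules are printed by default; set APPLY=1 to execute them instead.

ipsec_nat_rules() {
    lan_if="$1"    # inside interface, e.g. eth1
    wan_if="$2"    # outside (masqueraded) interface, e.g. eth0
    lan_net="$3"   # inside subnet, e.g. 192.168.1.0/24

    # Print a rule, or run it when APPLY=1.
    run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

    # IKE (UDP 500) and NAT-T encapsulated ESP (UDP 4500) carry ports, so
    # ordinary masquerading can map replies back to many inside hosts.
    for port in 500 4500; do
        run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -p udp --dport "$port" -j MASQUERADE
        run iptables -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_net" -p udp --dport "$port" -j ACCEPT
    done

    # Raw ESP (50) and AH (51) have no ports. The generic conntrack tracker
    # keys on addresses only, so expect one working tunnel per remote peer
    # unless NAT-T is negotiated. AH also authenticates the outer IP header,
    # so masquerading breaks it; the rule is listed only for completeness.
    for proto in 50 51; do
        run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -p "$proto" -j MASQUERADE
        run iptables -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_net" -p "$proto" -j ACCEPT
    done

    # Return traffic is admitted only when conntrack already knows the flow.
    run iptables -A FORWARD -i "$wan_if" -o "$lan_if" -d "$lan_net" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage: ipsec-nat.sh [lan_if] [wan_if] [lan_net]; defaults are assumptions.
ipsec_nat_rules "${1:-eth1}" "${2:-eth0}" "${3:-192.168.1.0/24}"
```

Run it once without `APPLY` to review the generated rules, then with `APPLY=1` as root on the NAT box. The ESP rule alone is what the thread shows; the UDP 4500 rule is the one that actually makes several inside hosts work against the same peer, because only NAT-T gives the masquerading code a port to rewrite.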


