Iptables, nat, and IPSec
drbeach at rogers.com
Wed Apr 6 04:30:54 CEST 2005
Er, yes, SNATted. Silly fingers, won't type what's in my head.
I'll have a look at the link, but on the face of it the Linksys glossies
seem to say it should work just fine absent the iptables middleman - in
other words, the router doing DHCP on the "inside" with a class C private
net, and knowing how to route multiple IPSec passthrough connections to
their appropriate internal destinations.
That doesn't seem, at first glance, to square with "it's an IPSec problem" -
but maybe the Linksys documentation is... Optimistic.
From: netfilter-bounces at lists.netfilter.org
[mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of Daniel Lopes
Sent: April 5, 2005 10:10 PM
To: netfilter at lists.netfilter.org
Subject: Re: Iptables, nat, and IPSec
dave beach schrieb:
> I have a class C private net behind both a dedicated linux/iptables
> box and a Linksys BEFSR41 broadband router. Traffic outbound from the
> iptables box to the router is DNATted to that machine's "external"
> (but still private) IP by iptables, and NATted again by the router to ITS
> external (public) IP.
> Everything works fine, except...
> I need to be able to run two concurrent passthrough IPSec sessions
> outbound through that configuration. Singly, they work fine. When run
> concurrently, the second one to try and connect to the office VPN (the
> IPSec requirement) fails.
> Digging through Linksys documentation reveals that this particular
> router will not support more than one passthrough IPSec session.
> Before I go and drop money on a replacement router (such as the
> BEFSX41), are there inherent limitations with iptables (or, probably
> more accurately) with NAT/IPSec generally, that would render such a
> purchase a waste of money in that it wouldn't solve my problem?
> Of course, I COULD bypass the iptables box and plug the second
> connecting device right into the (new) router, but I'd rather not do
> that if I don't have to.
It's an IPSec problem. I don't want to go into detail but you probably
should try NAT-Traversal.
For the theory http://www.ipsec-howto.org/x180.html
And the outbound traffic from the linux box to the router probably is SNATed
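The reason NAT-Traversal is the fix, shown as a small added simulation that is not part of this thread and not netfilter's conntrack code or the Linksys firmware: plain ESP (IP protocol 50) carries no transport-layer ports, so a masquerading device can only key a return-path entry on the remote gateway address, and two inside hosts tunnelling to the same office VPN gateway are indistinguishable on the way back in. With NAT-T (RFC 3948) the ESP is wrapped in UDP/4500, the NAT has a source port to rewrite, and each session gets its own table entry. The addresses are constructed documentation-range values, and the first-mapping-wins rule for ESP is a modelling assumption (real devices vary in how the second session breaks, but it does break).

```python
"""Toy NAPT model: two inside hosts open IPsec tunnels to the same gateway,
first with plain ESP, then with UDP-encapsulated ESP (NAT-T).

Illustrative simulation only; addresses are constructed, and the
first-mapping-wins behaviour for ESP is an assumption about the NAT.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ESP = 50          # IP protocol number; the ESP header has no port fields
UDP = 17
NAT_T_PORT = 4500  # UDP-encapsulated ESP, RFC 3948


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP: nothing to rewrite
    dport: Optional[int] = None


# Table key: (proto, public-side port, remote ip, remote port). For ESP both
# port slots are None, so the key collapses to (50, None, gateway, None).
Key = Tuple[int, Optional[int], str, Optional[int]]


@dataclass
class Napt:
    public_ip: str
    next_port: int = 40000  # constructed start of the allocated port range
    table: Dict[Key, Tuple[str, Optional[int]]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate inside->outside and record the entry for the return path."""
        if pkt.proto == UDP:
            pub_port = self.next_port
            self.next_port += 1
            self.table[(UDP, pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            return Packet(UDP, self.public_ip, pkt.dst, pub_port, pkt.dport)
        if pkt.proto == ESP:
            key: Key = (ESP, None, pkt.dst, None)
            # No port to rewrite, so the entry can only be keyed on the peer
            # address; the first inside host to claim the gateway keeps it.
            self.table.setdefault(key, (pkt.src, None))
            return Packet(ESP, self.public_ip, pkt.dst)
        raise ValueError(f"protocol {pkt.proto} not modelled")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate outside->inside, or return None (dropped) without state."""
        inside = self.table.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None
        ip, port = inside
        return Packet(pkt.proto, pkt.src, ip, pkt.sport, port)


def run_two_sessions(nat_traversal: bool) -> Dict[str, Optional[str]]:
    """Tunnel from each of two inside hosts to one gateway; report which
    inside address the gateway's reply for that host is delivered to."""
    nat = Napt(public_ip="203.0.113.7")
    gateway = "198.51.100.1"
    delivered: Dict[str, Optional[str]] = {}
    for host in ("192.168.1.10", "192.168.1.11"):
        if nat_traversal:
            out = nat.outbound(Packet(UDP, host, gateway, NAT_T_PORT, NAT_T_PORT))
            reply = Packet(UDP, gateway, nat.public_ip, NAT_T_PORT, out.sport)
        else:
            nat.outbound(Packet(ESP, host, gateway))
            reply = Packet(ESP, gateway, nat.public_ip)
        back = nat.inbound(reply)
        delivered[host] = back.dst if back else None
    return delivered


if __name__ == "__main__":
    # Plain ESP: the second host's replies land on the first host, so its
    # session never comes up. NAT-T: each host gets its own replies.
    print("plain ESP:", run_two_sessions(nat_traversal=False))
    print("NAT-T    :", run_two_sessions(nat_traversal=True))
```

Whether the NAT is the iptables box, the Linksys, or both in series makes no difference to the model: every hop that has to rewrite addresses faces the same missing-port problem for ESP, and NAT-T on both VPN peers removes it at every hop at once.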