Iptables, nat, and IPSec

dave beach drbeach at rogers.com
Wed Apr 6 04:30:54 CEST 2005


Er, yes, SNATted. Silly fingers, won't type what's in my head.

I'll have a look at the link, but on the face of it the Linksys glossies
seem to say it should work just fine absent the iptables middleman - in
other words, the router doing DHCP on the "inside" with a class C private
net, and knowing how to route multiple IPSec passthrough connections to
their appropriate internal destinations.

That doesn't seem, at first glance, to square with "it's an IPSec problem" -
but maybe the Linksys documentation is... Optimistic. 

-----Original Message-----
From: netfilter-bounces at lists.netfilter.org
[mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of Daniel Lopes
Sent: April 5, 2005 10:10 PM
To: netfilter at lists.netfilter.org
Subject: Re: Iptables, nat, and IPSec

dave beach schrieb:
> I have a class C private net behind both a dedicated linux/iptables 
> box and a Linksys BEFSR41 broadband router. Traffic outbound from the 
> iptables box to the router is DNATted to that machine's "external" 
> (but still private) IP by iptables, and NATted again by the router to ITS
external (public) IP.
> Everything works fine, except...
> 
> I need to be able to run two concurrent passthrough IPSec sessions 
> outbound through that configuration. Singly, they work fine. When run 
> concurrently, the second one to try and connect to the office VPN (the 
> IPSec requirement) fails.
> 
> Digging through Linksys documentation reveals that this particular 
> router will not support more than one passthrough IPSec session. 
> Before I go and drop money on a replacement router (such as the 
> BEFSX41), are there inherent limitations with iptables (or, probably 
> more accurately) with NAT/IPSec generally, that would render such a 
> purchase a waste of money in that it wouldn't solve my problem?
> 
> Of course, I COULD bypass the iptables box and plug the second 
> connecting device right into the (new) router, but I'd rather not do 
> that if I don't have to.
> 
> 
It´s an IPSec problem. I don´t want to go into detail but you probably
should try NAT-Traversal.
For the theory http://www.ipsec-howto.org/x180.html
And the outbound traffic from the linux box to the router probably is SNATed
;).




More information about the netfilter mailing list