SNAT and IPSEC
lopsch at lopsch.com
Tue Apr 12 21:11:27 CEST 2005
Eduardo Spremolla wrote:
> I have 2 local networks, 10.2.2.0/24 and 10.37.130.0/24, interconnected by
> an IPsec tunnel running on the kernel 2.6 native IPsec. So far so good.
> Now the admin of 10.37.130.0 wants me to NAT my network to 10.3.3.0
> because he had an IP conflict. I can't SNAT because when the packet goes
> to nat POSTROUTING it has already been encapsulated in ESP and has the firewall's
> address, as you can see in the log snippet at the bottom. I tried to use NETMAP in
> mangle PREROUTING, but it changes the destination IP, not the source.
> Is this possible?
> Thanks in advance for any clue.
According to http://www.shorewall.net/netmap.html (though I don't
really know how and when NETMAP interacts), it should work if you use an
interface for IPsec, like the alternative IPsec stack implemented by
FreeS/WAN. For the native stack I don't know whether it will work; you would
need to know exactly when it interacts. It will probably only work when
implemented directly into the IPsec stack.
More information about the netfilter