SNAT and IPSEC

Eduardo Spremolla edspremolla at antel.com.uy
Wed Apr 13 17:45:51 CEST 2005


How can I know if the patches are in my version:

kernel 		2.6.10-1.771_FC2
iptables 	1.2.9-2.3.1
ipsec-tools 	0.5-2.fc2

I will test it. I did not set the POSTROUTING SNAT rule, since I
understand make no sense in the ESP packet.

Thanks for the clue.

LALO

On Wed, 2005-04-13 at 10:58 -0400, Jason Opperisano wrote:
> On Tue, Apr 12, 2005 at 03:08:12PM -0300, Eduardo Spremolla wrote:
> > I have 2 local networks 10.2.2.0/24 and 10.37.130.0/24 interconnected by
> > a ipsec tunnel running on kernel 2.6 native ipsec. So far so good.
> > 
> > Now the admin of 10.37.130.0 wants me to NAT my network to 10.3.3.0
> > because he had a ip conflict. I cant SNAT because when the packet goes
> > to nat post it has been encapsulated in ESP and had the firewalls
> > address, as you can see in the bottom log snipe.I try to use NETMAP in
> > mangle PREROUTING, but it changes the dest ip , not the source.
> > 
> > Is this possible?
> > 
> > Thanks in advance for any clue.
> 
> dunno if this will help or not; as i have lost my test lab, but have you
> applied the ipsec patches from PoM:
> 
>   ipsec-01-output-hooks
>   ipsec-02-input-hooks
>   ipsec-03-policy-lookup
>   ipsec-04-policy-checks
> 
> it is my understanding that these patches make packets traverse the
> netfilter hooks twice:  once clear, and again encrypted.
> 
> -j
> 
> --
> "Peter: I call it... Petoria. I was going to call it Peterland,
>  but that gay bar by the airport took it."
>         --Family Guy
> 


Este e-mail y cualquier posible archivo adjunto está dirigido únicamente al destinatario del mensaje y contiene información que puede ser confidencial. Si Ud. no es el destinatario correcto por favor notifique al remitente respondiendo este mensaje y elimine inmediatamente el e-mail y los posibles archivos adjuntos al mismo de su sistema. Está prohibida cualquier utilización, difusión o copia de este e-mail por cualquier persona o entidad que no sean las específicas destinatarias del mensaje. ANTEL no acepta ninguna responsabilidad con respecto a cualquier comunicación que haya sido emitida incumpliendo nuestra Política de Seguridad de la Información.
. . . . . . . . .
This e-mail and any attachment is confidential and is intended solely for the addressee(s). If you are not intended recipient please inform the sender inmediately, answering this e-mail and delete it as well as the attached files. Any use, circulation or copy of this e-mail by any person or entity that not is the specific addressee(s) is prohibited. ANTEL is not responsible for any communication emitted without respecting our Information Security Policy.



More information about the netfilter mailing list