SNAT and IPSEC

Daniel Lopes lopsch at lopsch.com
Wed Apr 13 18:00:37 CEST 2005


Eduardo Spremolla schrieb:
> How can I know if the patches are in my version:
> 
> kernel 		2.6.10-1.771_FC2
> iptables 	1.2.9-2.3.1
> ipsec-tools 	0.5-2.fc2
> 
> I will test it. I did not set the POSTROUTING SNAT rule, since I
> understand make no sense in the ESP packet.
> 
> Thanks for the clue.
> 
> LALO
> 
> On Wed, 2005-04-13 at 10:58 -0400, Jason Opperisano wrote:
> 
>>On Tue, Apr 12, 2005 at 03:08:12PM -0300, Eduardo Spremolla wrote:
>>
>>>I have 2 local networks 10.2.2.0/24 and 10.37.130.0/24 interconnected by
>>>a ipsec tunnel running on kernel 2.6 native ipsec. So far so good.
>>>
>>>Now the admin of 10.37.130.0 wants me to NAT my network to 10.3.3.0
>>>because he had a ip conflict. I cant SNAT because when the packet goes
>>>to nat post it has been encapsulated in ESP and had the firewalls
>>>address, as you can see in the bottom log snipe.I try to use NETMAP in
>>>mangle PREROUTING, but it changes the dest ip , not the source.
>>>
>>>Is this possible?
>>>
>>>Thanks in advance for any clue.
>>
>>dunno if this will help or not; as i have lost my test lab, but have you
>>applied the ipsec patches from PoM:
>>
>>  ipsec-01-output-hooks
>>  ipsec-02-input-hooks
>>  ipsec-03-policy-lookup
>>  ipsec-04-policy-checks
>>
>>it is my understanding that these patches make packets traverse the
>>netfilter hooks twice:  once clear, and again encrypted.
>>
>>-j
>>
>>--
>>"Peter: I call it... Petoria. I was going to call it Peterland,
>> but that gay bar by the airport took it."
>>        --Family Guy
>>
> 
> 
> 
> Este e-mail y cualquier posible archivo adjunto está dirigido únicamente al destinatario del mensaje y contiene información que puede ser confidencial. Si Ud. no es el destinatario correcto por favor notifique al remitente respondiendo este mensaje y elimine inmediatamente el e-mail y los posibles archivos adjuntos al mismo de su sistema. Está prohibida cualquier utilización, difusión o copia de este e-mail por cualquier persona o entidad que no sean las específicas destinatarias del mensaje. ANTEL no acepta ninguna responsabilidad con respecto a cualquier comunicación que haya sido emitida incumpliendo nuestra Política de Seguridad de la Información.
> . . . . . . . . .
> This e-mail and any attachment is confidential and is intended solely for the addressee(s). If you are not intended recipient please inform the sender inmediately, answering this e-mail and delete it as well as the attached files. Any use, circulation or copy of this e-mail by any person or entity that not is the specific addressee(s) is prohibited. ANTEL is not responsible for any communication emitted without respecting our Information Security Policy.
> 
> 

Yes try the patches that should. Because in my understandig normally the 
  packets pass a chain only once encrypted or plain. This is so because 
of the IPSec hooks within the Netfilter hooks and how they work. So 
patching could also it complicates the IPSec handling for the kernel but 
as long as it is transparent to the user ;).



More information about the netfilter mailing list