Taylor Grant gtaylor at
Thu Apr 14 01:50:37 CEST 2005

> Couldn't he just SNAT the packets on his side when they become
> unencapsulated?  I'm doing this on a couple of my vpn links.

I don't think that you could just SNAT the packets that are on the way out because as I understand it SNAT happens in nat:POSTROUTING *after* the routing decision has been made.  I had originally thought that the IPSec traffic did pass through IPTables a couple of times, once unencrypted and then again encrypted.  But based on the LOG entries that he has presented the traffic only passes through IPTables one time on its way out, and a couple of times on its way in.  Seeing as how the traffic is only passing through IPTables one time on its way out, it is coming into the system from the LAN and immediately going into the IPSec stack and being encrypted and then sent out directly, leaving no chance for it to be SNATed before it enters the IPSec stack.  Reportedly there are some kernel patches to fix this issue, thus causing the packets to traverse IPTables twice, once unencrypted and once encrypted.  If the packets did indeed pass through IPTables twice they could be SNATed before they did enter the IPSec VPN.  The only caveat would be that the IPSec VPN would have to be configured to allow traffic from the 10.3.3.x/24 network vs his 10.2.2.x/24 network; this would have to be done on both ends too.

Grant. . . .
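As an added example (not from the original post or the netfilter project), the rule set below shows what the "SNAT before IPsec" idea looks like once netfilter can see the pre-encryption packet. It assumes a kernel with the xt_policy match (`-m policy`), which the 2005 kernels in this thread lacked, and uses a 1:1 NETMAP of the 10.2.2.0/24 LAN onto the 10.3.3.0/24 network the far end is told about; the peer address 192.0.2.1 is a constructed placeholder.

```shell
#!/bin/sh
# Added example: emit iptables commands that rewrite the source of LAN traffic
# before IPsec encapsulation. This only works when the kernel gives netfilter a
# pass over the still-unencrypted packet and exposes it via -m policy (assumed
# here); on kernels where the packet goes straight from routing into the IPsec
# stack, as described in the post, the NAT rule simply never matches.
#
# Arguments (all constructed for this example):
#   $1 lan_net    real LAN behind this gateway       (10.2.2.0/24 in the thread)
#   $2 mapped_net network the remote peer expects    (10.3.3.0/24 in the thread)
#   $3 peer       public address of the remote IPsec gateway (placeholder)
# The remote gateway must still be configured to accept mapped_net, as the
# post points out; nothing here changes that.

ipsec_snat_rules() {
    lan_net=$1; mapped_net=$2; peer=$3

    # Diagnostic: log unencrypted packets that the outbound IPsec policy will
    # encapsulate toward the peer. If this counter never increments, netfilter
    # is not seeing a pre-encryption pass and the NAT rule below cannot work.
    printf 'iptables -t mangle -A POSTROUTING -s %s -m policy --dir out --pol ipsec --tunnel-dst %s -j LOG --log-prefix "pre-esp: "\n' \
        "$lan_net" "$peer"

    # 1:1 mapping of lan_net onto mapped_net, restricted to packets that will be
    # encrypted for this peer, so ordinary Internet-bound traffic is untouched.
    printf 'iptables -t nat -A POSTROUTING -s %s -m policy --dir out --pol ipsec --tunnel-dst %s -j NETMAP --to %s\n' \
        "$lan_net" "$peer" "$mapped_net"

    # Reverse mapping for connections the far side initiates toward mapped_net:
    # only decrypted packets that arrived inside the tunnel from the peer qualify.
    printf 'iptables -t nat -A PREROUTING -d %s -m policy --dir in --pol ipsec --tunnel-src %s -j NETMAP --to %s\n' \
        "$mapped_net" "$peer" "$lan_net"
}

# Print the rules for review; pipe the output to sh as root to apply them.
ipsec_snat_rules "${1:-10.2.2.0/24}" "${2:-10.3.3.0/24}" "${3:-192.0.2.1}"
```

Conntrack handles the reply direction of LAN-initiated connections on its own; the PREROUTING rule is only needed for sessions that start on the remote side.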
