SNAT and IPSEC

Alexander Samad alex at samad.com.au
Thu Apr 14 07:05:56 CEST 2005


On Wed, Apr 13, 2005 at 06:50:37PM -0500, Taylor Grant wrote:
> >Couldn't he just SNAT the packets on his side when they become un-
> >encapsulated?  I'm doing this on a couple of my vpn links.
> 
> I don't think that you could just SNAT the packets that are on the way out 
> because as I understand it SNAT happens in nat:POSTROUTING *after* the 
> routing decision has been made.  I had originally thought that the IPSec 
> traffic did pass through IPTables a couple of times, once unencrypted and 
> then again encrypted.  But based on the LOG entries that he has presented 
> the traffic only passes through IPTables one time on it's way out, and a 
> couple of times on it's way in.  Seeing as how the traffic is only passing 
> through IPTables one time on it's way out, it is coming in to the system 
> from the LAN and immediately going in to the IPSec stack and being 
> encrypted and then sent out directly, leaving no chance for it to be SNATed 
> before it enters the IPSec stack.  Reportedly there are some kernel patches 
> to fix this issues thus causing the packets to traverse IPTables twice, 
> once unencrypted and once encrypted.  If the packets did indeed pass 
> through IPTables twice they could be SNATe
> d before they did enter the IPSec VPN.  The only caveat would be that the 
> IPSec VPN would have to be configured to allow traffic from the 10.3.3.x/24 
> network vs his 10.2.2.x/24 network, this would have to be done on both ends 
> too.

these pacthes exist in pom-ng and I believe have made it into 2.6.8 and
above (not sure about the entry version)

> 
> 
> 
> Grant. . . .
> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : /pipermail/netfilter/attachments/20050414/f0807492/attachment.bin


More information about the netfilter mailing list