PREROUTING, DNAT and IPSEC

danci at agenda.si danci at agenda.si
Mon Apr 18 12:53:31 CEST 2005


Hi!

I have three networks which are connected via IPSEC. One of them is 
'primary' - that means it is used for all incoming stuff (mail, web, ...), 
the other are 'remote'.

I need to allow some clients to connect to specific hosts inside of those 
networks - two TCP connections in each network.

Since I'd like to keep things centralised and network performance is not a 
huge issue, I was going to do a PREROUTING DNAT for those connection, 
using unique listening ports and DNAT-ing them to three internal IPs - one 
of them is in the 'primary' network, the other two are on the 'remote' 
networks.

While this works fine for the IP in the 'primary' network, it doesn't work 
for the other two. I guess it has something to do with IPSEC, but I can't 
figure it out.

Any ideas?

  Danilo

PS: The 'primary' IPSEC server is SuSE 9.1 with 2.6.5 kernel and 
freeswan-2.04_1.5.4 installed - it has no ipsec0 interface. The other 
IPSEC machines have older distibtutions, kernel and freeswan (1.91_0.9.1 
in one case).



More information about the netfilter mailing list