From: G Georgiev
Date: Fri, 12 May 2006 02:28:44 +0000
Subject: Re: [LARTC] SNAT on IPSEC tunnel with kernel 2.6/KAME tools?
Message-Id: <200605112228.44022.subscriptions@navig.ca>
References: <200605031322.30125.subscriptions@navig.ca>
In-Reply-To: <200605031322.30125.subscriptions@navig.ca>
To: lartc@vger.kernel.org

        OK,
        Found a solution - if someone is interested - assigned the near end of
the IPSEC tunnel address to the internal interface; this way got a
POSTROUTING chain available and did an SNAT there:

ip addr add 10.253.0.2 dev eth0; ip route add to unicast 192.168.4.0/24 via 10.253.0.2
iptables -t nat -A POSTROUTING -d 192.168.4.0/24 -j SNAT --to 10.253.0.2

        Looks to work just fine, despite being not so 'clean' - I would prefer
to have a separate interface for the VPN, not to assign an alias to eth0.
Does not work with lo instead of eth0.

        George.

On Thursday 11 May 2006 11:01 am, G Georgiev wrote:
> Could you (or someone else on the list) just tell me how this can be done
> with the netfilter? I could not find a way for it. I am with kernel
> 2.6.16-14
>
> now. The problem, again:
> > Could not conceive a working set-up for an IPSEC VPN made with
> > racoon/setkey on which I have one address on my side acting as an SNAT
> > router for all traffic from my network to a network segment on the far
> > side.
> >
> > my network --- my gateway ---------------------- remote network
> > 10.0.0.0/24 - 10.0.0.1 (10.253.0.2) -- tunnel - 192.168.0.0/22
> >
> > The VPN starts on the gateway, simply all traffic destined to
> > 192.168.0.0/22 should get an SNAT to 10.253.0.2 and go via the tunnel.
> > SNAT however is available only in POSTROUTING chain, and no outgoing
> > interface really exists with setkey.
> >
> > So, next rule should be implemented on the gateway: "Packets going
> > to 192.168.0.0/22 should be SNAT to 10.253.0.2 and go via the tunnel"
> > George.
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
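As an added example (not part of the post or of the LARTC list), a Python check for the set-up described above: it parses `iptables-save -t nat` and `setkey -DP` output and reports every POSTROUTING SNAT rule whose post-NAT source/destination pair is not covered by an outbound IPsec policy, i.e. NATed traffic that would leave the gateway in the clear. Both sample outputs are constructed, and the tunnel gateway addresses in the SPD entry are placeholders.

```python
import ipaddress
import re

# Constructed sample of `iptables-save -t nat` output for the set-up in the post:
# the SNAT rule for the far side of the tunnel, plus a second, hypothetical
# rule whose destination has no matching IPsec policy.
IPTABLES_NAT_SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -d 192.168.4.0/24 -j SNAT --to-source 10.253.0.2
-A POSTROUTING -d 192.168.8.0/24 -j SNAT --to-source 10.253.0.2
COMMIT
"""

# Constructed sample of `setkey -DP` output (KAME/ipsec-tools); the gateway
# addresses in the tunnel spec are placeholders.
SETKEY_SPD_SAMPLE = """\
10.253.0.2/32[any] 192.168.4.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-198.51.100.1/require
\tcreated: May 12 02:00:00 2006  lastused:
\tspid=1 seq=0 pid=1234
"""

SNAT_RE = re.compile(r"-A POSTROUTING .*-d (\S+) .*-j SNAT --to-source (\S+)")
SPD_RE = re.compile(r"^(\S+?)\[\S*\] (\S+?)\[\S*\] \S+\n\t(in|out) ipsec", re.M)

def parse_snat_rules(text):
    """(destination network, post-NAT source) for each POSTROUTING SNAT rule."""
    return [(ipaddress.ip_network(d), ipaddress.ip_address(s))
            for d, s in SNAT_RE.findall(text)]

def parse_out_policies(text):
    """(source network, destination network) for each outbound 'ipsec' SPD entry."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d))
            for s, d, direction in SPD_RE.findall(text) if direction == "out"]

def uncovered_snat_rules(nat_text, spd_text):
    """SNAT rules whose post-NAT flow matches no outbound IPsec policy: that
    traffic would be NATed but leave the gateway unencrypted."""
    policies = parse_out_policies(spd_text)
    leaks = []
    for dst_net, new_src in parse_snat_rules(nat_text):
        if not any(new_src in p_src and dst_net.subnet_of(p_dst)
                   for p_src, p_dst in policies):
            leaks.append((str(dst_net), str(new_src)))
    return leaks

for dst, src in uncovered_snat_rules(IPTABLES_NAT_SAMPLE, SETKEY_SPD_SAMPLE):
    print(f"WARNING: SNAT to {src} for {dst} has no outbound IPsec policy")
```

On a real gateway, feed the two functions the live output of `iptables-save -t nat` and `setkey -DP` instead of the constructed samples.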