From: Daniel Lopes <lopsch@lopsch.com>
To: netfilter@lists.netfilter.org
Subject: Re: Iptables, nat, and IPSec
Date: Wed, 06 Apr 2005 04:10:11 +0200
Message-ID: <42534503.2070801@lopsch.com>
In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAqrTb2LYes02Oflamihm4w8KAAAAQAAAA4U2BieFWiUege5oTSkUNnQEAAAAA@rogers.com>

dave beach wrote:
> I have a class C private net behind both a dedicated linux/iptables box and
> a Linksys BEFSR41 broadband router. Traffic outbound from the iptables box
> to the router is DNATted to that machine's "external" (but still private) IP
> by iptables, and NATted again by the router to ITS external (public) IP.
> Everything works fine, except...
> 
> I need to be able to run two concurrent passthrough IPSec sessions outbound
> through that configuration. Singly, they work fine. When run concurrently,
> the second one to try and connect to the office VPN (the IPSec requirement)
> fails.
> 
> Digging through Linksys documentation reveals that this particular router
> will not support more than one passthrough IPSec session. Before I go and
> drop money on a replacement router (such as the BEFSX41), are there inherent
> limitations with iptables (or, probably more accurately) with NAT/IPSec
> generally, that would render such a purchase a waste of money in that it
> wouldn't solve my problem?
> 
> Of course, I COULD bypass the iptables box and plug the second connecting
> device right into the (new) router, but I'd rather not do that if I don't
> have to.
> 
It's an IPSec problem. I don't want to go into detail but you probably 
should try NAT-Traversal.
For the theory http://www.ipsec-howto.org/x180.html
And the outbound traffic from the linux box to the router probably is 
SNATed ;).
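To make the reply concrete, here is an added toy model (not code from this thread or from any of the products it names) of why a port-translating NAT can only carry one plain ESP session per peer, while NAT-Traversal's ESP-in-UDP/4500 encapsulation gives each inside host its own translated port. The addresses and the NAT's behaviour are constructed assumptions for illustration.

```python
from collections import namedtuple

ESP = 50            # IP protocol number for ESP: carries no transport ports
UDP = 17
NAT_T_PORT = 4500   # UDP port used by NAT-Traversal (ESP-in-UDP, RFC 3948)
PEER = "198.51.100.7"   # constructed address of the office VPN gateway

# sport/dport are None for protocols that have no ports, such as ESP
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))

class Nat:
    """Toy port-translating NAT (what a home router or iptables SNAT does)."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.esp_owner = {}   # peer address -> the one inside host using ESP
        self.udp_ports = {}   # (src, sport, dst, dport) -> public source port

    def translate_out(self, pkt):
        """Return the translated packet, or None if the NAT cannot map it."""
        if pkt.proto == ESP:
            # Plain ESP has no ports, so return traffic from one peer can only
            # be matched by (proto, peer): a second inside host collides.
            owner = self.esp_owner.setdefault(pkt.dst, pkt.src)
            if owner != pkt.src:
                return None   # second concurrent ESP session to PEER fails
            return Packet(ESP, self.public_ip, pkt.dst)
        # UDP (NAT-T included): each inside flow gets its own public port,
        # so two ESP-in-UDP sessions to the same peer stay separable.
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.udp_ports:
            self.udp_ports[flow] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst,
                      self.udp_ports[flow], pkt.dport)

def working_sessions(nat_t):
    """Two inside hosts each open IPsec to PEER through one NAT; count how
    many of them get a usable outbound translation."""
    nat = Nat("203.0.113.1")   # constructed public address of the router
    ok = 0
    for host in ("192.168.1.10", "192.168.1.11"):
        if nat_t:
            pkt = Packet(UDP, host, PEER, NAT_T_PORT, NAT_T_PORT)
        else:
            pkt = Packet(ESP, host, PEER)
        if nat.translate_out(pkt) is not None:
            ok += 1
    return ok
```

With plain ESP only the first host's session survives the NAT; with NAT-T both do, which is the behaviour the router documentation describes and the reason a second NAT hop (iptables SNAT) does not change the outcome.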

