* NAT with latest netfilter ipsec patches
@ 2005-11-19 0:58 Rolf Offermanns
2005-11-19 7:27 ` Sorin Panca
0 siblings, 1 reply; 3+ messages in thread
From: Rolf Offermanns @ 2005-11-19 0:58 UTC (permalink / raw)
To: netfilter
Hi All!
I have tried to finally get NAT over IPSec working with Patrick's last patches
applied to 2.6.14.2 (+ UFO scatter-gather patch from git > 2.6.14).
Is this supposed to work?
I get as far as this:
172.20.0.0/14 <--> w.x.y.z <-~~~-> a.b.c.d <--> 192.168.0.1/ <--> 192.168.0.2
REMOTE NET         VPN-GW  I-NET   DSL-ROUTER   ROADWARRIOR       HOST B
                                                (V-IP:172.24.0.17)
Host B has the following routing table entry:
route add -net 172.20.0.0 netmask 255.252.0.0 gw 192.168.0.1
ROADWARRIOR runs the kernel described above with strongswan-2.5.2 and the
following iptables entry:
iptables -I POSTROUTING -t nat -d 172.20.0.0/14 -j SNAT \
--to-source 172.24.0.17
If I run a ping 172.22.1.1 from HOST B,
tcpdump on the roadwarrior shows the following:
01:46:30.813959 IP 192.168.0.2 > 172.22.1.1: icmp 64: echo request seq 53
01:46:30.816474 IP 192.168.0.1.4500 > w.x.y.z.4500: UDP, length: 116
01:46:30.833995 IP w.x.y.z.4500 > 192.168.0.1.4500: UDP, length: 116
01:46:30.833995 IP 172.22.1.1 > 172.24.0.17: icmp 64: echo reply seq 53
But the reply packet never reaches HOST B.
Am I missing something?
Thanks,
Rolf
* Re: NAT with latest netfilter ipsec patches
2005-11-19 0:58 NAT with latest netfilter ipsec patches Rolf Offermanns
@ 2005-11-19 7:27 ` Sorin Panca
2005-11-19 10:13 ` Rolf Offermanns
0 siblings, 1 reply; 3+ messages in thread
From: Sorin Panca @ 2005-11-19 7:27 UTC (permalink / raw)
Cc: netfilter
Rolf Offermanns wrote:
> Hi All!
Hi!
> Host B has the following routing table entry:
> route add -net 172.20.0.0 netmask 255.252.0.0 gw 192.168.0.1
the gateway must be on the same physical network as the host: 172.24.0.17
> Thanks,
> Rolf
You are welcome!
* Re: NAT with latest netfilter ipsec patches
2005-11-19 7:27 ` Sorin Panca
@ 2005-11-19 10:13 ` Rolf Offermanns
0 siblings, 0 replies; 3+ messages in thread
From: Rolf Offermanns @ 2005-11-19 10:13 UTC (permalink / raw)
To: netfilter
On Saturday 19 November 2005 08:27, Sorin Panca wrote:
> Rolf Offermanns wrote:
> > Hi All!
>
> Hi!
>
> > Host B has the following routing table entry:
> > route add -net 172.20.0.0 netmask 255.252.0.0 gw 192.168.0.1
>
> the gateway must be on the same physical network as the host: 172.24.0.17
This is not the problem. The network between Host B and the gw is
192.168.0.0/24. I want the gw to SNAT all packets to 172.20.0.0/14 to source
ip 172.24.0.17 and this is the virtual IP address (strongswan feature
leftsourceip) used in the tunnel.
The routing *is* working, my ping packets from Host B to a host in the remote
network *do* reach the destination and the echo reply gets back to the gw,
but it does not leave the gw, so without knowing the internals, I would say
the de-NATing fails.
-Rolf
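The SNAT rule from the first post and the "de-NATing" step Rolf suspects in the last reply, as an added example in Python that is not code from the thread, netfilter or strongswan. It models the roadwarrior gateway with the single POSTROUTING SNAT rule, records the conntrack entry that rule creates, and then runs the echo reply through (or past) the reverse translation. The addresses are the ones in the thread; the ICMP identifier, the `reverse_nat_applied` switch (standing in for whether the decrypted reply is handed back to conntrack at all) and the `deliver()` routing stub are constructed for the demo.

```python
"""Toy model of the SNAT and reverse-NAT steps discussed in this thread.

Added example, not code from the thread, netfilter or strongswan. It models
the roadwarrior gateway with the one POSTROUTING SNAT rule from the first
post and shows what has to happen to the echo reply on the way back. The
addresses are the ones in the thread; the ICMP identifier, the
reverse_nat_applied switch and the deliver() routing stub are constructed.
"""
from dataclasses import dataclass, replace
import ipaddress

ROADWARRIOR_VIP = "172.24.0.17"            # strongswan leftsourceip
HOST_B = "192.168.0.2"
LAN = ipaddress.ip_network("192.168.0.0/24")
REMOTE_NET = ipaddress.ip_network("172.20.0.0/14")


@dataclass(frozen=True)
class IcmpEcho:
    src: str
    dst: str
    icmp_id: int            # echo identifier; conntrack keys ICMP flows on it
    reply: bool = False     # False = echo request, True = echo reply


class Gateway:
    """POSTROUTING SNAT plus the conntrack table needed to undo it."""

    def __init__(self):
        # expected reply tuple (src, dst, id) -> original source to restore
        self.conntrack = {}

    def postrouting(self, pkt):
        """iptables -t nat -I POSTROUTING -d 172.20.0.0/14 -j SNAT --to-source 172.24.0.17"""
        if pkt.reply or ipaddress.ip_address(pkt.dst) not in REMOTE_NET:
            return pkt
        # Remember what the answer will look like so it can be mapped back.
        self.conntrack[(pkt.dst, ROADWARRIOR_VIP, pkt.icmp_id)] = pkt.src
        return replace(pkt, src=ROADWARRIOR_VIP)

    def inbound(self, pkt):
        """Reverse translation conntrack applies to a decrypted reply."""
        key = (pkt.src, pkt.dst, pkt.icmp_id)
        if pkt.reply and key in self.conntrack:
            return replace(pkt, dst=self.conntrack[key])
        return pkt          # no matching flow: packet left untouched


def deliver(pkt):
    """Constructed routing stub: where the gateway sends a packet."""
    if pkt.dst == ROADWARRIOR_VIP:
        return "local"       # addressed to the gateway's own VIP, never forwarded
    if ipaddress.ip_address(pkt.dst) in LAN:
        return "lan"         # forwarded towards Host B
    return "tunnel"


def ping_round_trip(gw, reverse_nat_applied, reply_id=None):
    """Run one echo request/reply through the gateway.

    Returns (packet sent into the tunnel, packet after inbound processing,
    where that packet is delivered). reply_id lets a caller simulate a
    reply whose identifier no longer matches the conntrack entry.
    """
    req = IcmpEcho(src=HOST_B, dst="172.22.1.1", icmp_id=0x1234)
    out = gw.postrouting(req)          # source rewritten to the VIP before encryption
    rep = IcmpEcho(src=out.dst, dst=out.src,
                   icmp_id=out.icmp_id if reply_id is None else reply_id,
                   reply=True)          # 172.22.1.1 > 172.24.0.17, as in the tcpdump
    back = gw.inbound(rep) if reverse_nat_applied else rep
    return out, back, deliver(back)


if __name__ == "__main__":
    for applied in (True, False):
        out, back, where = ping_round_trip(Gateway(), applied)
        print(f"reverse NAT applied={applied}: reply dst {back.dst} -> {where}")
```

The second run reproduces the symptom in the thread: the reply is still addressed to 172.24.0.17 when it leaves the IPsec code path, so the gateway treats it as its own traffic and Host B never sees it. The third case in the test (an identifier that does not match the recorded flow) shows that the reverse mapping depends on a conntrack hit, not just on the SNAT rule; on a 2.6.14 box the entry for the flow can be inspected in /proc/net/ip_conntrack while the ping runs.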