From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Date: Fri, 05 May 2006 13:39:29 +0000
Subject: Re: [LARTC] SNAT on IPSEC tunnel with kernel 2.6/KAME tools?
Message-Id: <445B5591.3080404@trash.net>
List-Id:
References: <200605031322.30125.subscriptions@navig.ca>
In-Reply-To: <200605031322.30125.subscriptions@navig.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

G Georgiev wrote:
> Hi,
>
> I could not conceive a working set-up for an IPSEC VPN made with racoon/setkey
> on which I have one address on my side acting as an SNAT router for all
> traffic from my network to a network segment on the far side.
>
> my network --- my gateway ---------------------- remote network
> 10.0.0.0/24 - 10.0.0.1 (10.253.0.2) -- tunnel - 192.168.0.0/22
>
> All traffic starts on my side, so if I can SNAT/MASQUERADE packets to the
> tunnel address (10.253.0.2) it shall work. This would have been possible with
> FreeSwan, as it created network interfaces (ipsec0, ipsec1, ...), however with
> setkey there is no way of making it.
>
> The VPN starts on the gateway; simply, all traffic destined to 192.168.0.0/22
> should get an SNAT to 10.253.0.2 and go via the tunnel. SNAT however is
> available only in the POSTROUTING chain, and no outgoing interface really exists
> with setkey.
>
> So, the following rule should be implemented on the gateway: "Packets going to
> 192.168.0.0/22 should be SNAT'ed to 10.253.0.2 and go via the tunnel."
>
> Some ideas?

Starting with 2.6.16 the kernel supports NAT with IPsec and includes a
"policy" match, which allows you to do similar things to the "-o ipsec0"
matching done with klips.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
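As an added illustration (not part of the thread), the rules below use the xt_policy match from the reply to replace the "-o ipsec0" test: the SNAT in nat/POSTROUTING fires only for packets the kernel's SPD will protect, and a FORWARD rule drops traffic to the remote network that has no IPsec policy, so nothing leaks in the clear if the tunnel is down. Addresses are the ones from the original mail; DRY_RUN (an assumption of this script) prints the commands instead of running iptables.

```shell
#!/bin/sh
# Added example, not from the original thread. Uses the iptables "policy"
# match (xt_policy, kernel >= 2.6.16) to SNAT traffic into an IPsec tunnel.
# Addresses come from G Georgiev's mail; DRY_RUN=1 (default) prints rules
# so they can be inspected without root or a live IPsec setup.

LAN_NET="10.0.0.0/24"        # my network behind the gateway
REMOTE_NET="192.168.0.0/22"  # network on the far side of the tunnel
TUNNEL_ADDR="10.253.0.2"     # source address packets should carry in the tunnel
: "${DRY_RUN:=1}"

# ipt: print the iptables command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# snat_rules: the policy match stands in for "-o ipsec0". Only packets for
# which an outbound IPsec policy exists (--dir out --pol ipsec) are rewritten,
# so the SNAT never applies to traffic that would leave unprotected.
snat_rules() {
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec -j SNAT --to-source "$TUNNEL_ADDR"
    # Fail closed: a packet to the remote network with no IPsec policy
    # (tunnel down, SPD misconfigured) is dropped instead of forwarded in clear.
    ipt -A FORWARD -s "$LAN_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol none -j DROP
}

# count_rules: number of rule lines snat_rules emits (self-check in dry-run).
count_rules() {
    snat_rules | wc -l | tr -d ' '
}
```

The setkey SPD entries still decide which packets the policy match sees as "ipsec"; a packet with no matching SP hits the DROP rule, which is the intended fail-closed behaviour.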