From: Jorge Davila <davila@nicaraguaopensource.com>
To: noa levy <noalevy@gmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: SNAT before IPSec
Date: Tue, 05 Jun 2007 16:59:28 -0600 [thread overview]
Message-ID: <web-17534558@bk3.webmaillogin.com> (raw)
In-Reply-To: <8bd3dfad0706051540t626bf02fk15e20eace4818b3e@mail.gmail.com>
Uhm ... well, may another approach works.
But, why reports another source IP address to the remote internal network???
Jorge Davila.
On Wed, 6 Jun 2007 01:40:34 +0300
"noa levy" <noalevy@gmail.com> wrote:
> Yes, I want to change the source IP address of the original IP packet
> before encryption.
>
> On 6/6/07, Jorge Davila <davila@nicaraguaopensource.com> wrote:
>> OK - Let me now if I'm wrong ...
>>
>> Are you trying to modify the source address of the packet before the
>>packet
>> gets encryption?
>>
>> Jorge.
>>
>> On Wed, 6 Jun 2007 00:29:51 +0300
>> "noa levy" <noalevy@gmail.com> wrote:
>> > Thanks for all the help so far.
>> > Jorge - I'm actually using the native 2.6 kernel ipsec (netkey) and
>> > not KLIPS, so I don't have the "ipsecN" virtual interfaces and can't
>> > use that.
>> > In response to Grant's reply - I think I have a problem, since I'm
>> > using the 2.6.10 kernel (can't upgrade anytime soon). Can anyone point
>> > me to where I can find the relevant ipsec patches that enable the
>> > double passage through netfilter hooks?
>> > Thanks,
>> > Noa
>> >
>> > On 6/5/07, Jorge Davila <davila@nicaraguaopensource.com> wrote:
>> >> I'm guessing that you can use the "normal" approach and apply the SNAT
>> >>rules
>> >> to the outgoing traffic flowing in the ipsec interfaces.
>> >>
>> >> The ipsec encryption algorithm is a kernel space tool and iptables is a
>> >>user
>> >> space tool to the netfilter kernel module.
>> >>
>> >> All traffic that pass the POSTROUTING chain in the NAT table is leaving
>> >>the
>> >> firewall box (through a physical interface e.g.:eth0 or through a
>>virtual
>> >> interface e.g.:ipsec0).
>> >>
>> >> Jorge Davila..
>> >>
>> >> On Tue, 5 Jun 2007 15:29:47 +0300
>> >> "noa levy" <noalevy@gmail.com> wrote:
>> >> > Hi All,
>> >> >
>> >> > I have a setup where I need to SNAT traffic that will be going out
>>via
>> >> > an IPSec tunnel. The NAT must take place before the IPSec
>> >> > encryption+encapsulation, so I need the packet to first go through
>> >> > SNAT and then match an IPSec policy. After being IPSec-ified, I need
>> >> > the packets to go through routing again.
>> >> > My question:
>> >> > SNAT takes place in POST_ROUTING. Can IPSec be applied after that? I
>> >> > have read that after IPSec the packet gets injected to LOCAL_OUT
>> >> > again, but when does the actual IPSec policy decision take place?
>> >> > Won't it happen *before* SNAT? Can I control it?
>> >> >
>> >> > Thanks,
>> >> > Noa
>> >> >
>> >> >
>> >>
>> >> Jorge Isaac Davila Lopez
>> >> Nicaragua Open Source
>> >> +505 430 5462
>> >> davila@nicaraguaopensource.com
>> >>
>> >
>>
>> Jorge Isaac Davila Lopez
>> Nicaragua Open Source
>> +505 430 5462
>> davila@nicaraguaopensource.com
>>
>
Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@nicaraguaopensource.com
next prev parent reply other threads:[~2007-06-05 22:59 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-05 12:29 SNAT before IPSec noa levy
2007-06-05 12:56 ` Yasuyuki KOZAKAI
2007-06-05 14:36 ` Grant Taylor
2007-06-05 20:15 ` Jorge Davila
2007-06-05 20:28 ` Grant Taylor
2007-06-05 20:45 ` Jorge Davila
2007-06-05 23:53 ` Grant Taylor
2007-06-06 15:39 ` Jorge Davila
2007-06-06 18:48 ` Grant Taylor
2007-06-05 21:29 ` noa levy
2007-06-05 22:40 ` Jorge Davila
2007-06-05 22:40 ` noa levy
2007-06-05 22:59 ` Jorge Davila [this message]
2007-06-05 23:05 ` noa levy
2007-06-06 15:47 ` Jorge Davila
2007-06-07 15:40 ` noa levy
2007-06-07 16:36 ` Jorge Davila
2007-06-07 17:07 ` Grant Taylor
2007-06-07 18:03 ` Grant Taylor
2007-06-07 20:57 ` Jorge Davila
2007-06-08 17:57 ` Grant Taylor
2007-06-05 22:43 ` Jorge Davila
-- strict thread matches above, loose matches on Subject: below --
2007-06-04 22:43 noa levy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=web-17534558@bk3.webmaillogin.com \
--to=davila@nicaraguaopensource.com \
--cc=netfilter@lists.netfilter.org \
--cc=noalevy@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.