From: Jorge Davila <davila@nicaraguaopensource.com>
To: gtaylor+reply@riverviewtech.net,
Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: Re: SNAT before IPSec
Date: Tue, 05 Jun 2007 14:45:05 -0600
Message-ID: <web-74831651@bk1.webmaillogin.com>
In-Reply-To: <4665C771.4040609@riverviewtech.net>

Well Grant, the IPSec standard [1] said:

    For every IPsec implementation, there MUST be an administrative
    interface that allows a user or system administrator to manage the
    SPD. Specifically, every inbound or outbound packet is subject to
    processing by IPsec and the SPD must specify what action will be
    taken in each case. Thus the administrative interface must allow the
    user (or system administrator) to specify the security processing to
    be applied to any packet entering or exiting the system, on a packet
    by packet basis.

Best regards,

Jorge Davila.

[1] http://www.ietf.org/rfc/rfc2401.txt

On Tue, 05 Jun 2007 15:28:33 -0500
Grant Taylor <gtaylor@riverviewtech.net> wrote:
> On 06/05/07 15:15, Jorge Davila wrote:
>> I'm guessing that you can use the "normal" approach and apply the SNAT
>> rules to the outgoing traffic flowing in the ipsec interfaces.
>
> ...
>
>> All traffic that pass the POSTROUTING chain in the NAT table is leaving
>> the firewall box (through a physical interface e.g.:eth0 or through a
>> virtual interface e.g.:ipsec0).
>
> Um, correct me if I'm wrong, but not all IPSec implementations create an
> interface any more.
>
>
>
> Grant. . . .
>
>
Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@nicaraguaopensource.com
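
Added example, not part of the original message or of any IPsec implementation: a minimal Python model of the per-packet SPD decision that the RFC 2401 passage quoted above describes, evaluated for one packet with its original source address and with a SNAT-rewritten one. The addresses, the policy entries, the `snat` helper and the drop-on-no-match default are assumptions made for illustration.

```python
# Minimal model of an RFC 2401 Security Policy Database (SPD) lookup.
# All addresses, policy entries and the NAT rule are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 2401 gives every packet one of three processing choices.
DISCARD, BYPASS, APPLY = "discard", "bypass IPsec", "apply IPsec"


@dataclass(frozen=True)
class Policy:
    src: str     # source selector (CIDR)
    dst: str     # destination selector (CIDR)
    action: str  # DISCARD, BYPASS or APPLY

    def matches(self, src, dst):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


# Ordered SPD: the first matching entry decides; the last entry is a catch-all.
SPD = [
    Policy("192.168.10.0/24", "10.20.0.0/16", APPLY),   # tunnel selector
    Policy("192.168.1.0/24", "10.20.0.0/16", DISCARD),  # LAN may not reach the peer unprotected
    Policy("0.0.0.0/0", "0.0.0.0/0", BYPASS),           # everything else goes in the clear
]


def spd_lookup(src, dst, spd=SPD):
    """Return the action of the first SPD entry whose selectors match."""
    for policy in spd:
        if policy.matches(src, dst):
            return policy.action
    return DISCARD  # this model drops a packet that no entry covers


def snat(src, nat_from, nat_to):
    """Hypothetical SNAT rule: rewrite src to nat_to when it lies in nat_from."""
    return nat_to if ip_address(src) in ip_network(nat_from) else src


if __name__ == "__main__":
    pkt_src, pkt_dst = "192.168.1.25", "10.20.3.4"
    natted = snat(pkt_src, "192.168.1.0/24", "192.168.10.1")
    print("original source:", pkt_src, "->", spd_lookup(pkt_src, pkt_dst))
    print("after SNAT:     ", natted, "->", spd_lookup(natted, pkt_dst))
```

The same packet hits a different SPD entry depending on which source address it carries when the lookup happens, so the selectors have to be written for the address the IPsec layer actually sees.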