Re: SNAT before IPSec - Jorge Davila

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jorge Davila <davila@nicaraguaopensource.com>
To: noa levy <noalevy@gmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: SNAT before IPSec
Date: Thu, 07 Jun 2007 10:36:28 -0600	[thread overview]
Message-ID: <web-75021604@bk1.webmaillogin.com> (raw)
In-Reply-To: <8bd3dfad0706070840i2b80fa4bl5a9a4ae5973b0e01@mail.gmail.com>

Noa,

What can I tell you? You are on your own way ....

My last suggest is use OpenVPN and IPSec.

Best regards,

Jorge Davila.

On Thu, 7 Jun 2007 18:40:35 +0300
  "noa levy" <noalevy@gmail.com> wrote:
> Well, I agree with you in principle, but it's been this way for years,
> so routing practices are in place to handle it. I'm trying to recreate
> the setup we have now, which is using commercial VPN gateways, with
> Linux-based ones, but the addressing scheme is a given, I have no
> control over it
> 
> On 6/6/07, Jorge Davila <davila@nicaraguaopensource.com> wrote:
>> Ah!!!!
>>
>> Noa, in my humble opinion, you *must* assign new addresses to the internal
>> networks. You may will live a routing nightmare if you decides stay with 
>>the
>> actual address assignment.
>>
>> Best regards,
>>
>> Jorge Davila.
>>
>> On Wed, 6 Jun 2007 02:05:53 +0300
>>  "noa levy" <noalevy@gmail.com> wrote:
>> > The situation here is that several geographically diverse parts of the
>> > network (several branches of the same company) use the same internal
>> > addressing space. This was done to make it easy to centrally configure
>> > the branches. As a result, however, when talking to the center via
>> > VPN, we have to map each branch's network to another network allocated
>> > by the center.
>> >
>> > Noa
>> >
>> > On 6/6/07, Jorge Davila <davila@nicaraguaopensource.com> wrote:
>> >> Uhm ... well, may another approach works.
>> >>
>> >> But, why reports another source IP address to the remote internal
>> >>network???
>> >>
>> >> Jorge Davila.
>> >>
>> >> On Wed, 6 Jun 2007 01:40:34 +0300
>> >>  "noa levy" <noalevy@gmail.com> wrote:
>> >> > Yes, I want to change the source IP address of the original IP packet
>> >> > before encryption.
>> >> >
>> >> > On 6/6/07, Jorge Davila <davila@nicaraguaopensource.com> wrote:
>> >> >> OK - Let me now if I'm wrong ...
>> >> >>
>> >> >> Are you trying to modify the source address of the packet before the
>> >> >>packet
>> >> >> gets encryption?
>> >> >>
>> >> >> Jorge.
>> >> >>
>> >> >> On Wed, 6 Jun 2007 00:29:51 +0300
>> >> >>  "noa levy" <noalevy@gmail.com> wrote:
>> >> >> > Thanks for all the help so far.
>> >> >> > Jorge - I'm actually using the native 2.6 kernel ipsec (netkey) 
>>and
>> >> >> > not KLIPS, so I don't have the "ipsecN" virtual interfaces and 
>>can't
>> >> >> > use that.
>> >> >> > In response to Grant's reply - I think I have a problem, since I'm
>> >> >> > using the 2.6.10 kernel (can't upgrade anytime soon). Can anyone
>> >>point
>> >> >> > me to where I can find the relevant ipsec patches that enable the
>> >> >> > double passage through netfilter hooks?
>> >> >> > Thanks,
>> >> >> > Noa
>> >> >> >
>> >> >> > On 6/5/07, Jorge Davila <davila@nicaraguaopensource.com> wrote:
>> >> >> >> I'm guessing that you can use the "normal" approach and apply the
>> >>SNAT
>> >> >> >>rules
>> >> >> >> to the outgoing traffic flowing in the ipsec interfaces.
>> >> >> >>
>> >> >> >> The ipsec encryption algorithm is a kernel space tool and 
>>iptables
>> >>is a
>> >> >> >>user
>> >> >> >> space tool to the netfilter kernel module.
>> >> >> >>
>> >> >> >> All traffic that pass the POSTROUTING chain in the NAT table is
>> >>leaving
>> >> >> >>the
>> >> >> >> firewall box (through a physical interface e.g.:eth0 or through a
>> >> >>virtual
>> >> >> >> interface e.g.:ipsec0).
>> >> >> >>
>> >> >> >> Jorge Davila..
>> >> >> >>
>> >> >> >> On Tue, 5 Jun 2007 15:29:47 +0300
>> >> >> >>  "noa levy" <noalevy@gmail.com> wrote:
>> >> >> >> > Hi All,
>> >> >> >> >
>> >> >> >> > I have a setup where I need to SNAT traffic that will be going 
>>out
>> >> >>via
>> >> >> >> > an IPSec tunnel. The NAT must take place before the IPSec
>> >> >> >> > encryption+encapsulation, so I need the packet to first go 
>>through
>> >> >> >> > SNAT and then match an IPSec policy. After being IPSec-ified, I
>> >>need
>> >> >> >> > the packets to go through routing again.
>> >> >> >> > My question:
>> >> >> >> > SNAT takes place in POST_ROUTING. Can IPSec be applied after 
>>that?
>> >>I
>> >> >> >> > have read that after IPSec the packet gets injected to 
>>LOCAL_OUT
>> >> >> >> > again, but when does the actual IPSec policy decision take 
>>place?
>> >> >> >> > Won't it happen *before* SNAT? Can I control it?
>> >> >> >> >
>> >> >> >> > Thanks,
>> >> >> >> > Noa
>> >> >> >> >
>> >> >> >> >
>> >> >> >>
>> >> >> >> Jorge Isaac Davila Lopez
>> >> >> >> Nicaragua Open Source
>> >> >> >> +505 430 5462
>> >> >> >> davila@nicaraguaopensource.com
>> >> >> >>
>> >> >> >
>> >> >>
>> >> >> Jorge Isaac Davila Lopez
>> >> >> Nicaragua Open Source
>> >> >> +505 430 5462
>> >> >> davila@nicaraguaopensource.com
>> >> >>
>> >> >
>> >>
>> >> Jorge Isaac Davila Lopez
>> >> Nicaragua Open Source
>> >> +505 430 5462
>> >> davila@nicaraguaopensource.com
>> >>
>> >
>>
>> Jorge Isaac Davila Lopez
>> Nicaragua Open Source
>> +505 430 5462
>> davila@nicaraguaopensource.com
>>
> 

Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@nicaraguaopensource.com

next prev parent reply	other threads:[~2007-06-07 16:36 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-06-05 12:29 SNAT before IPSec noa levy
2007-06-05 12:56 ` Yasuyuki KOZAKAI
2007-06-05 14:36 ` Grant Taylor
2007-06-05 20:15 ` Jorge Davila
2007-06-05 20:28   ` Grant Taylor
2007-06-05 20:45     ` Jorge Davila
2007-06-05 23:53       ` Grant Taylor
2007-06-06 15:39         ` Jorge Davila
2007-06-06 18:48           ` Grant Taylor
2007-06-05 21:29   ` noa levy
2007-06-05 22:40     ` Jorge Davila
2007-06-05 22:40       ` noa levy
2007-06-05 22:59         ` Jorge Davila
2007-06-05 23:05           ` noa levy
2007-06-06 15:47             ` Jorge Davila
2007-06-07 15:40               ` noa levy
2007-06-07 16:36                 ` Jorge Davila [this message]
2007-06-07 17:07                 ` Grant Taylor
2007-06-07 18:03                   ` Grant Taylor
2007-06-07 20:57                     ` Jorge Davila
2007-06-08 17:57                       ` Grant Taylor
2007-06-05 22:43     ` Jorge Davila
  -- strict thread matches above, loose matches on Subject: below --
2007-06-04 22:43 noa levy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=web-75021604@bk1.webmaillogin.com \
    --to=davila@nicaraguaopensource.com \
    --cc=netfilter@lists.netfilter.org \
    --cc=noalevy@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.