Linux Netfilter discussions
From: RUMI Szabolcs <rumi_ml@rtfm.hu>
To: netfilter@vger.kernel.org
Cc: Marco Berizzi <pupilla@hotmail.com>
Subject: Re: MASQUERADE/SNAT before IPsec
Date: Mon, 4 Feb 2008 12:26:42 +0100
Message-ID: <20080204122642.dbfd94e3.rumi_ml@rtfm.hu>
In-Reply-To: <BAY103-DAV11310E55CA4ED35DB98CE7B2330@phx.gbl>

On Mon, 4 Feb 2008 10:48:51 +0100
"Marco Berizzi" <pupilla@hotmail.com> wrote:

> RUMI Szabolcs wrote:
> 
> > iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -d 164.99.192.0/22 -j SNAT --to-source 164.99.195.8
> 
> > The IP address in --to-source 164.99.195.8  is the one that was
> > dynamically allocated by the remote corporate VPN concentrator
> > (not under my control) at the time I've tested the setup.
> 
> > I cannot make an iproute2 dump because I'm using the oldskool
> 
> which ike/ipsec implementation are you using?

On the kernel level I'm using the one that comes with the 2.6 kernel,
so USAGI I guess.

On the userspace level I'm using ipsec-tools-0.6.3_turnpike which is
a special version maintained by Novell that allows us to use their
proprietary Nortel Contivity binary IPsec plugins which are needed
to connect to the corporate VPN. It is using some nasty non-standard
proprietary authentication mechanism in order to be non-compatible
with free implementations but I doubt that my problem is caused by
this.

http://forge.novell.com/modules/xfcontent/downloads.php/turnpike/ipsec-tools-0.6.3/

> > and goes through iptables and gets NATed in the POSTROUTING
> > chain it goes straight out to eth0 and it does not get
> > reevaluated whether it should be handled by IPsec.
> 
> mhhh which kernel version?

To be exact it's 2.6.22-gentoo-r9 from Gentoo Linux.
You can find patch information here:

http://dev.gentoo.org/~dsd/genpatches/patches-2.6.22-9.htm

Thanks!

Best regards,
Sab
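A consistency check for the setup discussed in this thread, added here as an example and not part of any message above: it parses an iptables-save dump and `ip xfrm policy` output and reports every nat POSTROUTING SNAT rule whose --to-source address lies outside the source selector of all `dir out` policies that cover the same destination. The sample inputs are constructed from the addresses quoted in the thread; the tunnel endpoints 192.0.2.1 and 198.51.100.1 are documentation addresses, not from the thread, and the function names are mine. The check makes no claim about whether the kernel re-evaluates the policy after NAT; it only shows whether the policy selector and the NAT source agree.

```python
"""Check that every SNAT --to-source address in nat/POSTROUTING falls
inside the source selector of some outbound IPsec policy covering the
same destination.  Added example, not code from the thread."""
import ipaddress
import shlex

# Constructed sample input in iptables-save format (not a real dump).
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.1.1.0/24 -d 164.99.192.0/22 -j SNAT --to-source 164.99.195.8
-A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed sample input in `ip xfrm policy` format.  The out-policy
# selector covers the private LAN, not the SNAT address, so the SNAT
# rule above is flagged.  Tunnel endpoints are documentation addresses.
XFRM_POLICY = """\
src 10.1.1.0/24 dst 164.99.192.0/22
	dir out priority 0
	tmpl src 192.0.2.1 dst 198.51.100.1
		proto esp reqid 1 mode tunnel
src 164.99.192.0/22 dst 10.1.1.0/24
	dir in priority 0
	tmpl src 198.51.100.1 dst 192.0.2.1
		proto esp reqid 1 mode tunnel
"""

# Same policy set with the out selector written for the post-NAT source.
XFRM_POLICY_POSTNAT = XFRM_POLICY.replace(
    "src 10.1.1.0/24 dst 164.99.192.0/22", "src 164.99.195.8/32 dst 164.99.192.0/22")


def parse_snat_rules(iptables_save):
    """Return SNAT rules from the nat table's POSTROUTING chain.
    Negated matches ("! -s ...") are not interpreted."""
    rules = []
    in_nat = False
    for line in iptables_save.splitlines():
        if line.startswith("*"):
            in_nat = (line == "*nat")
            continue
        if not in_nat or not line.startswith("-A POSTROUTING"):
            continue
        toks = shlex.split(line)
        rule = {"src": None, "dst": None, "target": None, "to_source": None}
        i = 0
        while i < len(toks):
            t = toks[i]
            if t in ("-s", "--source"):
                rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
                i += 2
            elif t in ("-d", "--destination"):
                rule["dst"] = ipaddress.ip_network(toks[i + 1], strict=False)
                i += 2
            elif t == "-j":
                rule["target"] = toks[i + 1]
                i += 2
            elif t == "--to-source":
                # "a.b.c.d", "a.b.c.d-e.f.g.h" or "a.b.c.d:port-port"; use the first address
                rule["to_source"] = toks[i + 1].split("-")[0].split(":")[0]
                i += 2
            else:
                i += 1
        if rule["target"] == "SNAT" and rule["to_source"]:
            rules.append(rule)
    return rules


def parse_out_policies(xfrm_policy):
    """Return the (src, dst) selectors of every `dir out` policy."""
    policies = []
    current = None
    for line in xfrm_policy.splitlines():
        s = line.strip()
        if s.startswith("src "):          # a "tmpl src ..." line does not start with "src "
            toks = s.split()
            current = {"src": ipaddress.ip_network(toks[1], strict=False),
                       "dst": ipaddress.ip_network(toks[3], strict=False),
                       "dir": None}
            policies.append(current)
        elif s.startswith("dir ") and current is not None:
            current["dir"] = s.split()[1]
    return [p for p in policies if p["dir"] == "out"]


def find_uncovered_snat(iptables_save, xfrm_policy):
    """For each SNAT rule whose --to-source is outside every out-policy
    selector for its destination, return (to_source, dst, pre_nat_covered),
    where pre_nat_covered tells whether the rule's original -s range would
    have matched such a policy instead."""
    policies = parse_out_policies(xfrm_policy)
    findings = []
    for rule in parse_snat_rules(iptables_save):
        nat_src = ipaddress.ip_address(rule["to_source"])
        dst = rule["dst"] or ipaddress.ip_network("0.0.0.0/0")
        matching = [p for p in policies if p["dst"].overlaps(dst)]
        if any(nat_src in p["src"] for p in matching):
            continue
        pre_nat = rule["src"] or ipaddress.ip_network("0.0.0.0/0")
        pre_nat_covered = any(p["src"].overlaps(pre_nat) for p in matching)
        findings.append((str(nat_src), str(dst), pre_nat_covered))
    return findings


if __name__ == "__main__":
    for to_source, dst, pre in find_uncovered_snat(IPTABLES_SAVE, XFRM_POLICY):
        print("SNAT to %s for %s is outside every out policy (pre-NAT source matched: %s)"
              % (to_source, dst, pre))
```

The MASQUERADE rule is ignored because it carries no fixed source; the check only covers SNAT with an explicit --to-source. Policies managed with setkey rather than iproute2 would need a parser for `setkey -DP` output instead, and a --to-source that is handed out dynamically by the remote concentrator, as in the thread, has to be re-checked every time it changes.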


Thread overview: 6+ messages
2008-02-02 21:00 MASQUERADE/SNAT before IPsec RUMI Szabolcs
     [not found] ` <BAY103-DAV9E97CD56D54A10E4D90C4B2310@phx.gbl>
2008-02-03  0:10   ` RUMI Szabolcs
2008-02-03 13:18     ` Marco Berizzi
2008-02-03 18:19       ` RUMI Szabolcs
2008-02-04  9:48         ` Marco Berizzi
2008-02-04 11:26           ` RUMI Szabolcs [this message]
