From: Daniel Lopes <lopsch@lopsch.com>
To: netfilter@lists.netfilter.org
Subject: Re: Iptables, nat, and IPSec
Date: Wed, 06 Apr 2005 04:10:11 +0200
Message-ID: <42534503.2070801@lopsch.com>
In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAqrTb2LYes02Oflamihm4w8KAAAAQAAAA4U2BieFWiUege5oTSkUNnQEAAAAA@rogers.com>
dave beach wrote:
> I have a class C private net behind both a dedicated linux/iptables box and
> a Linksys BEFSR41 broadband router. Traffic outbound from the iptables box
> to the router is DNATted to that machine's "external" (but still private) IP
> by iptables, and NATted again by the router to ITS external (public) IP.
> Everything works fine, except...
>
> I need to be able to run two concurrent passthrough IPSec sessions outbound
> through that configuration. Singly, they work fine. When run concurrently,
> the second one to try and connect to the office VPN (the IPSec requirement)
> fails.
>
> Digging through Linksys documentation reveals that this particular router
> will not support more than one passthrough IPSec session. Before I go and
> drop money on a replacement router (such as the BEFSX41), are there inherent
> limitations with iptables (or, probably more accurately) with NAT/IPSec
> generally, that would render such a purchase a waste of money in that it
> wouldn't solve my problem?
>
> Of course, I COULD bypass the iptables box and plug the second connecting
> device right into the (new) router, but I'd rather not do that if I don't
> have to.
>
>
It's an IPSec problem. I don't want to go into detail, but you probably
should try NAT-Traversal.
For the theory: http://www.ipsec-howto.org/x180.html
And the outbound traffic from the linux box to the router is probably
SNATed ;).
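The reason a plain NAT router can carry only one IPSec passthrough session, and why NAT-Traversal fixes it, can be shown with a small simulation. This is an added example, not code from the thread or from the netfilter project: it models a toy port-address-translating router with two LAN hosts behind it and one office VPN gateway (all addresses constructed from documentation ranges). ESP (IP protocol 50) has no port numbers, so the NAT can only key a return mapping on the remote peer, and a second host's session to the same gateway cannot be distinguished. With NAT-T the same ESP is wrapped in UDP on port 4500, so each host gets its own public port mapping. The exact behaviour of a real consumer router varies (some track the ESP SPI); the "first session owns the peer" rule here is an assumption for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (documentation ranges, not from the thread):
# two LAN hosts behind one NAT router, and one office VPN gateway.
LAN_A = "192.168.1.10"
LAN_B = "192.168.1.11"
NAT_PUBLIC = "203.0.113.5"
VPN_GW = "198.51.100.1"


@dataclass(frozen=True)
class Packet:
    proto: str                   # "esp" (IP protocol 50) or "udp"
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP: it carries no port numbers
    dport: Optional[int] = None
    spi: Optional[int] = None    # ESP Security Parameters Index (opaque to this NAT)


class SimpleNat:
    """Toy port-address translation (PAT) box, a simplified stand-in for a
    consumer router (assumption, not any vendor's actual behaviour). Flows
    with ports get a unique public port each; a flow without ports can only
    be keyed on (protocol, remote peer), so one inside host owns that key."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        self.out_map = {}    # (proto, inside_ip, inside_port) -> public port
        self.in_map = {}     # (proto, public port) -> (inside_ip, inside_port)
        self.portless = {}   # (proto, remote_ip) -> inside_ip (single owner)

    def translate_out(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an inside->outside packet, or return None when no distinct
        mapping can be created (the flow would be dropped or mis-delivered)."""
        if pkt.sport is None:
            key = (pkt.proto, pkt.dst)
            owner = self.portless.setdefault(key, pkt.src)
            if owner != pkt.src:
                # A second inside host sending ESP to the same peer: returning
                # ESP from that peer could not be told apart, so refuse it.
                return None
            return Packet(pkt.proto, self.public_ip, pkt.dst, spi=pkt.spi)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_map:
            public_port = self.next_port
            self.next_port += 1
            self.out_map[key] = public_port
            self.in_map[(pkt.proto, public_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst,
                      self.out_map[key], pkt.dport, pkt.spi)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an outside->inside packet using the existing mappings."""
        if pkt.dport is None:
            owner = self.portless.get((pkt.proto, pkt.src))
            if owner is None:
                return None
            return Packet(pkt.proto, pkt.src, owner, spi=pkt.spi)
        inside = self.in_map.get((pkt.proto, pkt.dport))
        if inside is None:
            return None
        return Packet(pkt.proto, pkt.src, inside[0], pkt.sport, inside[1], pkt.spi)


def concurrent_sessions(use_nat_t: bool) -> dict:
    """Send two LAN hosts' ESP traffic to the same VPN gateway through the NAT,
    either as raw ESP or UDP-encapsulated on port 4500 (NAT-T), and report
    where each host's return traffic ends up."""
    nat = SimpleNat(NAT_PUBLIC)
    outcome = {}
    for name, host, spi in (("A", LAN_A, 0x1001), ("B", LAN_B, 0x1002)):
        if use_nat_t:
            outbound = Packet("udp", host, VPN_GW, sport=4500, dport=4500, spi=spi)
        else:
            outbound = Packet("esp", host, VPN_GW, spi=spi)
        forwarded = nat.translate_out(outbound)
        if forwarded is None:
            outcome[name] = "dropped: no distinct NAT mapping"
            continue
        # The gateway answers to whatever source it saw on the wire.
        reply = Packet(forwarded.proto, VPN_GW, forwarded.src,
                       sport=forwarded.dport, dport=forwarded.sport, spi=spi)
        delivered = nat.translate_in(reply)
        outcome[name] = "delivered to " + delivered.dst if delivered else "reply dropped"
    return outcome


if __name__ == "__main__":
    print("raw ESP:", concurrent_sessions(use_nat_t=False))
    print("NAT-T  :", concurrent_sessions(use_nat_t=True))
```

In practice NAT-T is negotiated inside IKE (UDP 500, moving to UDP 4500 once a NAT is detected), so both the clients and the office gateway must support it, and the iptables box and the router must let UDP 500 and 4500 through; whether ESP itself is passed no longer matters for the encapsulated sessions.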
Thread overview: 7+ messages
2005-04-06 1:47 Iptables, nat, and IPSec dave beach
2005-04-06 2:10 ` Daniel Lopes [this message]
2005-04-06 2:30 ` dave beach
2005-04-06 11:10 ` dave beach
2005-04-06 11:42 ` John A. Sullivan III
2005-04-06 17:03 ` Daniel Lopes
2005-04-06 22:42 ` dave beach