From: Jorge Davila <davila@nicaraguaopensource.com>
To: noa levy <noalevy@gmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: SNAT before IPSec
Date: Tue, 05 Jun 2007 16:59:28 -0600 [thread overview]
Message-ID: <web-17534558@bk3.webmaillogin.com> (raw)
In-Reply-To: <8bd3dfad0706051540t626bf02fk15e20eace4818b3e@mail.gmail.com>
Uhm ... well, may another approach works.
But, why reports another source IP address to the remote internal network???
Jorge Davila.
On Wed, 6 Jun 2007 01:40:34 +0300
"noa levy" <noalevy@gmail.com> wrote:
> Yes, I want to change the source IP address of the original IP packet
> before encryption.
>
> On 6/6/07, Jorge Davila <davila@nicaraguaopensource.com> wrote:
>> OK - Let me now if I'm wrong ...
>>
>> Are you trying to modify the source address of the packet before the
>>packet
>> gets encryption?
>>
>> Jorge.
>>
>> On Wed, 6 Jun 2007 00:29:51 +0300
>> "noa levy" <noalevy@gmail.com> wrote:
>> > Thanks for all the help so far.
>> > Jorge - I'm actually using the native 2.6 kernel ipsec (netkey) and
>> > not KLIPS, so I don't have the "ipsecN" virtual interfaces and can't
>> > use that.
>> > In response to Grant's reply - I think I have a problem, since I'm
>> > using the 2.6.10 kernel (can't upgrade anytime soon). Can anyone point
>> > me to where I can find the relevant ipsec patches that enable the
>> > double passage through netfilter hooks?
>> > Thanks,
>> > Noa
>> >
>> > On 6/5/07, Jorge Davila <davila@nicaraguaopensource.com> wrote:
>> >> I'm guessing that you can use the "normal" approach and apply the SNAT
>> >>rules
>> >> to the outgoing traffic flowing in the ipsec interfaces.
>> >>
>> >> The ipsec encryption algorithm is a kernel space tool and iptables is a
>> >>user
>> >> space tool to the netfilter kernel module.
>> >>
>> >> All traffic that pass the POSTROUTING chain in the NAT table is leaving
>> >>the
>> >> firewall box (through a physical interface e.g.:eth0 or through a
>>virtual
>> >> interface e.g.:ipsec0).
>> >>
>> >> Jorge Davila..
>> >>
>> >> On Tue, 5 Jun 2007 15:29:47 +0300
>> >> "noa levy" <noalevy@gmail.com> wrote:
>> >> > Hi All,
>> >> >
>> >> > I have a setup where I need to SNAT traffic that will be going out
>>via
>> >> > an IPSec tunnel. The NAT must take place before the IPSec
>> >> > encryption+encapsulation, so I need the packet to first go through
>> >> > SNAT and then match an IPSec policy. After being IPSec-ified, I need
>> >> > the packets to go through routing again.
>> >> > My question:
>> >> > SNAT takes place in POST_ROUTING. Can IPSec be applied after that? I
>> >> > have read that after IPSec the packet gets injected to LOCAL_OUT
>> >> > again, but when does the actual IPSec policy decision take place?
>> >> > Won't it happen *before* SNAT? Can I control it?
>> >> >
>> >> > Thanks,
>> >> > Noa
>> >> >
>> >> >
>> >>
>> >> Jorge Isaac Davila Lopez
>> >> Nicaragua Open Source
>> >> +505 430 5462
>> >> davila@nicaraguaopensource.com
>> >>
>> >
>>
>> Jorge Isaac Davila Lopez
>> Nicaragua Open Source
>> +505 430 5462
>> davila@nicaraguaopensource.com
>>
>
Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@nicaraguaopensource.com
next prev parent reply other threads:[~2007-06-05 22:59 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-05 12:29 SNAT before IPSec noa levy
2007-06-05 12:56 ` Yasuyuki KOZAKAI
2007-06-05 14:36 ` Grant Taylor
2007-06-05 20:15 ` Jorge Davila
2007-06-05 20:28 ` Grant Taylor
2007-06-05 20:45 ` Jorge Davila
2007-06-05 23:53 ` Grant Taylor
2007-06-06 15:39 ` Jorge Davila
2007-06-06 18:48 ` Grant Taylor
2007-06-05 21:29 ` noa levy
2007-06-05 22:40 ` Jorge Davila
2007-06-05 22:40 ` noa levy
2007-06-05 22:59 ` Jorge Davila [this message]
2007-06-05 23:05 ` noa levy
2007-06-06 15:47 ` Jorge Davila
2007-06-07 15:40 ` noa levy
2007-06-07 16:36 ` Jorge Davila
2007-06-07 17:07 ` Grant Taylor
2007-06-07 18:03 ` Grant Taylor
2007-06-07 20:57 ` Jorge Davila
2007-06-08 17:57 ` Grant Taylor
2007-06-05 22:43 ` Jorge Davila
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=web-17534558@bk3.webmaillogin.com \
--to=davila@nicaraguaopensource.com \
--cc=netfilter@lists.netfilter.org \
--cc=noalevy@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox