Re: SNAT before IPSec - Jorge Davila

Linux Netfilter discussions
 help / color / mirror / Atom feed

From: Jorge Davila <davila@nicaraguaopensource.com>
To: noa levy <noalevy@gmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: SNAT before IPSec
Date: Thu, 07 Jun 2007 10:36:28 -0600	[thread overview]
Message-ID: <web-75021604@bk1.webmaillogin.com> (raw)
In-Reply-To: <8bd3dfad0706070840i2b80fa4bl5a9a4ae5973b0e01@mail.gmail.com>

Noa,

What can I tell you? You are on your own way ....

My last suggest is use OpenVPN and IPSec.

Best regards,

Jorge Davila.

On Thu, 7 Jun 2007 18:40:35 +0300
  "noa levy" <noalevy@gmail.com> wrote:
> Well, I agree with you in principle, but it's been this way for years,
> so routing practices are in place to handle it. I'm trying to recreate
> the setup we have now, which is using commercial VPN gateways, with
> Linux-based ones, but the addressing scheme is a given, I have no
> control over it
> 
> On 6/6/07, Jorge Davila <davila@nicaraguaopensource.com> wrote:
>> Ah!!!!
>>
>> Noa, in my humble opinion, you *must* assign new addresses to the internal
>> networks. You may will live a routing nightmare if you decides stay with 
>>the
>> actual address assignment.
>>
>> Best regards,
>>
>> Jorge Davila.
>>
>> On Wed, 6 Jun 2007 02:05:53 +0300
>>  "noa levy" <noalevy@gmail.com> wrote:
>> > The situation here is that several geographically diverse parts of the
>> > network (several branches of the same company) use the same internal
>> > addressing space. This was done to make it easy to centrally configure
>> > the branches. As a result, however, when talking to the center via
>> > VPN, we have to map each branch's network to another network allocated
>> > by the center.
>> >
>> > Noa
>> >
>> > On 6/6/07, Jorge Davila <davila@nicaraguaopensource.com> wrote:
>> >> Uhm ... well, may another approach works.
>> >>
>> >> But, why reports another source IP address to the remote internal
>> >>network???
>> >>
>> >> Jorge Davila.
>> >>
>> >> On Wed, 6 Jun 2007 01:40:34 +0300
>> >>  "noa levy" <noalevy@gmail.com> wrote:
>> >> > Yes, I want to change the source IP address of the original IP packet
>> >> > before encryption.
>> >> >
>> >> > On 6/6/07, Jorge Davila <davila@nicaraguaopensource.com> wrote:
>> >> >> OK - Let me now if I'm wrong ...
>> >> >>
>> >> >> Are you trying to modify the source address of the packet before the
>> >> >>packet
>> >> >> gets encryption?
>> >> >>
>> >> >> Jorge.
>> >> >>
>> >> >> On Wed, 6 Jun 2007 00:29:51 +0300
>> >> >>  "noa levy" <noalevy@gmail.com> wrote:
>> >> >> > Thanks for all the help so far.
>> >> >> > Jorge - I'm actually using the native 2.6 kernel ipsec (netkey) 
>>and
>> >> >> > not KLIPS, so I don't have the "ipsecN" virtual interfaces and 
>>can't
>> >> >> > use that.
>> >> >> > In response to Grant's reply - I think I have a problem, since I'm
>> >> >> > using the 2.6.10 kernel (can't upgrade anytime soon). Can anyone
>> >>point
>> >> >> > me to where I can find the relevant ipsec patches that enable the
>> >> >> > double passage through netfilter hooks?
>> >> >> > Thanks,
>> >> >> > Noa
>> >> >> >
>> >> >> > On 6/5/07, Jorge Davila <davila@nicaraguaopensource.com> wrote:
>> >> >> >> I'm guessing that you can use the "normal" approach and apply the
>> >>SNAT
>> >> >> >>rules
>> >> >> >> to the outgoing traffic flowing in the ipsec interfaces.
>> >> >> >>
>> >> >> >> The ipsec encryption algorithm is a kernel space tool and 
>>iptables
>> >>is a
>> >> >> >>user
>> >> >> >> space tool to the netfilter kernel module.
>> >> >> >>
>> >> >> >> All traffic that pass the POSTROUTING chain in the NAT table is
>> >>leaving
>> >> >> >>the
>> >> >> >> firewall box (through a physical interface e.g.:eth0 or through a
>> >> >>virtual
>> >> >> >> interface e.g.:ipsec0).
>> >> >> >>
>> >> >> >> Jorge Davila..
>> >> >> >>
>> >> >> >> On Tue, 5 Jun 2007 15:29:47 +0300
>> >> >> >>  "noa levy" <noalevy@gmail.com> wrote:
>> >> >> >> > Hi All,
>> >> >> >> >
>> >> >> >> > I have a setup where I need to SNAT traffic that will be going 
>>out
>> >> >>via
>> >> >> >> > an IPSec tunnel. The NAT must take place before the IPSec
>> >> >> >> > encryption+encapsulation, so I need the packet to first go 
>>through
>> >> >> >> > SNAT and then match an IPSec policy. After being IPSec-ified, I
>> >>need
>> >> >> >> > the packets to go through routing again.
>> >> >> >> > My question:
>> >> >> >> > SNAT takes place in POST_ROUTING. Can IPSec be applied after 
>>that?
>> >>I
>> >> >> >> > have read that after IPSec the packet gets injected to 
>>LOCAL_OUT
>> >> >> >> > again, but when does the actual IPSec policy decision take 
>>place?
>> >> >> >> > Won't it happen *before* SNAT? Can I control it?
>> >> >> >> >
>> >> >> >> > Thanks,
>> >> >> >> > Noa
>> >> >> >> >
>> >> >> >> >
>> >> >> >>
>> >> >> >> Jorge Isaac Davila Lopez
>> >> >> >> Nicaragua Open Source
>> >> >> >> +505 430 5462
>> >> >> >> davila@nicaraguaopensource.com
>> >> >> >>
>> >> >> >
>> >> >>
>> >> >> Jorge Isaac Davila Lopez
>> >> >> Nicaragua Open Source
>> >> >> +505 430 5462
>> >> >> davila@nicaraguaopensource.com
>> >> >>
>> >> >
>> >>
>> >> Jorge Isaac Davila Lopez
>> >> Nicaragua Open Source
>> >> +505 430 5462
>> >> davila@nicaraguaopensource.com
>> >>
>> >
>>
>> Jorge Isaac Davila Lopez
>> Nicaragua Open Source
>> +505 430 5462
>> davila@nicaraguaopensource.com
>>
> 

Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@nicaraguaopensource.com

next prev parent reply	other threads:[~2007-06-07 16:36 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-06-05 12:29 SNAT before IPSec noa levy
2007-06-05 12:56 ` Yasuyuki KOZAKAI
2007-06-05 14:36 ` Grant Taylor
2007-06-05 20:15 ` Jorge Davila
2007-06-05 20:28   ` Grant Taylor
2007-06-05 20:45     ` Jorge Davila
2007-06-05 23:53       ` Grant Taylor
2007-06-06 15:39         ` Jorge Davila
2007-06-06 18:48           ` Grant Taylor
2007-06-05 21:29   ` noa levy
2007-06-05 22:40     ` Jorge Davila
2007-06-05 22:40       ` noa levy
2007-06-05 22:59         ` Jorge Davila
2007-06-05 23:05           ` noa levy
2007-06-06 15:47             ` Jorge Davila
2007-06-07 15:40               ` noa levy
2007-06-07 16:36                 ` Jorge Davila [this message]
2007-06-07 17:07                 ` Grant Taylor
2007-06-07 18:03                   ` Grant Taylor
2007-06-07 20:57                     ` Jorge Davila
2007-06-08 17:57                       ` Grant Taylor
2007-06-05 22:43     ` Jorge Davila

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=web-75021604@bk1.webmaillogin.com \
    --to=davila@nicaraguaopensource.com \
    --cc=netfilter@lists.netfilter.org \
    --cc=noalevy@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox