Re: SNAT on IPSEC tunnel with kernel 2.6/KAME tools?

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



G Georgiev wrote:
>        OK,
> 
>         Found a solution - if some is interested - assigned the near end of 
> the IPSEC tunnel address to the internal interface; this way got a 
> POSTROUTING chain available and did an SNAT there:
> 
> ip addr add 10.253.0.2 dev eth0;
> ip route add to unicast 192.168.4.0/24 via 10.253.0.2
> iptables -t nat -A POSTROUTING -d 192.168.4.0/24 -j SNAT --to 10.253.0.2
> 
>         Looks to work just fine, despite being not so 'clean' - I would prefer 
> to have a separate interface for the VPN, not to assign an alias to eth0. 
> Does not work with lo instead of eth0.

A few hints:

- lo doesn't work because IPsec is disabled by default on loopback.
  Check /proc/sys/net/ipv4/conf/<dev>/disable_{policy,xfrm}. If
  you disable rp_filter you can even route the IPsec network to
  lo and it will work (or use dummy if working with a seperate
  interface makes it easier for your).
- you don't need the extra address and route, just SNAT is enough
- The policy match can be used to express something similar to
  "-i ipsec0" and "-o ipsec0".
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux