On 10/08/2011 04:06 AM, Chris Wilson wrote:
> Hi Stephen,
>
> On Fri, 7 Oct 2011, Stephen Clark wrote:
>> What is the reasoning for having SNAT happen before ipsec encryption?
>
> You might well want to SNAT or MASQUERADE packets going through the
> tunnel, to have them fit within the tunnel's subnet, for example if
> you add a new local subnet and you don't want to reconfigure thousands
> of clients.
>
>> It forces one to add special rules in the NAT table to keep this from
>> happening
>
> You mean "iptables -t nat -A POSTROUTING -m policy --pol ipsec -j ACCEPT"?
> Doesn't seem very onerous to me.

No, but that is different than what I had been using which is:

-A POSTROUTING -o eth1 -s 10.152.35.0/24 -d 10.159.95.0/24 -j ACCEPT

How does -m policy --pol ipsec figure in? I am somewhat new to iptables having
been working with ipfilter/ipnat on FreeBSD for the last 10 years, so pardon my
ignorance.

> Cheers, Chris.
>
> --
> "They that give up essential liberty to obtain temporary safety,
> deserve neither liberty nor safety." (Ben Franklin)
> "The course of history shows that as a government grows, liberty
> decreases." (Thomas Jefferson)
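Added example (not part of the thread, and not code from either poster): an iptables-restore fragment for the nat table that shows how the policy match Chris mentions replaces the per-subnet ACCEPT Stephen has been using. The interface name eth1 and the two subnets are taken from Stephen's rule; the MASQUERADE rule and the helper functions are constructed for illustration. One detail the quoted command leaves out: the policy match requires a `--dir` argument, and in POSTROUTING only `--dir out` is valid (it looks up the xfrm policy that will encapsulate the packet). The rule order is the security-relevant point: an ACCEPT in nat POSTROUTING ends NAT processing for that packet, so it must precede the MASQUERADE or SNAT rule, otherwise tunnel traffic gets its source rewritten before encryption and no longer matches the IPsec policy's selectors.

```shell
#!/bin/sh
# Added example for the netfilter-devel thread above; not the project's code.
# Values below are constructed for illustration (eth1 and the subnets come
# from Stephen's rule; the MASQUERADE rule is an assumed default).

WAN_IF="eth1"                 # assumed external (tunnel-facing) interface
LOCAL_NET="10.152.35.0/24"    # local subnet from Stephen's rule
REMOTE_NET="10.159.95.0/24"   # remote subnet from Stephen's rule

# Emit the nat table in iptables-restore format.
# The policy-match ACCEPT is generic: it exempts every packet that an
# IPsec SA will encapsulate, whatever its source or destination subnet,
# so adding a new tunnel or subnet needs no extra NAT exemption.
ipsec_nat_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Packets covered by an outbound IPsec policy leave POSTROUTING untouched.
# --dir out is mandatory for the policy match; --dir in is not valid here.
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
# Everything else leaving $WAN_IF is masqueraded (assumed default).
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Stephen's approach for comparison: one explicit exemption per src/dst pair,
# which must be duplicated for every additional tunnel or subnet.
per_subnet_exemption() {
    printf -- '-A POSTROUTING -o %s -s %s -d %s -j ACCEPT\n' \
        "$WAN_IF" "$LOCAL_NET" "$REMOTE_NET"
}

# Sanity check on the generated ruleset: the IPsec exemption must appear
# before the MASQUERADE rule, because the first matching target in nat
# POSTROUTING terminates NAT evaluation for that packet.
# Returns 0 when the order is correct, 1 otherwise.
check_rule_order() {
    rules=$(ipsec_nat_rules)
    accept_line=$(printf '%s\n' "$rules" | grep -n -e '--pol ipsec -j ACCEPT' | cut -d: -f1)
    masq_line=$(printf '%s\n' "$rules" | grep -n -e '-j MASQUERADE' | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$masq_line" ] && [ "$accept_line" -lt "$masq_line" ]
}

# Optional: load the rules without flushing other tables (needs root and
# a kernel with xt_policy); otherwise just print them for review.
if [ "${1:-}" = "--load" ]; then
    ipsec_nat_rules | iptables-restore --noflush
else
    ipsec_nat_rules
fi
```

Run the script without arguments to review the generated table, or with `--load` as root to apply it via `iptables-restore --noflush`. To confirm the exemption is actually hit on a live host, watch the counters with `iptables -t nat -L POSTROUTING -v -n`: traffic for the tunnel should increment the policy-match ACCEPT rule, not the MASQUERADE rule.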
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html