Re: ipsec nat issue


 



Sorry for the noise.

I had started the ping before I added the NAT rule so
either conntrack or the route cache was keeping the packet from
going thru the SNAT. I stopped the ping for a while then started
it back up and everything worked as I expected.

On 10/12/2012 10:36 PM, Stephen Clark wrote:
> On 10/12/2012 04:28 PM, Jan Engelhardt wrote:
>> On Friday 2012-10-12 22:22, Stephen Clark wrote:
>>>
>>> Hello,
>>>
>>> I have the following setup:
>>>
>>> ipsec tunnel 10.255.3.128/25 - pub add1 <-> pub add2 - 10.255.5.128/25
>>>
>>> trying to SNAT remote private address 10.255.5.128/25 to make it appear like it
>>> was local 10.255.3.254
>>
>> The left endpoint has 10.255.3.128/25 declared as local, so if the left
>> side is to respond to packets which have 10.255.3.254 as source address,
>> that reply will be delivered on its own side (the left side), and never
>> the tunnel.
>>
>> This is like trying to SNAT all your home traffic that is supposed to go
>> to the internet to 192.168.1.1 -- unroutable for the Internet.
>
> Hi Jan,
>
> The ping is initiated from the right side of the tunnel trying to ping a device on the left subnet. The device on the left subnet at 10.255.3.129 doesn't know about the right subnet at 10.255.5.128/25, so I want to make the packets coming from the right subnet of 10.255.5.128/25 appear as if they came from the left address of 10.255.3.254. I would expect that when the echo response came back from 10.255.3.129 it would be unSNATed so the destination address would now be 10.255.5.254 and it would go back thru the vpn tunnel to the right side.
>
> I don't see this as any different than when I use SNAT from my private network to my public network except
> I'm using two private addresses.




--

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases."  (Thomas Jefferson)
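The behaviour Stephen ran into above (a ping started before the SNAT rule was added keeps bypassing it) follows from how netfilter evaluates the nat table: it is consulted only for the first packet of a connection (state NEW), and the resulting binding, including a "null" binding when no rule matched, is recorded in conntrack and reused for every later packet of that flow until the entry expires or is flushed. The following toy model reproduces that first-packet decision and the reverse translation of the echo reply. It is an added example, not code from the thread or from the netfilter project; the subnets, 10.255.3.254 and 10.255.3.129 come from the thread, while 10.255.5.254 as the pinging host, the `Packet`/`SnatRule`/`NatBox` names and the ICMP-id flow key are my own simplifications (no timeouts, no chains, ICMP echo only).

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses from the thread: left LAN behind the left IPsec endpoint,
# right LAN behind the right one.
RIGHT_LAN = "10.255.5.128/25"
LEFT_LAN = "10.255.3.128/25"
LEFT_GW = "10.255.3.254"     # address right-side traffic should appear to come from
LEFT_HOST = "10.255.3.129"   # ping target on the left LAN (from the thread)
RIGHT_HOST = "10.255.5.254"  # constructed: the host on the right LAN running ping


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_id: int            # ICMP echo identifier, the flow key conntrack uses for ping
    echo_reply: bool = False


@dataclass(frozen=True)
class SnatRule:
    match_src: str          # CIDR the original source must fall in
    match_dst: str          # CIDR the destination must fall in (only tunnel traffic)
    to_source: str

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.match_src)
                and ip_address(pkt.dst) in ip_network(self.match_dst))


class NatBox:
    """Hypothetical model of the NEW-packet-only NAT decision plus conntrack bindings."""

    def __init__(self):
        self.rules = []
        self.bindings = {}      # original-direction tuple -> new src (None = null binding)
        self.reply_index = {}   # reply-direction tuple -> original-direction tuple

    def add_snat(self, rule):
        self.rules.append(rule)

    def flush_conntrack(self):
        """Stands in for the entries timing out (or being flushed by hand)."""
        self.bindings.clear()
        self.reply_index.clear()

    def forward(self, pkt):
        """Return the packet as it leaves the box after POSTROUTING."""
        key = (pkt.src, pkt.dst, pkt.icmp_id)
        if pkt.echo_reply and key in self.reply_index:
            # Reply of a known flow: undo the source translation on the destination.
            orig_src, _, _ = self.reply_index[key]
            return replace(pkt, dst=orig_src)
        if key not in self.bindings:
            # First packet of the flow: the only time the nat rules are consulted.
            # A flow that matches no rule still gets a binding (to "no translation").
            new_src = next((r.to_source for r in self.rules if r.matches(pkt)), None)
            self.bindings[key] = new_src
            seen_src = new_src or pkt.src
            self.reply_index[(pkt.dst, seen_src, pkt.icmp_id)] = key
        new_src = self.bindings[key]
        return pkt if new_src is None else replace(pkt, src=new_src)


def ping_started_before_rule():
    """The failing case from the thread: the flow was bound before the rule existed."""
    box = NatBox()
    first = box.forward(Packet(RIGHT_HOST, LEFT_HOST, icmp_id=7))
    box.add_snat(SnatRule(RIGHT_LAN, LEFT_LAN, LEFT_GW))
    later = box.forward(Packet(RIGHT_HOST, LEFT_HOST, icmp_id=7))
    return first.src, later.src


def ping_restarted_after_flush():
    """The working case: a fresh flow sees the rule, and the reply is un-SNATed."""
    box = NatBox()
    box.forward(Packet(RIGHT_HOST, LEFT_HOST, icmp_id=7))
    box.add_snat(SnatRule(RIGHT_LAN, LEFT_LAN, LEFT_GW))
    box.flush_conntrack()
    out = box.forward(Packet(RIGHT_HOST, LEFT_HOST, icmp_id=8))
    reply = box.forward(Packet(LEFT_HOST, LEFT_GW, icmp_id=8, echo_reply=True))
    return out.src, reply.dst


if __name__ == "__main__":
    print("ping started before rule:", ping_started_before_rule())
    print("ping restarted after flush:", ping_restarted_after_flush())
```

Two things to check on a real box when a freshly added nat rule seems to be ignored: whether the flow already has a conntrack entry (a ping restarted after a pause normally also carries a new ICMP id, which is a new flow), and whether the rule is narrow enough that only tunnel-bound traffic is rewritten, as the destination match above does.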



--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

