Re: SNAT and IPSEC

How can I know if the patches are in my version:

kernel 		2.6.10-1.771_FC2
iptables 	1.2.9-2.3.1
ipsec-tools 	0.5-2.fc2

I will test it. I did not set the POSTROUTING SNAT rule, since I
understand it makes no sense in the ESP packet.

Thanks for the clue.

LALO

On Wed, 2005-04-13 at 10:58 -0400, Jason Opperisano wrote:
> On Tue, Apr 12, 2005 at 03:08:12PM -0300, Eduardo Spremolla wrote:
> > I have 2 local networks 10.2.2.0/24 and 10.37.130.0/24 interconnected by
> > an ipsec tunnel running on kernel 2.6 native ipsec. So far so good.
> > 
> > Now the admin of 10.37.130.0 wants me to NAT my network to 10.3.3.0
> > because he had an ip conflict. I can't SNAT because when the packet goes
> > to nat post it has been encapsulated in ESP and has the firewall's
> > address, as you can see in the bottom log snippet. I tried to use NETMAP in
> > mangle PREROUTING, but it changes the dest ip, not the source.
> > 
> > Is this possible?
> > 
> > Thanks in advance for any clue.
> 
> dunno if this will help or not; as i have lost my test lab, but have you
> applied the ipsec patches from PoM:
> 
>   ipsec-01-output-hooks
>   ipsec-02-input-hooks
>   ipsec-03-policy-lookup
>   ipsec-04-policy-checks
> 
> it is my understanding that these patches make packets traverse the
> netfilter hooks twice:  once clear, and again encrypted.
> 
> -j
> 
> --
> "Peter: I call it... Petoria. I was going to call it Peterland,
>  but that gay bar by the airport took it."
>         --Family Guy
> 

