On Wed, Apr 13, 2005 at 06:50:37PM -0500, Taylor Grant wrote:
> > Couldn't he just SNAT the packets on his side when they become
> > unencapsulated? I'm doing this on a couple of my vpn links.
>
> I don't think that you could just SNAT the packets that are on the way out
> because as I understand it SNAT happens in nat:POSTROUTING *after* the
> routing decision has been made. I had originally thought that the IPSec
> traffic did pass through IPTables a couple of times, once unencrypted and
> then again encrypted. But based on the LOG entries that he has presented
> the traffic only passes through IPTables one time on its way out, and a
> couple of times on its way in. Seeing as how the traffic is only passing
> through IPTables one time on its way out, it is coming in to the system
> from the LAN and immediately going in to the IPSec stack and being
> encrypted and then sent out directly, leaving no chance for it to be SNATed
> before it enters the IPSec stack. Reportedly there are some kernel patches
> to fix these issues, thus causing the packets to traverse IPTables twice,
> once unencrypted and once encrypted. If the packets did indeed pass
> through IPTables twice they could be SNATed before they did enter the IPSec
> VPN. The only caveat would be that the IPSec VPN would have to be
> configured to allow traffic from the 10.3.3.x/24 network vs his 10.2.2.x/24
> network; this would have to be done on both ends too.

These patches exist in pom-ng and I believe have made it into 2.6.8 and above
(not sure about the entry version).

> Grant. . . .
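A way to check the traversal question and to place the NAT, as an added example (shell script, not from the thread or from any poster). It assumes hypothetical addresses: 10.2.2.0/24 is the real LAN behind the gateway, 10.3.3.0/24 is what the far end expects to see, and 10.4.4.0/24 is the remote LAN. The NETMAP target is my choice (SNAT --to-source would do if one address is enough), and by default the script only prints the iptables commands instead of applying them. The LOG rules show, on your own kernel, whether nat:POSTROUTING gets the plaintext packet before it enters the IPsec stack, which is the whole question in the thread; the SPD note restates the caveat that both ends must be configured for the translated network.

```shell
#!/bin/sh
# Added example, not from the thread above. Hypothetical values:
#   LAN_NET    = 10.2.2.0/24  the real LAN behind this VPN gateway
#   SNAT_NET   = 10.3.3.0/24  the network the remote end expects to see
#   REMOTE_NET = 10.4.4.0/24  the LAN behind the far end of the tunnel
# IPT_DRY_RUN=1 (default) only prints the iptables commands; set it to 0 and
# run as root on the gateway to apply them.

LAN_NET=${LAN_NET:-10.2.2.0/24}
SNAT_NET=${SNAT_NET:-10.3.3.0/24}
REMOTE_NET=${REMOTE_NET:-10.4.4.0/24}
IPT_DRY_RUN=${IPT_DRY_RUN:-1}

# Print every rule so the reader can see it; execute only when asked.
ipt() {
    printf 'iptables %s\n' "$*"
    [ "$IPT_DRY_RUN" = 0 ] && iptables "$@"
    return 0
}

# Step 1: trace rules. Tag plaintext LAN->remote packets in the mangle table
# (first hook on the way in, last hook on the way out) and separately tag ESP
# leaving the box. Send one ping from the LAN to the remote net and read the
# kernel log:
#   POST-plain present  -> nat:POSTROUTING sees the plaintext, so the NAT rule
#                          in step 2 is applied before encryption.
#   only POST-esp/none  -> the plaintext went straight into the IPsec stack,
#                          the single-pass case in the thread; you need the
#                          patched or newer kernel before NAT can work here.
add_trace_rules() {
    ipt -t mangle -A PREROUTING  -s "$LAN_NET" -d "$REMOTE_NET" -j LOG --log-prefix "PRE-plain: "
    ipt -t mangle -A POSTROUTING -s "$LAN_NET" -d "$REMOTE_NET" -j LOG --log-prefix "POST-plain: "
    ipt -t mangle -A POSTROUTING -p esp -j LOG --log-prefix "POST-esp: "
}

# Step 2: the NAT itself. nat:POSTROUTING runs after the routing decision,
# so it only helps if the plaintext packet reaches it (see step 1).
# NETMAP keeps the host part, so 10.2.2.7 becomes 10.3.3.7 instead of
# collapsing the whole LAN onto one address as SNAT --to-source would.
# Conntrack reverses the mapping on the replies coming back in.
add_nat_rule() {
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$REMOTE_NET" -j NETMAP --to "$SNAT_NET"
}

# Step 3: the caveat from the thread. The IPsec policy (SPD) on BOTH gateways
# must describe the tunnel as SNAT_NET <-> REMOTE_NET, not LAN_NET <->
# REMOTE_NET, otherwise the translated packet matches no policy. Only a
# reminder is printed because the SPD syntax depends on the IKE daemon.
show_spd_note() {
    printf 'IPsec SPD on both ends must select %s <-> %s (not %s)\n' \
        "$SNAT_NET" "$REMOTE_NET" "$LAN_NET"
}

main() {
    add_trace_rules
    add_nat_rule
    show_spd_note
}

main
```

Run it once as-is to review the rules, then with IPT_DRY_RUN=0 as root to apply them; remove the mangle LOG rules again once you have your answer, since they log every packet on the tunnel.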