Michael Muenz schrieb:
Hi,
"Eduardo Spremolla" <edspremolla@xxxxxxxxxxxx> schrieb im
Newsbeitragnews:1113393681.4244.3.camel@xxxxxxxxxxxxxxxxxxxxxxx
Yes, the OpenSwan is mutch more clear, yuo have the packet with the
originals ip in the nat post chain to the tunn0 device.
Is there any chance to aplay NETMAP to the source
ip on PREROUTING ?
I never used NETMAP but this is from the description:
It can be applied to the PREROUTING chain to alter the destination of
incoming connections, to the POSTROUTING chain to alter the source
of outgoing connections, or both (with separate rules).
You want to alter the source (10.2.2.0/24) and that's an outgoing conn.
(Of course vice versa) ..
So perhaps this will work:
iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -d 10.37.130.0/24 \
-j NETMAP --to 10.3.3.0/24
iptables -t nat -A PREROUTING -s 10.37.130.0/24 -d 10.3.3.0/24 \
-j NETMAP --to 10.2.2.0/24
- Michael
No it wonÂt thatÂs the problem because with native IPSec the packets
only pass the chains once (without the patches). So they arrive tunnel
encapsulated at the POSTROUTING chain. But with the patches it would
probably work.