Cedric, I understand how to do nat to IPSEC ports and all others. My
question is about any special rules required so that the encrypted
ipsec TCP headers don't get mangled? I recall that parts of the TCP
header about the source address get encrypted and that this can break
the vpn through masqueraded (nat'ed ) connections.
On 12/10/06, Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx> wrote:
Le samedi 09 décembre 2006 à 15:47 -0800, rabbtux rabbtux a écrit :
> Anyone have suggestions for a rule to allow IPsec packets to pass from
> a NATed subnet?? I know linksys,dlink, et. all have a firewall
> checkbox to alow ipsec vpns to work.
IPSEC implies IP protocols 50 (ESP) and sometimes 51 (AH). Therefore,
you have to handle them both. A (very) quick'n'dirty ESP NAT would be:
iptables -t nat -A POSTROUTING -p 50 -j MASQUERADE
iptables -A FORWARD -p 50 -j ACCEPT
Now, just adapt this to your own situation and push some rules with
subnet adresses, input and output interfaces, etc.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
