I'm guessing that you can use the "normal" approach and apply the SNAT rules
to the outgoing traffic flowing in the ipsec interfaces.
The ipsec encryption algorithm is a kernel space tool and iptables is a user
space tool to the netfilter kernel module.
All traffic that pass the POSTROUTING chain in the NAT table is leaving the
firewall box (through a physical interface e.g.:eth0 or through a virtual
interface e.g.:ipsec0).
Jorge Davila..
On Tue, 5 Jun 2007 15:29:47 +0300
"noa levy" <noalevy@xxxxxxxxx> wrote:
Hi All,
I have a setup where I need to SNAT traffic that will be going out via
an IPSec tunnel. The NAT must take place before the IPSec
encryption+encapsulation, so I need the packet to first go through
SNAT and then match an IPSec policy. After being IPSec-ified, I need
the packets to go through routing again.
My question:
SNAT takes place in POST_ROUTING. Can IPSec be applied after that? I
have read that after IPSec the packet gets injected to LOCAL_OUT
again, but when does the actual IPSec policy decision take place?
Won't it happen *before* SNAT? Can I control it?
Thanks,
Noa
Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@xxxxxxxxxxxxxxxxxxxxxxx
