Well Grant, the IPSec standard [1] said:
For every IPsec implementation, there MUST be an administrative
interface that allows a user or system administrator to manage the
SPD. Specifically, every inbound or outbound packet is subject to
processing by IPsec and the SPD must specify what action will be
taken in each case. Thus the administrative interface must allow the
user (or system administrator) to specify the security processing to
be applied to any packet entering or exiting the system, on a packet
by packet basis.
Best regards,
Jorge Davila.
[1] http://www.ietf.org/rfc/rfc2401.txt
On Tue, 05 Jun 2007 15:28:33 -0500
Grant Taylor <gtaylor@xxxxxxxxxxxxxxxxx> wrote:
On 06/05/07 15:15, Jorge Davila wrote:
I'm guessing that you can use the "normal" approach and apply the SNAT
rules to the outgoing traffic flowing in the ipsec interfaces.
...
All traffic that pass the POSTROUTING chain in the NAT table is leaving
the firewall box (through a physical interface e.g.:eth0 or through a
virtual interface e.g.:ipsec0).
Um, correct me if I'm wrong, but not all IPSec implementations create an
interface any more.
Grant. . . .
Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@xxxxxxxxxxxxxxxxxxxxxxx