RE: How does iptables NAT handle IPsec ESP with NAT-T UDP header ?

Hi Pascal,
Many thanks for the prompt reply!
I will try to clarify the problem with a specific example. I will use 2 flows, but there are actually 4.
The device's public IP in this example is 10.0.0.101, so the setup is like the following:

Private domain                           Public domain

2.1.1.1---+                                  +----------- 10.0.0.1
          +-------NAT--> 10.0.0.101 ---------+
2.1.2.1---+                                  +----------- 10.0.0.2

Incoming flow1 (from the private network, before NAT) has the following header:
Src-IP: 2.1.1.1 (private)
Dst IP: 10.0.0.1 (public)
UDP src port: 4500
UDP dst port: 4500
ESP SPI: 33F5A570

Incoming flow2 (from the private network, before NAT) has the following header:
Src-IP: 2.1.2.1 (private)
Dst IP: 10.0.0.2 (public)
UDP src port: 4500
UDP dst port: 4500
ESP SPI: 9B417632

Now, the SNAT is performed (I'm currently not sure what exactly is used as the src identifier), so both packets go out with the (public) IP 10.0.0.101.
However, after NAT, both UDP ports (src & dst) remain 4500.

The incoming packets from the opposite direction (from the public nodes towards the NAT device) are as follows (as the outgoing packets had both UDP ports 4500, so do the packets in the opposite direction):

Incoming flow1 (from the public network) has the following header:
Src-IP: 10.0.0.1 (public)
Dst IP: 10.0.0.101 (public)
UDP src port: 4500
UDP dst port: 4500
ESP SPI: 33F5A570

Incoming flow2 (from the public network) has the following header:
Src-IP: 10.0.0.2 (public)
Dst IP: 10.0.0.101 (public)
UDP src port: 4500
UDP dst port: 4500
ESP SPI: 9B417632

The thing is that iptables (somehow) performs the DNAT correctly and the tunnels do work (we can ping from side to side).
So internally, after NAT, the packets are as follows:
Incoming flow1 (from the public network, after NAT) has the following header:
Src-IP: 10.0.0.1 (public)
Dst IP: 2.1.1.1 (private)
UDP src port: 4500
UDP dst port: 4500
ESP SPI: 33F5A570

Incoming flow2 (from the public network, after NAT) has the following header:
Src-IP: 10.0.0.2 (public)
Dst IP: 2.1.2.1 (private)
UDP src port: 4500
UDP dst port: 4500
ESP SPI: 9B417632

If both UDP ports are 4500, how did iptables distinguish between the packets and know which private IP to assign to each packet?

Thanks,
Guy
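As an added illustration (not part of Guy's message and not netfilter's own code), a toy Python model of connection tracking keyed on the full UDP 5-tuple: the expected reply tuples differ in the public peer address (10.0.0.1 vs 10.0.0.2), so both flows can keep port 4500 and still be mapped back to the right private host; the ESP SPI plays no part. It goes beyond the two flows in the message by adding a constructed third private host (2.1.3.1) towards the same peer as flow1, which is the case that forces the model to pick a different source port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowTuple:
    """Conntrack's UDP 5-tuple; the ESP SPI is not part of it (it is payload)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return FlowTuple(self.proto, self.dst, self.dport, self.src, self.sport)

class Conntrack:
    """Toy stateful SNAT keyed on the full tuple, as netfilter conntrack does."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.by_orig = {}   # original tuple -> translated tuple
        self.by_reply = {}  # expected reply tuple -> original tuple

    def snat(self, pkt):
        """Translate an outgoing private->public packet, creating state."""
        if pkt in self.by_orig:
            return self.by_orig[pkt]
        # Keep the source port unless the translated tuple would collide with
        # an existing connection to the same peer; only then pick a fresh one.
        sport = pkt.sport
        while FlowTuple(pkt.proto, self.public_ip, sport, pkt.dst, pkt.dport).reverse() in self.by_reply:
            sport += 1
        out = FlowTuple(pkt.proto, self.public_ip, sport, pkt.dst, pkt.dport)
        self.by_orig[pkt] = out
        self.by_reply[out.reverse()] = pkt
        return out

    def dnat_reply(self, pkt):
        """Map a public->NAT packet back to its private host; None if untracked."""
        orig = self.by_reply.get(pkt)
        return orig.reverse() if orig is not None else None

def demo():
    """Constructed scenario from the message, plus a third host to the same peer."""
    ct = Conntrack("10.0.0.101")
    ct.snat(FlowTuple("udp", "2.1.1.1", 4500, "10.0.0.1", 4500))  # flow1
    ct.snat(FlowTuple("udp", "2.1.2.1", 4500, "10.0.0.2", 4500))  # flow2
    third = ct.snat(FlowTuple("udp", "2.1.3.1", 4500, "10.0.0.1", 4500))  # same peer as flow1
    r1 = ct.dnat_reply(FlowTuple("udp", "10.0.0.1", 4500, "10.0.0.101", 4500))
    r2 = ct.dnat_reply(FlowTuple("udp", "10.0.0.2", 4500, "10.0.0.101", 4500))
    return r1.dst, r2.dst, third.sport
```

A reply whose tuple matches no tracked connection returns None, which is the model's equivalent of a packet that has no NAT state and is not translated.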
