Networking Forums



IPSec (i.e. Freeswan 2.x), Linux kernel 2.6 no longer masquerading (NAT'ing) connections

 
 
John T. Ellis

 
      05-23-2004, 11:36 PM
I understand that KLIPS support has been rolled into the native 2.6
kernel and thus the virtual ipsecN interfaces once used for IPSec
traffic are now gone. While this makes sense (in fact I believe the
Cisco IPSec clients for Linux have done this for a while now), this
makes NAT'ing VPN traffic on a gateway difficult - if not impossible.

Since all the traffic is now being transported through the ethN
interfaces, is there a way to masquerade traffic from an internal
network across an IPSec tunnel? For example, say we have a VPN tunnel
established from a gateway to a VPN server:

 /-----------\              /------------\         |
 |  Gateway  |------------->| FreeS/WAN  |         | LAN
 | 12.10.4.1 |              | 15.13.12.1 |---------| 192.168.1.0/24
 \-----------/              \------------/         |

Our gateway connects and can reach servers on the LAN. But since
Gateway is a router that allows NAT'ed clients behind it to reach
other networks, we also want the network behind it to get to the
192.168.1.0/24 network, as in:

           |   /-----------\        /------------\     |
LAN1       |   |  Gateway  |------->| FreeS/WAN  |     | LAN2
10.0.0.0/16|---| 12.10.4.1 |        | 15.13.12.1 |-----| 192.168.1.0/24
           |   \-----------/        \------------/     |

In the 2.4 kernel days we could just say:
iptables -A POSTROUTING -t nat -o ipsec0 -j MASQUERADE

And things would work exactly as listed above. But we don't have
ipsec0 any more... and just MASQUERADE'ing eth0 (or whatever your
public interface is) doesn't work. You can attach to the IPSec tunnel
on the Gateway machine and connect to the remote LAN, but you just
can't do step 2 and masq that connection. So... now what can a guy do?
 
 
Christoph Scheurer

 
      05-25-2004, 06:56 AM
On 23 May 2004 16:36:30 -0700
(E-Mail Removed) (John T. Ellis) wrote:

> I understand that KLIPS support has been rolled into the native 2.6
> kernel and thus the virtual ipsecN interfaces once used for IPSec
> traffic are now gone. While this makes sense (in fact I believe the
> Cisco IPSec clients for Linux have done this for a while now), this
> makes NAT'ing VPN traffic on a gateway difficult - if not impossible.
>
> Since all the traffic is now being transported through the ethN
> interfaces, is there a way to masquerade traffic from an internal
> network across an IPSec tunnel? For example, say we have a VPN tunnel
> established from a gateway to a VPN server:
>
>  /-----------\              /------------\         |
>  |  Gateway  |------------->| FreeS/WAN  |         | LAN
>  | 12.10.4.1 |              | 15.13.12.1 |---------| 192.168.1.0/24
>  \-----------/              \------------/         |
>
> Our gateway connects and can reach servers on the LAN. But since
> Gateway is a router that allows NAT'ed clients behind it to reach
> other networks, we also want the network behind it to get to the
> 192.168.1.0/24 network, as in:
>
>            |   /-----------\        /------------\     |
> LAN1       |   |  Gateway  |------->| FreeS/WAN  |     | LAN2
> 10.0.0.0/16|---| 12.10.4.1 |        | 15.13.12.1 |-----| 192.168.1.0/24
>            |   \-----------/        \------------/     |
>
> In the 2.4 kernel days we could just say:
> iptables -A POSTROUTING -t nat -o ipsec0 -j MASQUERADE
>
> And things would work exactly as listed above. But we don't have
> ipsec0 any more... and just MASQUERADE'ing eth0 (or whatever your
> public interface is) doesn't work. You can attach to the IPSec tunnel
> on the Gateway machine and connect to the remote LAN, but you just
> can't do step 2 and masq that connection. So... now what can a guy do?


what if you masquerade just the protocol 50 eg. esp with
iptables -A POSTROUTING -t nat -p 50 -o eth0 -j MASQUERADE

don't know if it works, but might

Greets
Chris
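An added example, not from either post, showing the nat-table layout I would use for this topology on a 2.6 NETKEY gateway where there is no ipsec0 to match on. It serves both the question and the reply above: instead of matching on an interface, the rules key on the addresses and on the IPsec policy itself. The addresses are the thread's; eth0 as the public interface, the iptables `policy` match, and SNAT'ing LAN1 traffic to the gateway's own tunnel address are my assumptions about the setup, not something the thread confirms. The script emits the commands rather than running them, so the rule set can be reviewed (and tested) before it touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): nat POSTROUTING rules for a gateway that
# runs native 2.6 IPsec (no ipsecN interface). Addresses come from the thread;
# the interface name and the SNAT approach are assumptions.

LAN1="10.0.0.0/16"         # network behind Gateway
LAN2="192.168.1.0/24"      # network behind the FreeS/WAN peer
GW_TUNNEL_IP="12.10.4.1"   # Gateway's address, the local end of the SPD entry
WAN_IF="eth0"              # public interface (assumption)

# Print the iptables commands in the order they must be inserted.
nat_rules() {
    # 1. Packets that already match an outbound IPsec policy must keep their
    #    addresses: a generic MASQUERADE would rewrite the source, the packet
    #    would no longer match the SPD, and it would leave eth0 in clear text.
    echo "iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT"
    # 2. LAN1 -> LAN2: rewrite the source to the gateway's tunnel address.
    #    After translation the packet is 12.10.4.1 -> 192.168.1.0/24, which is
    #    exactly what the host-to-subnet SPD entry covers, so it gets tunnelled.
    echo "iptables -t nat -A POSTROUTING -s $LAN1 -d $LAN2 -j SNAT --to-source $GW_TUNNEL_IP"
    # 3. Everything else from LAN1 gets ordinary Internet masquerading.
    echo "iptables -t nat -A POSTROUTING -s $LAN1 -o $WAN_IF -j MASQUERADE"
}

# Review the output, then pipe it into a root shell to apply it.
nat_rules
```

Rule order matters: the policy match must come before any MASQUERADE rule, and the SNAT rule must come before the catch-all. The SNAT approach also relies on the kernel re-checking the IPsec policy after NAT in POSTROUTING, which later 2.6 kernels do; on the very early NETKEY kernels this thread dates from, the policy lookup happened at routing time, before NAT, so the translated packet would go out unprotected. Either way, verify with tcpdump on eth0 that LAN1-to-LAN2 traffic leaves as ESP rather than as plain 12.10.4.1 -> 192.168.1.x packets. If the peer's administrator cooperates, the cleaner fix is to avoid NAT altogether and put LAN1 into the tunnel (leftsubnet=10.0.0.0/16 on the gateway side, with the matching rightsubnet on the FreeS/WAN end); rule 1 above then keeps that traffic out of the masquerade.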