IPSec (i.e. Freeswan 2.x), Linux kernel 2.6 no longer masquerading (NAT'ing) connections

I understand that KLIPS support has been rolled into the native 2.6
kernel and thus the virutal ipsecN interfaces once used for IPSec
traffic are now gone. While this makes sense (in fact I believe the
Cisco IPSec clients for Linux have done this for a while now), this
makes NAT'ing VPN traffic on a gateway difficult - if not impossible.

Since all the traffic is now being transported through the ethN
interfaces, is there a way to masquerade traffic from an internal
network across an IPSec tunnel? For example, say we have a VPN tunnel
established from a gateway to a VPN server:

/-----------\ /------------\ |
| Gateway |------------>| FreeS/WAN | | LAN
| 12.10.4.1 | | 15.13.12.1 |---------| 192.168.1.0/24
\-----------/ \------------/ |

Our gateway connects and can reach servers on the LAN. But since
Gateway is a router that allows NAT'ed clients behind it to reach
other networks, we also want the network behind it to get to the
192.168.1.0/24 network, as in:

| /-----------\ /------------\ |
LAN1 | | Gateway |----->| FreeS/WAN | | LAN2
10.0.0.0/16|---| 12.10.4.1 | | 15.13.12.1 |----| 192.168.1.0/24
| \-----------/ \------------/ |

In the 2.4 kernel days we could just say:
iptables -A POSTROUTING -t nat -o ipsec0 -j MASQUERADE

And things would work exactly as listed above. But we don't have
ipsec0 any more... and just MASQUERADE'ing eth0 (or whatever your
public interface is) doesn't work. You can attach to the IPSec tunnel
on the Gateway machine and connect to the remote LAN, but you just
can't do step 2 and masq that connection. So... now what can a guy do?


John T. Ellis

On 23 May 2004 16:36:30 -0700
(E-Mail Removed) (John T. Ellis) wrote:

> I understand that KLIPS support has been rolled into the native 2.6
> kernel and thus the virutal ipsecN interfaces once used for IPSec
> traffic are now gone. While this makes sense (in fact I believe the
> Cisco IPSec clients for Linux have done this for a while now), this
> makes NAT'ing VPN traffic on a gateway difficult - if not impossible.
>
> Since all the traffic is now being transported through the ethN
> interfaces, is there a way to masquerade traffic from an internal
> network across an IPSec tunnel? For example, say we have a VPN tunnel
> established from a gateway to a VPN server:
>
> /-----------\ /------------\ |
> | Gateway |------------>| FreeS/WAN | | LAN
> | 12.10.4.1 | | 15.13.12.1 |---------| 192.168.1.0/24
> \-----------/ \------------/ |
>
> Our gateway connects and can reach servers on the LAN. But since
> Gateway is a router that allows NAT'ed clients behind it to reach
> other networks, we also want the network behind it to get to the
> 192.168.1.0/24 network, as in:
>
> | /-----------\ /------------\ |
> LAN1 | | Gateway |----->| FreeS/WAN | | LAN2
> 10.0.0.0/16|---| 12.10.4.1 | | 15.13.12.1 |----| 192.168.1.0/24
> | \-----------/ \------------/ |
>
> In the 2.4 kernel days we could just say:
> iptables -A POSTROUTING -t nat -o ipsec0 -j MASQUERADE
>
> And things would work exactly as listed above. But we don't have
> ipsec0 any more... and just MASQUERADE'ing eth0 (or whatever your
> public interface is) doesn't work. You can attach to the IPSec tunnel
> on the Gateway machine and connect to the remote LAN, but you just
> can't do step 2 and masq that connection. So... now what can a guy do?

what if you masquerade just the protocol 50 eg. esp with
iptables -A POSTROUTING -t nat -p 50 -o eth0 -j MASQUERADE

don't know if it works, but might

Greets
Chris