Re: SNAT before IPSec

To:	gtaylor+reply@riverviewtech.net,Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject:	Re: SNAT before IPSec
From:	Jorge Davila <davila@nicaraguaopensource.com>
Date:	Tue, 05 Jun 2007 14:45:05 -0600
Cc:
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	netfilter-list1@securepoint.com
In-reply-to:	<4665C771.4040609@riverviewtech.net>
List-archive:	</pipermail/netfilter>
List-help:	<mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id:	General discussion and user questions <netfilter.lists.netfilter.org>
List-post:	<mailto:netfilter@lists.netfilter.org>
List-subscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
References:	<8bd3dfad0706050529s484d42b6t9ef4ae0fd1730367@mail.gmail.com> <web-74829660@bk1.webmaillogin.com> <4665C771.4040609@riverviewtech.net>
Sender:	netfilter-bounces@lists.netfilter.org

Well Grant, the IPSec standard [1] said:

For every IPsec implementation, there MUST be an administrative
   interface that allows a user or system administrator to manage the
   SPD.  Specifically, every inbound or outbound packet is subject to
   processing by IPsec and the SPD must specify what action will be
   taken in each case.  Thus the administrative interface must allow the
   user (or system administrator) to specify the security processing to
   be applied to any packet entering or exiting the system, on a packet
   by packet basis.

Best regards,

Jorge Davila.

[1] http://www.ietf.org/rfc/rfc2401.txt
On Tue, 05 Jun 2007 15:28:33 -0500
 Grant Taylor <gtaylor@riverviewtech.net> wrote:

On 06/05/07 15:15, Jorge Davila wrote:
I'm guessing that you can use the "normal" approach and apply the SNATrules to the outgoing traffic flowing in the ipsec interfaces.
...
All traffic that pass the POSTROUTING chain in the NAT table is leavingthe firewall box (through a physical interface e.g.:eth0 or through avirtual interface e.g.:ipsec0).
Um, correct me if I'm wrong, but not all IPSec implementations create aninterface any more.
Grant. . . .


Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@nicaraguaopensource.com

<Prev in Thread]	Current Thread	[Next in Thread>
Re: SNAT before IPSec, (continued) Re: SNAT before IPSec, Grant Taylor Re: SNAT before IPSec, Jorge Davila Re: SNAT before IPSec, noa levy Re: SNAT before IPSec, Jorge Davila Re: SNAT before IPSec, noa levy Re: SNAT before IPSec, Jorge Davila Re: SNAT before IPSec, noa levy Re: SNAT before IPSec, Jorge Davila Re: SNAT before IPSec, Jorge Davila Re: SNAT before IPSec, Grant Taylor Re: SNAT before IPSec, Jorge Davila <= Re: SNAT before IPSec, Grant Taylor Re: SNAT before IPSec, Jorge Davila Re: SNAT before IPSec, Grant Taylor Re: SNAT before IPSec, Yasuyuki KOZAKAI

Previous by Date:	Re: SNAT before IPSec, Grant Taylor
Next by Date:	problem matching marked packets in nat PREROUTING chain, Richard Hauswald
Previous by Thread:	Re: SNAT before IPSec, Grant Taylor
Next by Thread:	Re: SNAT before IPSec, Grant Taylor
Indexes:	[Date] [Thread] [Top] [All Lists]