Re: SNAT before IPSec

To:	"noa levy" <noalevy@gmail.com>,netfilter@lists.netfilter.org
Subject:	Re: SNAT before IPSec
From:	Jorge Davila <davila@nicaraguaopensource.com>
Date:	Tue, 05 Jun 2007 14:15:21 -0600
Cc:
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	netfilter-list1@securepoint.com
In-reply-to:	<8bd3dfad0706050529s484d42b6t9ef4ae0fd1730367@mail.gmail.com>
List-archive:	</pipermail/netfilter>
List-help:	<mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id:	General discussion and user questions <netfilter.lists.netfilter.org>
List-post:	<mailto:netfilter@lists.netfilter.org>
List-subscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
References:	<8bd3dfad0706050529s484d42b6t9ef4ae0fd1730367@mail.gmail.com>
Sender:	netfilter-bounces@lists.netfilter.org

I'm guessing that you can use the "normal" approach and apply the SNAT rulesto the outgoing traffic flowing in the ipsec interfaces.

The ipsec encryption algorithm is a kernel space tool and iptables is a userspace tool to the netfilter kernel module.

All traffic that pass the POSTROUTING chain in the NAT table is leaving thefirewall box (through a physical interface e.g.:eth0 or through a virtualinterface e.g.:ipsec0).


Jorge Davila..

On Tue, 5 Jun 2007 15:29:47 +0300
 "noa levy" <noalevy@gmail.com> wrote:

Hi All,

I have a setup where I need to SNAT traffic that will be going out via
an IPSec tunnel. The NAT must take place before the IPSec
encryption+encapsulation, so I need the packet to first go through
SNAT and then match an IPSec policy. After being IPSec-ified, I need
the packets to go through routing again.
My question:
SNAT takes place in POST_ROUTING. Can IPSec be applied after that? I
have read that after IPSec the packet gets injected to LOCAL_OUT
again, but when does the actual IPSec policy decision take place?
Won't it happen *before* SNAT? Can I control it?

Thanks,
Noa


Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@nicaraguaopensource.com

<Prev in Thread]	Current Thread	[Next in Thread>
SNAT before IPSec, noa levy Re: SNAT before IPSec, Grant Taylor Re: SNAT before IPSec, Jorge Davila <= Re: SNAT before IPSec, noa levy Re: SNAT before IPSec, Jorge Davila Re: SNAT before IPSec, noa levy Re: SNAT before IPSec, Jorge Davila Re: SNAT before IPSec, noa levy Re: SNAT before IPSec, Jorge Davila Re: SNAT before IPSec, noa levy Re: SNAT before IPSec, Jorge Davila Re: SNAT before IPSec, Grant Taylor Re: SNAT before IPSec, Grant Taylor

Previous by Date:	Re: problem matching marked packets in nat PREROUTING chain, Pascal Hambourg
Next by Date:	Re: SNAT before IPSec, noa levy
Previous by Thread:	Re: SNAT before IPSec, Grant Taylor
Next by Thread:	Re: SNAT before IPSec, noa levy
Indexes:	[Date] [Thread] [Top] [All Lists]