Re: SNAT before IPSec

["noa levy" <noalevy@gmail.com>]

Thanks for all the help so far.
Jorge - I'm actually using the native 2.6 kernel ipsec (netkey) and
not KLIPS, so I don't have the "ipsecN" virtual interfaces and can't
use that.
In response to Grant's reply - I think I have a problem, since I'm
using the 2.6.10 kernel (can't upgrade anytime soon). Can anyone point
me to where I can find the relevant ipsec patches that enable the
double passage through netfilter hooks?
Thanks,
Noa

On 6/5/07, Jorge Davila <davila@nicaraguaopensource.com> wrote:
> I'm guessing that you can use the "normal" approach and apply the SNAT rules
> to the outgoing traffic flowing in the ipsec interfaces.
>
> The ipsec encryption algorithm is a kernel space tool and iptables is a user
> space tool to the netfilter kernel module.
>
> All traffic that pass the POSTROUTING chain in the NAT table is leaving the
> firewall box (through a physical interface e.g.:eth0 or through a virtual
> interface e.g.:ipsec0).
>
> Jorge Davila..
>
> On Tue, 5 Jun 2007 15:29:47 +0300
>  "noa levy" <noalevy@gmail.com> wrote:
> > Hi All,
> >
> > I have a setup where I need to SNAT traffic that will be going out via
> > an IPSec tunnel. The NAT must take place before the IPSec
> > encryption+encapsulation, so I need the packet to first go through
> > SNAT and then match an IPSec policy. After being IPSec-ified, I need
> > the packets to go through routing again.
> > My question:
> > SNAT takes place in POST_ROUTING. Can IPSec be applied after that? I
> > have read that after IPSec the packet gets injected to LOCAL_OUT
> > again, but when does the actual IPSec policy decision take place?
> > Won't it happen *before* SNAT? Can I control it?
> >
> > Thanks,
> > Noa
> >
> >
>
> Jorge Isaac Davila Lopez
> Nicaragua Open Source
> +505 430 5462
> davila@nicaraguaopensource.com