Hello,

I set up an IPsec tunnel and iptables as follows:

  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  spdadd 172.27.210.0/24 172.27.86.0/24 any -P in ipsec
      esp/tunnel/172.27.1.3-172.27.1.10/require
      ah/tunnel/172.27.1.3-172.27.1.10/require;
  spdadd 172.27.86.0/24 172.27.210.0/24 any -P out ipsec
      esp/tunnel/172.27.1.10-172.27.1.3/require
      ah/tunnel/172.27.1.10-172.27.1.3/require;

SAs are established between 172.27.1.3 and 172.27.1.10:

  src 172.27.1.3 dst 172.27.1.10 proto esp spi 0x0745d68a
  src 172.27.1.3 dst 172.27.1.10 proto ah spi 0x08751c15
  src 172.27.1.10 dst 172.27.1.3 proto esp spi 0x06170697
  src 172.27.1.10 dst 172.27.1.3 proto ah spi 0x058572c2

but I cannot connect from 172.27.210.0/24 to 172.27.86.0/24.

I noticed this is a strange setting; one solution is not to masquerade from 172.27.210.0/24 to 172.27.86.0/24. But the packets are curious in this setting. Ping from 172.27.210.10 to 172.27.86.1 (which is another interface of 172.27.1.10):

  IP 172.27.1.3 > 172.27.1.10: AH(spi=0x80031c15,seq=0x1): IP 172.27.1.3 > 172.27.1.10: ESP(spi=0x0745d68a,seq=0x1) (ipip-proto-4)
  IP 172.27.1.3 > 172.27.1.10: AH(spi=0x80031c15,seq=0x2): IP 172.27.1.3 > 172.27.1.10: ESP(spi=0x0745d68a,seq=0x2) (ipip-proto-4)
  IP 172.27.1.3 > 172.27.1.10: AH(spi=0x80031c15,seq=0x3): IP 172.27.1.3 > 172.27.1.10: ESP(spi=0x0745d68a,seq=0x3) (ipip-proto-4)

Stop the ping and start it again:

  IP 172.27.1.3 > 172.27.1.10: AH(spi=0x83031c15,seq=0x45): IP 172.27.1.3 > 172.27.1.10: ESP(spi=0x0745d68a,seq=0x45) (ipip-proto-4)
  IP 172.27.1.3 > 172.27.1.10: AH(spi=0x83031c15,seq=0x46): IP 172.27.1.3 > 172.27.1.10: ESP(spi=0x0745d68a,seq=0x46) (ipip-proto-4)
  IP 172.27.1.3 > 172.27.1.10: AH(spi=0x83031c15,seq=0x47): IP 172.27.1.3 > 172.27.1.10: ESP(spi=0x0745d68a,seq=0x47) (ipip-proto-4)

It seems that something overwrites AH's SPI. Simply changing nat_packet() in net/ipv4/netfilter/ip_nat_core.c

- if (!manip_pkt(target.dst.protonum, pskb, 0, &target, mtype))
+ if (!manip_pkt((*pskb)->nh.iph->protocol, pskb, 0, &target, mtype))

seems to work only in this case, but ssh doesn't work. Does this need more work, or is this the desired behavior?
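Review bot: passing the outer header's (*pskb)->nh.iph->protocol to manip_pkt() instead of target.dst.protonum hides the symptom rather than fixing it. The conntrack tuple for this packet was built from the inner ICMP echo before the IPsec encapsulation, so nat_packet() runs the ICMP manip on what is now an AH header; the observed change (0x08751c15 -> 0x80031c15, then 0x83031c15 after restarting ping, low 16 bits never touched) sits exactly where the ICMP id field would be, which is consistent with the id being written into the high half of the SPI. With the outer protocol (AH) there is no layer-4 manip, so the SPI survives, but the tuple still describes the inner flow and the reverse mapping for a TCP connection is built on that same mismatch, which is the likely reason ssh still fails. The cleaner change is the one the mail already mentions, keeping the tunnel traffic out of NAT with a rule ahead of the MASQUERADE, for example: iptables -t nat -I POSTROUTING -s 172.27.210.0/24 -d 172.27.86.0/24 -j ACCEPT. If the nat_packet() change is kept anyway, it needs a comment saying why the header protocol is preferred over the tuple's protonum and an explanation of how decapsulated replies are matched.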
thanks,

-
To unsubscribe from this list: send the line "unsubscribe netdev" in the body
of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
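Added example, not part of the original mail: a small Python script that automates the comparison the poster did by eye, checking the AH and ESP SPIs seen in tcpdump output against the SA list printed by setkey -D and reporting which half of a mismatched SPI changed. The SA dump and capture lines below are constructed from the values in the mail; the function names and the note that a high-half-only change lines up with the ICMP id offset are my own assumptions, not anything from the kernel or tcpdump.

```python
import re

# Constructed sample: the SA list quoted in the mail, in setkey -D style.
SA_DUMP = """\
src 172.27.1.3 dst 172.27.1.10 proto esp spi 0x0745d68a
src 172.27.1.3 dst 172.27.1.10 proto ah spi 0x08751c15
src 172.27.1.10 dst 172.27.1.3 proto esp spi 0x06170697
src 172.27.1.10 dst 172.27.1.3 proto ah spi 0x058572c2
"""

# Constructed sample: tcpdump lines modelled on the mail (two bad, one good).
CAPTURE = """\
IP 172.27.1.3 > 172.27.1.10: AH(spi=0x80031c15,seq=0x1): IP 172.27.1.3 > 172.27.1.10: ESP(spi=0x0745d68a,seq=0x1) (ipip-proto-4)
IP 172.27.1.3 > 172.27.1.10: AH(spi=0x83031c15,seq=0x45): IP 172.27.1.3 > 172.27.1.10: ESP(spi=0x0745d68a,seq=0x45) (ipip-proto-4)
IP 172.27.1.3 > 172.27.1.10: AH(spi=0x08751c15,seq=0x1): IP 172.27.1.3 > 172.27.1.10: ESP(spi=0x0745d68a,seq=0x1) (ipip-proto-4)
"""

SA_RE = re.compile(r"src (\S+) dst (\S+) proto (esp|ah) spi (0x[0-9a-fA-F]+)")
HDR_RE = re.compile(r"IP (\S+) > (\S+): (AH|ESP)\(spi=(0x[0-9a-fA-F]+),seq=(0x[0-9a-fA-F]+)\)")


def parse_sas(text):
    """Return {(src, dst, proto): spi} from a setkey -D style dump."""
    sas = {}
    for src, dst, proto, spi in SA_RE.findall(text):
        sas[(src, dst, proto.lower())] = int(spi, 16)
    return sas


def describe_diff(seen, expected):
    """Say which 16-bit half of the SPI differs from the SA; the high half of the
    AH SPI sits at the same header offset as an ICMP id field (assumption stated
    in the lead-in), so a high-half-only change is the pattern from the mail."""
    xor = seen ^ expected
    hi, lo = (xor >> 16) & 0xFFFF, xor & 0xFFFF
    if hi and not lo:
        return "only high 16 bits differ"
    if lo and not hi:
        return "only low 16 bits differ"
    return "both halves differ"


def check_capture(sas, text):
    """Return one finding per AH/ESP header whose SPI does not match the SA
    for that src/dst/proto: (lineno, proto, seen_spi, expected_spi, reason)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for src, dst, proto, spi, _seq in HDR_RE.findall(line):
            seen = int(spi, 16)
            expected = sas.get((src, dst, proto.lower()))
            if expected is None:
                findings.append((lineno, proto, seen, None, "no SA for this src/dst"))
            elif seen != expected:
                findings.append((lineno, proto, seen, expected, describe_diff(seen, expected)))
    return findings


if __name__ == "__main__":
    for lineno, proto, seen, expected, reason in check_capture(parse_sas(SA_DUMP), CAPTURE):
        exp = "none" if expected is None else f"0x{expected:08x}"
        print(f"line {lineno}: {proto} spi 0x{seen:08x} (SA says {exp}): {reason}")
```

Run it against a real setkey -D dump and a tcpdump capture of the tunnel endpoints to see at a glance whether the SPIs on the wire are the ones the kernel negotiated; any line reported here is a packet the peer will drop at AH verification, which explains the failed connections before anyone looks at the NAT code.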