Yeah, that was my mistake. I only need the second one.
I thought I needed the first one because IPTables Postrouting didn't
take place until after the kernel had determined whether the traffic was
to be tunneled but I was mistaken. I see now that Postrouting takes
place before the kernel determin
Hello Tormod,
Okay. But still only one CHILD_SA is up and the other one not.
Kind Regards,
Noel Kuntze
On 07.04.2015 at 13:35 T wrote:
Hi Noel,
I need the SNAT as the network on the right wants to see the traffic
originate from the 1.1.1.0/24 range for internal routing purposes.
I thought (Bryan Duff set me straight) I needed two Child SAs. Because
the right device is a Cisco device I had to configure two separate Child
SAs rat
Hello Mirko,
Yes, I meant that one. It seems I forgot to put the reference in the email.
Kind Regards,
Noel Kuntze
On 07.04.2015 at 13:
On Mon, Apr 06, 2015 at 07:01:42PM +0200, Noel Kuntze wrote:
> There is a graph[1] that describes the path of the traffic in the kernel.
Did you mean this one?
[1] http://inai.de/images/nf-packet-flow.svg
Regards
Mirko
Hello Tormod,
There is a graph[1] that describes the path of the traffic in the kernel.
Why do you believe that you have to apply SNAT/MASQUERADE?
By the way, your tunnel setup is wrong.
You define two IPsec tunnels, but there is only one being u
If I recall correctly your step 5 is where things matter - make sure at
that point (basically after nat POSTROUTING) that the traffic source/dest
matches your left/rightsubnets. Don't worry about the routing decision
(your step 3). You should only need one DNAT and one SNAT for your traffic.
-Br
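Bryan's point above, that the source/destination must match left/rightsubnet at the point after nat POSTROUTING, as an added Python model of the hook order that is not part of this thread: only 1.1.1.0/24 comes from the thread, the other subnets and NAT mappings are constructed, and the second ordering is included only to show why a policy lookup on the pre-SNAT source would not select the tunnel.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses (assumed, not from the thread): leftsubnet is 1.1.1.0/24
# as in the thread; rightsubnet and the NAT mappings are made up for the model.
LEFT_SUBNET = ipaddress.ip_network("1.1.1.0/24")
RIGHT_SUBNET = ipaddress.ip_network("10.2.0.0/24")
# nat PREROUTING: published address -> real host behind the right gateway
DNAT_MAP = {ipaddress.ip_address("192.0.2.10"): ipaddress.ip_address("10.2.0.10")}
# nat POSTROUTING: internal sources -> an address inside leftsubnet
SNAT_MAP = {ipaddress.ip_network("192.168.0.0/24"): ipaddress.ip_address("1.1.1.5")}

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address

def prerouting_dnat(p):
    """nat PREROUTING runs before the routing decision, so the new dst is routed."""
    return replace(p, dst=DNAT_MAP[p.dst]) if p.dst in DNAT_MAP else p

def postrouting_snat(p):
    """nat POSTROUTING rewrites the source just before the IPsec policy is consulted."""
    for net, new_src in SNAT_MAP.items():
        if p.src in net:
            return replace(p, src=new_src)
    return p

def xfrm_policy_matches(p):
    """Outbound IPsec policy selector: leftsubnet -> rightsubnet, nothing else."""
    return p.src in LEFT_SUBNET and p.dst in RIGHT_SUBNET

def forward(src, dst, policy_after_postrouting=True):
    """Walk a forwarded packet through the hooks; return (final packet, tunneled).
    The default is the order the thread settles on: DNAT, routing, FORWARD, SNAT,
    then the policy lookup sees the NATed addresses. policy_after_postrouting=False
    is the original poster's mistaken order, kept only for contrast."""
    p = prerouting_dnat(Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst)))
    # routing decision and FORWARD chain go here; neither changes the addresses
    if policy_after_postrouting:
        p = postrouting_snat(p)
        return p, xfrm_policy_matches(p)
    tunneled = xfrm_policy_matches(p)   # evaluated against the pre-SNAT source
    return postrouting_snat(p), tunneled

if __name__ == "__main__":
    for order in (True, False):
        print("policy after POSTROUTING:", order, forward("192.168.0.20", "192.0.2.10", order))
```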
Hello,
I'm currently testing a site to site VPN. I need to change both the source and
destination address on the left device before forwarding the packets over the
VPN to the right device. I believe it all happens in the order below but I may
be wrong.
1 IPTables Prerouting
2 Route selected