[strongSwan] Possible to do DNAT on actual IP packet encapsulated in ESP?

Jan Engelhardt jengelh at inai.de
Sun Jan 13 01:38:42 CET 2013


On Friday 2013-01-11 20:21, Bharath Kumar wrote:

>I have a scenario where I need to redirect all the traffic (destined to
>various hosts on the rightsubnet) coming in via the ESP tunnel to be
>redirected to a local squid proxy. Without the IPSec/ESP, the approach would
>have been to do a DNAT in the PREROUTING chain of IPTables. That doesn't
>apply for ESP case because the actual IP packet is encapsulated/encrypted.

After decapsulation, packets re-enter the packet filter. Hence, something like

-A PREROUTING -m policy --dir in --pol ipsec -p tcp --dport 80 ...
 ... -j TPROXY --on-port 3128
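The rule above only works from the mangle table and needs a matching policy route so that packets marked by TPROXY are delivered to the local Squid socket. The following script is an added example, not part of the thread and not strongSwan's or Squid's own code; it prints the complete rule set (or applies it with `--apply`) and assumes a Squid listening with `http_port 3128 tproxy`, a fwmark of 1 and routing table 100, all of which are hypothetical values chosen here.

```shell
#!/bin/sh
# Added example: redirect TCP/80 that was just decapsulated from an IPsec SA
# to a local Squid via TPROXY. SQUID_PORT, TPROXY_MARK and RT_TABLE are
# hypothetical defaults for this example, not values from the thread.
set -eu

SQUID_PORT="${SQUID_PORT:-3128}"   # Squid must run with: http_port 3128 tproxy
TPROXY_MARK="${TPROXY_MARK:-1}"    # fwmark set by the TPROXY target
RT_TABLE="${RT_TABLE:-100}"        # routing table that delivers marked packets locally

# Emit the iptables/ip commands for the TPROXY variant, one per line.
# -m policy --dir in --pol ipsec matches only packets that arrived through an
# inbound IPsec policy, so cleartext traffic on the same interface is not
# diverted to the proxy by accident.
tproxy_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -m policy --dir in --pol ipsec -p tcp --dport 80 -j TPROXY --on-port ${SQUID_PORT} --tproxy-mark ${TPROXY_MARK}/0xffffffff
ip rule add fwmark ${TPROXY_MARK} lookup ${RT_TABLE}
ip route add local 0.0.0.0/0 dev lo table ${RT_TABLE}
EOF
}

# Sanity check that can run without root: the TPROXY rule must live in the
# mangle table and must carry the policy match. Returns 0 when both hold.
check_rules() {
    tproxy_rules | grep '^iptables' | grep -q -- '-t mangle' || return 1
    tproxy_rules | grep '^iptables' | grep -q -- '-m policy --dir in --pol ipsec' || return 1
    return 0
}

# Default: print the commands for review. With --apply: execute them (root required).
if [ "${1:-}" = "--apply" ]; then
    tproxy_rules | grep -v '^#' | sh -e
else
    tproxy_rules
fi
```

Review the printed commands before running with `--apply`; the `ip rule`/`ip route` lines are what makes the marked, non-locally-addressed packets reach the Squid socket, and without them the TPROXY rule alone silently drops the flow.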
