Re: [Ipsec-tools-devel] adding public IP address tunnel mode
From: Naveen BN <nav...@gl...> - 2009-12-18 08:01:26
Dear Timo,

This is what is expected in a UE as per TS 33.203. This feature should be present in the UE as UDP-encapsulated tunnel mode if the UE detects it is behind NAT. The outgoing packet from the UE should look like this:

Packet from UE in case of UDP encapsulated Tunnel Mode

    -----------------------------------------------------------
    |OUTER.| UDP | ESP | Inner IP |     |      | ESP     | ESP|
    |IP    | Hdr | Hdr | Header   | TCP | Data | Trailer |Auth|
    -----------------------------------------------------------

The contents of the above shown packet w.r.t. IP headers are interpreted as below:

Outer IP addr
    SRC  - Private IP address of UE
    DEST - PCSCF IP address

Inner IP addr
    SRC  - Public IP address of UE
    DEST - PCSCF IP address

Regards
Naveen

Timo Teräs wrote:
> Naveen BN wrote:
>> I require some guidance on achieving a challenging work. I need to
>> add the public IP address, different from that of the local IP address,
>> in the inner IP header before passing it to IPsec processing. I have a
>> tunnel mode policy based on the public IP address and a corresponding SA.
>> Later the outer IP header added by the IPsec layer needs to contain the
>> local IP address.
>>
>> I tried doing the same by using a SNAT using the command
>> iptables -t nat -A POSTROUTING -s 172.16.8.36 -d 172.16.8.38 -j SNAT --to 172.16.8.2
>
> That sounds just wrong. You should add both public IP's to your
> server. Bind the processes to the public IP they use, and use
> the other as gateway address for the IPsec SA.
>
> - Timo
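The outer part of the UDP-encapsulated ESP layout in the mail above, as an added example that is not part of the original thread or of ipsec-tools: it builds a constructed datagram around the 172.16.8.x addresses from the iptables command, then parses the outer IP and UDP headers and the ESP header as a monitoring tool would. Port 4500, the 1-byte keepalive and the 4-byte non-ESP marker are taken from RFC 3948, not from the mail; the inner IP header is encrypted, so only its outer counterpart is readable.

```python
import ipaddress
import struct

NAT_T_PORT = 4500  # UDP-encapsulated ESP port per RFC 3948 (assumption; the mail names no port)

def build_nat_t_datagram(src, dst, udp_body):
    """Constructed outer IPv4 + UDP header around udp_body (checksum fields left 0)."""
    udp_len = 8 + len(udp_body)
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp + udp_body

def esp_packet(spi, seq, ciphertext):
    """ESP header followed by the opaque encrypted part (inner IP, TCP, data, trailer, auth)."""
    return struct.pack("!II", spi, seq) + ciphertext

def parse_nat_t_datagram(pkt):
    """Classify a port-4500 datagram (RFC 3948) and return outer addresses plus ESP SPI/seq.
    Only the outer IP and ESP headers are readable; the inner IP header is encrypted."""
    vihl, _, _, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if NAT_T_PORT not in (sport, dport):
        raise ValueError("not NAT-T (port 4500) traffic")
    body = pkt[ihl + 8:ihl + ulen]
    src, dst = ipaddress.IPv4Address(s), ipaddress.IPv4Address(d)
    info = {"outer_src": str(src), "outer_dst": str(dst),
            "outer_src_private": src.is_private}   # the mail expects a private UE address here
    if body == b"\xff":                      # 1-byte NAT keepalive
        info["kind"] = "keepalive"
    elif body[:4] == b"\x00\x00\x00\x00":    # non-ESP marker: IKE sharing port 4500
        info["kind"] = "ike"
    elif len(body) >= 8:                     # SPI 0 is reserved, so anything else is ESP
        spi, seq = struct.unpack("!II", body[:8])
        info.update(kind="esp", spi=spi, seq=seq, esp_len=len(body))
    else:
        raise ValueError("truncated ESP")
    return info
```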