[ossig] Linux kernel IP stack, 7-layer OSI cake and SNAT shenanigans
Hi all, sorry for the cross-post...
This is a Linux-specific question, so Beasties beware:
I'm setting up a network-to-network IPsec VPN between network A and
network B. Once the VPN is set up, a packet entering one endpoint will
magically appear on the other end - so unless networks A and B are
numbered the same, one of two approaches is necessary:
1. Static routes in each LAN send traffic between A and B to the
local VPN endpoint.
2. Each LAN NATs its traffic to/from the partner's network. Of
course this happens before the IPsec encapsulation!
For reasons political I chose option 2. AFAIK it's gonna be trivial
to do this with two boxen - one for the NAT and one for the IPsec. Of
course, I'd like to put both these steps in the same physical machine
to save space and money - but I can't figure out how in heck this
would work, putting a NAT and a VPN on the same box, with the goal of
having pass-through traffic first NAT'd and then VPN'd.
First, a question of terminology: A user-space PROCESS listens on an
IP port. What's the name for the kernel-space thingy that processes
traffic entering the IP stack? For example - netfilter, FreeS/WAN and
LVS all grab incoming IP traffic before it gets to userland. All of
these are specific instances of *what* generic class/noun? Perhaps I
need to bust out my W. Richard Stevens...
Thus terminologically clarified, the meat of the question is whether
(and thence *how*) I can send traffic inbound to the IP stack to more
than one of these "thingies", e.g. NAT it in netfilter, then IPsec it
in Openswan, then hit the routing table and off you go. Anybody?
--
% You are in a maze of twisty passages, all alike.
Christopher DeMarco <cdemarco@fastmail.fm>
PGP public key ID 0x2E76CF5C @ pgp.mit.edu
+6012 232 2106
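Added example, not part of the post above and not Openswan or kernel code: a small Python model of the order in which a forwarded packet meets netfilter's NAT hooks and the native IPsec (xfrm, "NETKEY") transform on one Linux box, which is the "NAT first, then IPsec, same machine" arrangement the question asks about. The model assumes the native xfrm path rather than KLIPS's ipsec0 device, and it only models the outbound policy lookup and inbound decapsulation, not SPD/SAD state or inbound policy checks. All addresses, prefixes and the NETMAP-style 1:1 rewrite are constructed for illustration: LAN A is 192.168.1.0/24 presented to the partner as 10.1.0.0/24, LAN B is 192.168.2.0/24 presented as 10.2.0.0/24. The point it demonstrates is that SNAT in POSTROUTING runs before the xfrm output policy lookup, so the IPsec selectors must be written against the post-NAT addresses; the second policy set shows what happens when they are not.

```python
"""Model of the Linux forward path on a box doing both NAT and IPsec (xfrm).
Hook order modelled: xfrm input (decap) -> PREROUTING (DNAT) -> route/FORWARD
-> POSTROUTING (SNAT) -> xfrm output policy lookup -> ESP encapsulation.
Constructed example; addresses and rules are assumptions, not from the post."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    esp: bool = False              # True once xfrm has wrapped it in ESP
    inner: Packet | None = None    # the plaintext packet inside an ESP packet


def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """1:1 prefix rewrite like the iptables NETMAP target: keep host bits, swap prefix."""
    f, t = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    offset = int(ipaddress.ip_address(addr)) - int(f.network_address)
    return str(t.network_address + offset)


@dataclass(frozen=True)
class NatRule:
    hook: str    # "PREROUTING" rewrites dst (DNAT); "POSTROUTING" rewrites src (SNAT)
    match: str   # CIDR the address must be in before the rewrite
    to: str      # CIDR it is mapped onto


@dataclass(frozen=True)
class XfrmPolicy:
    src_sel: str  # selectors are compared against the header as xfrm sees it,
    dst_sel: str  # i.e. AFTER POSTROUTING SNAT has run
    local_gw: str
    remote_gw: str


class Gateway:
    def __init__(self, ip: str, nat_rules: list[NatRule], policies: list[XfrmPolicy]):
        self.ip, self.nat_rules, self.policies = ip, nat_rules, policies

    def _nat(self, pkt: Packet, hook: str, trace: list[str]) -> Packet:
        for r in self.nat_rules:
            if r.hook == hook == "PREROUTING" and in_net(pkt.dst, r.match):
                pkt = replace(pkt, dst=netmap(pkt.dst, r.match, r.to))
                trace.append(f"{hook} DNAT -> dst {pkt.dst}")
                break
            if r.hook == hook == "POSTROUTING" and in_net(pkt.src, r.match):
                pkt = replace(pkt, src=netmap(pkt.src, r.match, r.to))
                trace.append(f"{hook} SNAT -> src {pkt.src}")
                break
        return pkt

    def forward(self, pkt: Packet) -> tuple[Packet, list[str]]:
        trace: list[str] = []
        # xfrm input: ESP addressed to us is decapsulated and the inner packet
        # re-enters the stack from the top, so it sees PREROUTING (DNAT) again.
        if pkt.esp and pkt.dst == self.ip and pkt.inner is not None:
            pkt = pkt.inner
            trace.append(f"xfrm in: decap -> {pkt.src}->{pkt.dst}")
        pkt = self._nat(pkt, "PREROUTING", trace)
        trace.append("route + FORWARD")
        pkt = self._nat(pkt, "POSTROUTING", trace)
        # xfrm output: the policy lookup sees the already-SNATed header.
        for p in self.policies:
            if in_net(pkt.src, p.src_sel) and in_net(pkt.dst, p.dst_sel):
                outer = Packet(p.local_gw, p.remote_gw, esp=True, inner=pkt)
                trace.append(f"xfrm out: ESP {outer.src}->{outer.dst}")
                # The ESP packet itself passes OUTPUT/POSTROUTING once more; the
                # SNAT rule matches only LAN sources, so it goes out untouched.
                return self._nat(outer, "POSTROUTING", trace), trace
        trace.append("xfrm out: no policy match, forwarded in CLEARTEXT")
        return pkt, trace


GW_A, GW_B = "203.0.113.1", "198.51.100.1"          # constructed WAN addresses
NAT_A = [NatRule("POSTROUTING", "192.168.1.0/24", "10.1.0.0/24"),   # SNAT our LAN
         NatRule("PREROUTING", "10.1.0.0/24", "192.168.1.0/24")]    # DNAT replies
NAT_B = [NatRule("POSTROUTING", "192.168.2.0/24", "10.2.0.0/24"),
         NatRule("PREROUTING", "10.2.0.0/24", "192.168.2.0/24")]
POL_B = [XfrmPolicy("10.2.0.0/24", "10.1.0.0/24", GW_B, GW_A)]
# Correct: selectors name the NATed prefixes, because SNAT runs before xfrm.
POL_A_OK = [XfrmPolicy("10.1.0.0/24", "10.2.0.0/24", GW_A, GW_B)]
# Wrong: selector names the real LAN prefix, which the SNATed packet no longer has.
POL_A_BAD = [XfrmPolicy("192.168.1.0/24", "10.2.0.0/24", GW_A, GW_B)]


def run(policy_a: list[XfrmPolicy]):
    """Send 192.168.1.10 -> 10.2.0.5 through gateway A, then B.
    Returns (packet on the wire, packet delivered into LAN B, trace A, trace B)."""
    a, b = Gateway(GW_A, NAT_A, policy_a), Gateway(GW_B, NAT_B, POL_B)
    on_wire, trace_a = a.forward(Packet("192.168.1.10", "10.2.0.5"))
    delivered, trace_b = b.forward(on_wire)
    return on_wire, delivered, trace_a, trace_b


if __name__ == "__main__":
    for label, pol in (("correct selectors", POL_A_OK), ("pre-NAT selectors", POL_A_BAD)):
        wire, got, ta, tb = run(pol)
        print(f"== {label}: on wire {wire.src}->{wire.dst} esp={wire.esp}; "
              f"delivered {got.src}->{got.dst}")
        print("  A:", " | ".join(ta))
        print("  B:", " | ".join(tb))
```

On a real box the same ordering has a well-known side effect: a blanket MASQUERADE or SNAT rule on the WAN interface also matches the plaintext packet in POSTROUTING before xfrm encapsulates it, which is why the usual rule set puts something like `-m policy --dir out --pol ipsec -j ACCEPT` ahead of the masquerade rule so tunnelled traffic is exempted. With KLIPS the picture is simpler in one respect: the tunnel is a virtual ipsec0 interface, so the NAT rule can be matched with `-o ipsec0` and the route to the partner network decides what gets encapsulated.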