[Openswan Users] Forwrward decripted traffic with NETKEY
Peter McGill
petermcgill at goco.net
Mon Jun 11 12:07:01 EDT 2007
> -----Original Message-----
> Date: Mon, 11 Jun 2007 17:16:15 +0200
> From: Ales Klok <orrie at seznam.cz>
> Subject: Re: [Openswan Users] Forwrward decripted traffic with NETKEY
> To: davor krabse <davorkk at hotmail.com>
> Cc: users at openswan.org
>
> davor krabse wrote:
> > I used the following commands:
> >
> > iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1
> > iptables -t nat -A PREROUTING -m mark --mark 1 -p udp --dport 1701 -j DNAT --to 192.168.147.11
> >
> > but with:
> >
> > iptables -L -vn -t nat
> > iptables -L -vn -t mangle
> >
> > the nr of packets and bytes is 0, although the IPSEC between client and
> > linux vpn server is established.
> >
> > Davor
> >
>
> That's odd. If the first rule is not hit at all, it means no ESP packet
> enters iptables. Either it is discarded prior to iptables (unlikely) or
> no ESP packet reaches that interface. Check ESP traffic with
> "tcpdump -i <ext_iface> ip proto 50 -v" to see if there is any.
> /ak
Perhaps esp is not in the /etc/protocols file; try using
iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1
Peter
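Added here as an illustration of the two checks raised in this thread (resolving "esp" to its protocol number so the MARK rule does not depend on the local /etc/protocols, and spotting a rule whose packet counter stays at 0); it is not code from the thread or from Openswan. It only builds the rule text and parses counter output in the layout of `iptables -L -vn`; it never runs iptables itself. The fallback number table and the sample counter text are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Assumes POSIX sh, the
# "name number aliases" layout of /etc/protocols, and the column layout of
# `iptables -L -vn`. Nothing here invokes iptables.

# proto_number NAME [PROTOCOLS_FILE]
# Resolve a protocol name to its IANA number via the protocols file, falling
# back to a small built-in table (constructed here) for the names IPsec needs.
proto_number() {
    name=$1
    file=${2:-/etc/protocols}
    num=""
    if [ -r "$file" ]; then
        num=$(awk -v n="$name" '$1 !~ /^#/ && $1 == n { print $2; exit }' "$file")
    fi
    if [ -z "$num" ]; then
        case $name in
            esp) num=50 ;;
            ah)  num=51 ;;
            udp) num=17 ;;
            *)   return 1 ;;
        esac
    fi
    printf '%s\n' "$num"
}

# mark_rule NAME MARK
# Emit the mangle rule with the numeric protocol, so the rule loads the same
# way whether or not the box resolves the name.
mark_rule() {
    p=$(proto_number "$1") || return 1
    printf 'iptables -t mangle -A PREROUTING -p %s -j MARK --set-mark %s\n' "$p" "$2"
}

# unmatched_rules
# Read `iptables -L -vn` output on stdin and print the target of every rule
# whose packet counter is 0 (the symptom reported in the thread).
unmatched_rules() {
    awk '/^Chain / || /^ *pkts/ || NF == 0 { next } $1 == 0 { print $3 }'
}

# Constructed sample counter output, modelled on `iptables -L -vn -t mangle`.
SAMPLE_COUNTERS='Chain PREROUTING (policy ACCEPT 1234 packets, 98765 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       esp  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
   42  3360 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500'

# Usage: show the portable rule and which sample rule has never matched.
mark_rule esp 1
printf '%s\n' "$SAMPLE_COUNTERS" | unmatched_rules
```

Feed real `iptables -L -vn -t mangle` output to `unmatched_rules` to list rules with zero hits; a MARK rule that never matches while the tunnel is up points at the protocol match (or at ESP never reaching that chain), which is exactly what the tcpdump check above distinguishes.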