[Openswan dev] Problems with openswan and bridging

Michael Richardson mcr at xelerance.com
Mon Jun 4 16:37:34 EDT 2007

Hash: SHA1

>>>>> "Rene" == Rene Mayrhofer <rene.mayrhofer at gibraltar.at> writes:
    Rene> master:~# cat /proc/net/ip_conntrack | grep icmp icmp 1 27
    Rene> src= dst= type=8 code=0 id=512
    Rene> [UNREPLIED] src= dst= type=0
    Rene> code=0 id=512 use=1 mark=51

    Rene> And this seems to be the main problem. Do you have any idea
    Rene> why connection tracking may not recognize the ICMP replies,
    Rene> although source and destination addresses match (there are no

  Connection tracking is per-interface.
  What I'm unclear about is if the packet that created the connection
went out through the same interface that the reply came back on?
  I think it logically arrived on the right interface, but virtually
arrived on the wrong one.

    Rene> NAT rules on ipsec0, br_int, or int)? It is also quite funny
    Rene> that, as you can see in the syslog output above, that the
    Rene> packet is marked is coming from br_ext instead of from
    Rene> ipsec0. On br_ext, it is only visible as ESP (which is
    Rene> correct).

  That is strange, I agree, and that would be the 
  I actually removed the trip through netfilter for outgoing plaintext
packets (%pass eroutes) from the 2.5 KLIPS, because of some issues.
  KLIPS should be making the packet arrive on the ipsec0 interface.
Can you enable rcv + verbose debugging in KLIPS?
  I haven't run much code on a 2.4 kernel base lately either.

    Rene> I'd happy about any advice. The changelog between 2.4.6
    Rene> (that's the KLIPS version currently in use) and 2.4.8 does not
    Rene> hint that this issue would be solved, and recompiling that
    Rene> particular kernel would be a major hassle, so I'd prefer to do
    Rene> it only sparingly.


- -- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Finger me for keys


More information about the Dev mailing list