[Openswan dev] Problems with openswan and bridging
mcr at xelerance.com
Mon Jun 4 16:37:34 EDT 2007
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Rene" == Rene Mayrhofer <rene.mayrhofer at gibraltar.at> writes:
Rene> master:~# cat /proc/net/ip_conntrack | grep icmp icmp 1 27
Rene> src=192.168.13.110 dst=192.168.10.130 type=8 code=0 id=512
Rene> [UNREPLIED] src=192.168.10.130 dst=192.168.13.110 type=0
Rene> code=0 id=512 use=1 mark=51
Rene> And this seems to be the main problem. Do you have any idea
Rene> why connection tracking may not recognize the ICMP replies,
Rene> although source and destination addresses match (there are no
Connection tracking is per-interface.
What I'm unclear about is if the packet that created the connection
went out through the same interface that the reply came back on?
I think it logically arrived on the right interface, but virtually
arrived on the wrong one.
Rene> NAT rules on ipsec0, br_int, or int)? It is also quite funny
Rene> that, as you can see in the syslog output above, that the
Rene> packet is marked is coming from br_ext instead of from
Rene> ipsec0. On br_ext, it is only visible as ESP (which is
That is strange, I agree, and that would be the
I actually removed the trip through netfilter for outgoing plaintext
packets (%pass eroutes) from the 2.5 KLIPS, because of some issues.
KLIPS should be making the packet arrive on the ipsec0 interface.
Can you enable rcv + verbose debugging in KLIPS?
I haven't run much code on a 2.4 kernel base lately either.
Rene> I'd happy about any advice. The changelog between 2.4.6
Rene> (that's the KLIPS version currently in use) and 2.4.8 does not
Rene> hint that this issue would be solved, and recompiling that
Rene> particular kernel would be a major hassle, so I'd prefer to do
Rene> it only sparingly.
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Finger me for keys
-----END PGP SIGNATURE-----
More information about the Dev