[Openswan dev] Problems with masquerade and sourceip /32 netmask

Avesh Agarwal avagarwa at redhat.com
Tue Jul 6 18:56:05 EDT 2010

On 07/06/2010 05:31 PM, Tuomo Soini wrote:
> I can say using the netmask of the remote network for addsource() in
> _updown.netkey is a totally broken idea.
> Think about a vpn tunnel with rightsubnet= - that would give a
> netmask of 0 for addsource. So the idea is completely broken.
> Could you try this patch if this makes masquerade work as expected with
> /32 netmask.
> I'd generally say that masquerade to vpn tunnel is braindead idea and
> should not ever be done by default.
> If masquerade to vpn tunnel is wanted, it should at least be especially
> done with the -m policy iptables module. And SNAT should be used instead of

Hello Tuomo,

Thanks. I will test it, and will let you know.

However, I had taken it from the KLIPS updown script, as you can see 
from the code segment below, then does it also require fixing?

         # Fix for Bug #66215 to solve SNAT/MASQUERADE problems with recent
         # 2.6.x kernels.
         # Instead of a /32 it seems better to use the netmask of the remote
         # (peer) network for the sourceip as suggested by Patrick McHardy.
         if test "${PLUTO_PEER_CLIENT}" != "${cidr}"
         if ! ip addr show dev ${PLUTO_INTERFACE%:*} | grep -qs "inet 
                 it="ip addr add ${snet} dev ${PLUTO_INTERFACE%:*}"

Thanks and Regards
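To make the objection above concrete, here is an added example (not code from Openswan's _updown scripts) that reproduces the prefix-length derivation the quoted snippet performs, builds the address the script would hand to "ip addr add", and compares it with a fixed /32. The real ip command is replaced by a shell function that only records the command line, and the variable names PLUTO_MY_SOURCEIP / PLUTO_PEER_CLIENT are assumed to carry the sourceip and the remote client network as in the updown environment.

```shell
#!/bin/sh
# Added example: simulate the "addsource" step offline. The ip() function
# below is a stand-in that records what would have been executed; nothing
# touches a real interface.

ip() {
    RECORDED_IP="${RECORDED_IP}ip $*;"
}

# Address the updown logic produces when it borrows the prefix length of the
# peer (remote) client network, as the quoted KLIPS snippet describes.
sourceip_with_peer_prefix() {
    sourceip="$1"       # PLUTO_MY_SOURCEIP (assumed name)
    peer_client="$2"    # PLUTO_PEER_CLIENT, e.g. 192.168.2.0/24
    prefix="${peer_client#*/}"
    printf '%s/%s' "$sourceip" "$prefix"
}

# The host-address form Tuomo's patch argues for: always /32, independent of
# what rightsubnet= happens to be.
sourceip_host() {
    printf '%s/32' "$1"
}

# Run the addsource step in the given mode ("peer" or "host") and return the
# recorded ip invocation so it can be inspected instead of executed.
addsource() {
    iface="$1"; sourceip="$2"; peer_client="$3"; mode="$4"
    RECORDED_IP=""
    case "$mode" in
        peer) snet=$(sourceip_with_peer_prefix "$sourceip" "$peer_client") ;;
        host) snet=$(sourceip_host "$sourceip") ;;
        *)    return 1 ;;
    esac
    ip addr add "$snet" dev "$iface"
    printf '%s' "$RECORDED_IP"
}

# Constructed sample: a "road warrior" tunnel with rightsubnet=0.0.0.0/0.
# Peer-prefix mode yields a /0 source address; host mode yields a /32.
addsource eth0 10.0.0.5 0.0.0.0/0 peer; echo
addsource eth0 10.0.0.5 0.0.0.0/0 host; echo
```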
