[Openswan Users] Tunnels come up, but not all traffic goes through

Jacco de Leeuw jacco2 at dds.nl
Thu Jun 10 17:35:47 CEST 2004


Nate Carlson wrote:

> Just for the sake of reference, how would you, for example, tag all data 
> that is coming in via IPSec and going out to your internal network (eth1)? 
> With klips, it's easy:
> 
> iptables -I FORWARD -i ipsec0 -o eth1 <...>
> 
> With 26sec, I'm not aware of a way to do it besides tagging on IP address; 
> the hard part is you don't always know the remote IP (roadwarriors and 
> such). If there is a simple way to do it, I'd love to hear about it!

I don't know if you can use this, but Chris Andrews wrote that he uses fwmark.

   Marks applied to encrypted packets remain set on the unencrypted packets,
   and we can use this to determine which packets arrived via the IPSec SA. The
   'mark' is internal to the kernel, and can't be set on packets outside of the
   system, so it's safe to use this match.

   iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
   iptables -A INPUT -i eth0 -m mark --mark 1 -j ACCEPT

http://www.funknet.org/doc/tunnel/l2tp.html
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
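The fwmark approach above, extended to the FORWARD case Nate asked about, as an added example script (not from the original post or from the funknet.org page). It assumes the outside interface is eth0, the inside interface is eth1 and the mark value is 1; it also marks UDP/4500, because a NAT-traversed roadwarrior delivers ESP inside UDP and a plain `-p esp` rule never sees it. By default it only prints the rules (DRY_RUN=1); run it with DRY_RUN=0 as root to load them.

```shell
#!/bin/sh
# Added example: fwmark-based matching of traffic that arrived through an IPsec SA
# on a 2.6 kernel with native IPsec (no ipsec0 device). Interface names and the
# mark value are assumptions; override them through the environment.
EXT_IF="${EXT_IF:-eth0}"          # interface the ESP/NAT-T packets arrive on
INT_IF="${INT_IF:-eth1}"          # internal network the decrypted traffic goes to
IPSEC_MARK="${IPSEC_MARK:-1}"     # fwmark value reserved for "came in via IPsec"
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the rules, 0 = load them with iptables

# Either print or execute an iptables invocation, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the complete rule set. The mark is set on the still-encrypted packet in
# mangle/PREROUTING; the kernel keeps the mark on the decrypted inner packet,
# so the filter rules can match on it to identify traffic that came in via IPsec.
ipsec_mark_rules() {
    # Raw ESP on the outside interface.
    run -t mangle -A PREROUTING -i "$EXT_IF" -p esp -j MARK --set-mark "$IPSEC_MARK"
    # UDP-encapsulated ESP (NAT traversal, UDP port 4500). Note that IKE messages
    # sharing port 4500 receive the same mark; use a second mark value if you need
    # to tell them apart.
    run -t mangle -A PREROUTING -i "$EXT_IF" -p udp --dport 4500 -j MARK --set-mark "$IPSEC_MARK"
    # Decrypted traffic addressed to this host.
    run -A INPUT -i "$EXT_IF" -m mark --mark "$IPSEC_MARK" -j ACCEPT
    # Decrypted traffic forwarded to the internal network (the case asked about).
    run -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m mark --mark "$IPSEC_MARK" -j ACCEPT
}

ipsec_mark_rules
```

The mark cannot be set by anything outside the host, so unencrypted packets that merely claim to come from a peer's address never carry it; that is what makes matching on the mark safer than matching on remote IP addresses, which are not known in advance for roadwarriors.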

