[Openswan Users] 26Sec to OpenSwan-1.0.3 dual-subnet routing problem
Herbert Xu
herbert at gondor.apana.org.au
Mon Jun 14 09:29:50 CEST 2004
linkst8.ipsec at scriptable.net wrote:
>
> /usr/sbin/iptables -t nat -I POSTROUTING -o $EINT -d ! $gw -j MASQUERADE

If this is the script on the 26sec machine then please try removing
the MASQUERADE rule. Applying MASQUERADE rules on a 26sec stack
to IPsec packets results in unexpected behaviour like this.

Beware that even after you remove the entry, you should check
/proc/net/ip_conntrack has expired before pinging again. It
can take anywhere from 1 minute to 10 minutes depending on the
type of traffic. Alternatively you can reboot the machine to
clear the conntrack table.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
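
Added example, not part of the original message: a shell helper that reports whether entries for a peer address are still present in the conntrack table after the MASQUERADE rule has been removed. The function names, the sample table and its addresses are constructed for illustration; the helper assumes the third field of each /proc/net/ip_conntrack line is the entry's remaining lifetime in seconds.

```shell
#!/bin/sh
# Added example: find conntrack entries that still reference a peer address.
# Assumption: lines follow the ip_conntrack text format, where field 3 is the
# remaining lifetime of the entry in seconds.

# conntrack_pending FILE ADDR
# Prints "<matching entries> <longest remaining seconds>" for ADDR.
conntrack_pending() {
    awk -v ip="$2" '
        {
            hit = 0
            # Exact token match so 192.168.20.7 does not match 192.168.20.70.
            for (i = 4; i <= NF; i++)
                if ($i == "src=" ip || $i == "dst=" ip) hit = 1
            if (hit) { n++; if ($3 + 0 > max) max = $3 + 0 }
        }
        END { printf "%d %d\n", n, max }
    ' "$1"
}

# wait_clear FILE ADDR
# Polls until no entry mentions ADDR, then returns 0.
wait_clear() {
    while :; do
        left=$(conntrack_pending "$1" "$2")
        [ "${left%% *}" -eq 0 ] && return 0
        echo "still pending (entries, max seconds): $left" >&2
        sleep 5
    done
}

# Constructed sample table (addresses are made up). The reply tuples show the
# masqueraded source address 203.0.113.1.
sample_table() {
    cat <<'EOF'
icmp     1 27 src=192.168.10.5 dst=192.168.20.7 type=8 code=0 id=4321 [UNREPLIED] src=192.168.20.7 dst=203.0.113.1 type=0 code=0 id=4321 use=1
tcp      6 431990 ESTABLISHED src=192.168.10.9 dst=198.51.100.4 sport=1044 dport=22 src=198.51.100.4 dst=203.0.113.1 sport=22 dport=1044 [ASSURED] use=1
udp      17 170 src=192.168.10.5 dst=192.168.20.7 sport=500 dport=500 src=192.168.20.7 dst=203.0.113.1 sport=500 dport=500 [ASSURED] use=1
EOF
}

# Usage on the gateway: wait_clear /proc/net/ip_conntrack <remote-subnet-host>
```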