[Openswan Users] 26Sec to OpenSwan-1.0.3 dual-subnet routing problem

Herbert Xu herbert at gondor.apana.org.au
Mon Jun 14 19:09:21 CEST 2004


Please cc me when replying if you want me to read your message.

Charles Jones <linkst8.ipsec at scriptable.net> wrote:
> Back in the day, Herbert Xu said:
>> linkst8.ipsec at scriptable.net wrote:
>> >
>> >    /usr/sbin/iptables -t nat -I POSTROUTING -o $EINT -d ! $gw -j MASQUERADE
>> 
>> If this is the script on the 26sec machine then please try removing
>> the MASQUERADE rule.  Applying MASQUERADE rules on a 26sec stack
>> to IPsec packets results in unexpected behaviour like this.
> 
> Thanks for the suggestion, but the "!" in the above iptables statement
> is there to ensure that masquerading is not performed on the traffic
> from the listed ipsec gateway.  Or am I mis-interpreting your advice?

Yes you're right.  However, NATing with the new stack is so broken
that this may not be doing the right thing depending on whether it's
matching against the pre or post-encap packet.

Anyway, please check the following things:

1. Make sure that rpfilter is turned off on $EINT.
2. Make sure that your packet is not disappearing due to NATing
by doing 'grep 10.10.10 /proc/net/ip_conntrack'.
3. Make sure that the decrypted packet is arriving in the FORWARD table
by LOGging it.
4. Make sure that it is being accepted there.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email:  Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
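
The four checks above, scripted as a small diagnostic helper. This is an added example, not code from the thread or from Openswan; it assumes the 2.6-kernel text layout of /proc/net/ip_conntrack and reuses the $EINT and 10.10.10.x names from the thread.

```shell
#!/bin/sh
# Added helper, not code from the thread: scripts the four checks above.
# Assumptions: the 2.6-kernel text format of /proc/net/ip_conntrack and
# the $EINT / 10.10.10.x names used in the thread.

# Check 1: reverse-path filtering on the external interface (1 = on).
rpfilter_state() {
    cat "/proc/sys/net/ipv4/conf/$1/rp_filter" 2>/dev/null || echo unknown
}

# Check 2: read ip_conntrack lines on stdin and print the entries for the
# given address prefix whose reply tuple no longer points at the original
# source, i.e. entries that MASQUERADE/SNAT has rewritten and that will
# therefore never match the IPsec policy for the inner subnet.
# Each line carries the original tuple (first src=/dst=) and then the reply
# tuple (second src=/dst=); without NAT, reply dst equals original src.
nat_rewritten_entries() {
    awk -v p="$1" '{
        n = 0; m = 0
        for (i = 1; i <= NF; i++) {
            v = $i
            if (v ~ /^src=/)      { sub(/^src=/, "", v); src[++n] = v }
            else if (v ~ /^dst=/) { sub(/^dst=/, "", v); dst[++m] = v }
        }
        if (n == 2 && m == 2 && index(src[1], p) == 1 && src[1] != dst[2]) print
    }'
}

# Checks 3 and 4: print (do not run) the iptables commands that log the
# decrypted packets as they enter FORWARD and show whether they are accepted.
forward_check_commands() {
    printf '%s\n' \
        "iptables -I FORWARD 1 -s $1 -j LOG --log-prefix 'ipsec-fwd: '" \
        "iptables -L FORWARD -v -n"
}

# Constructed sample: one entry rewritten by MASQUERADE (reply dst is the
# gateway's public address, not 10.10.10.5) and one left untouched.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.10.10.5 dst=192.168.1.10 sport=4321 dport=22 src=192.168.1.10 dst=203.0.113.2 sport=22 dport=4321 [ASSURED] use=1
udp      17 29 src=10.10.10.7 dst=192.168.1.53 sport=5353 dport=53 src=192.168.1.53 dst=10.10.10.7 sport=53 dport=5353 use=1'

if [ "$#" -eq 2 ]; then    # usage: sh ipsec-checks.sh $EINT 10.10.10
    echo "rp_filter on $1: $(rpfilter_state "$1")"
    echo "conntrack entries for $2 rewritten by NAT:"
    nat_rewritten_entries "$2" < /proc/net/ip_conntrack
    forward_check_commands "$2.0/24"
fi
```

Run it on the gateway as `sh ipsec-checks.sh $EINT 10.10.10`; a non-empty list under "rewritten by NAT" is the symptom step 2 is looking for.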