[Openswan Users] 26Sec to OpenSwan-1.0.3 dual-subnet routing problem

Charles Jones linkst8.ipsec at scriptable.net
Mon Jun 14 20:26:56 CEST 2004


Back in the day, Herbert Xu said:
> Since NAT is currently broken wrt IPsec, this may change in future.
> 
> The ordering is currently (assuming forwarded packet in tunnel mode)
> 
> PREROUTING -> INPUT -> IPsec -> PREROUTING -> FORWARD

That actually clears up quite a bit for me.  I appreciate it.  I've
written a much cleaner firewall script from that, and everything
still seems to work as it did before.

Unfortunately, I still can't get the 2nd network behind the remote
ipsec gateway to route.

On another note, you mentioned to watch ip_conntrack to verify that
my ipsec traffic is not being masqueraded, but regardless of what
I've tried, any TCP traffic I send over these connections still shows
up in there.  I am not sure how bad that is, but everything (with
exception of the second network behind that ipsec gw) works, and I'm
sending no unencrypted traffic between gateways.

I am thinking my problem is related to using Jay's Firewall.  I am
going to get rid of it, and go back to writing my own standalone
firewalling script so that I know everything that's going on behind
the curtains.  As soon as I've done that, I'll see if anything
changes.

Thanks,

-- 
For a copy of my public key, send an email to gpgkeys _at_ scriptable _dot_ net with "send pgp key" in the subject.

Linux: Because rebooting is for adding new hardware.
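The two checks the thread turns on, the nat/POSTROUTING ordering implied by Herbert Xu's traversal order and the ip_conntrack inspection suggested earlier, are shown together below as an added example; it is not code from this thread or from Openswan. Every address and interface is a constructed assumption (192.168.1.0/24 as the local LAN, 10.0.1.0/24 and 10.0.2.0/24 as the two subnets behind the far gateway, 203.0.113.1 as this gateway's public address, eth0 as the WAN interface), and the function names `nat_rules`, `masqueraded_tunnel_flows` and `count_masqueraded` are hypothetical. The conntrack sample is constructed, with one flow to the second remote subnet deliberately showing a rewritten reply address, which is what a missing per-subnet exception ahead of MASQUERADE would look like.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses are constructed (RFC 1918
# and RFC 5737 ranges); adjust to your own topology.
LOCAL_NET=192.168.1.0/24
REMOTE_NETS="10.0.1.0/24 10.0.2.0/24"   # both subnets behind the far IPsec gateway
WAN_IF=eth0

# Print (rather than execute) the nat/POSTROUTING rules so the ordering is
# visible: with 2.6 native IPsec a forwarded packet hits POSTROUTING before
# the SPD is consulted, so one ACCEPT per remote subnet must precede MASQUERADE.
# Forgetting the second subnet means its traffic gets masqueraded instead.
nat_rules() {
  for net in $REMOTE_NETS; do
    echo "iptables -t nat -A POSTROUTING -s $LOCAL_NET -d $net -j ACCEPT"
  done
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LOCAL_NET -j MASQUERADE"
}

# Read /proc/net/ip_conntrack text on stdin and report every flow whose
# destination is one of the remote subnets and whose reply direction does not
# come back to the original source address, i.e. a tunnel flow that has been
# NATed. Prefix matching on the dotted address is enough for /24 subnets.
masqueraded_tunnel_flows() {
  awk -v nets="10.0.1. 10.0.2." '
  {
    n = 0
    for (i = 1; i <= NF; i++) {
      # first src=/dst= pair is the original direction, second is the reply
      if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }
      if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
    }
    if (n < 2) next
    split(nets, list, " ")
    tunnel = 0
    for (k in list) if (index(dst[1], list[k]) == 1) tunnel = 1
    # NAT was applied if the reply is addressed to something other than src[1]
    if (tunnel && dst[2] != src[1])
      print "NATed tunnel flow: " src[1] " -> " dst[1] " (reply goes to " dst[2] ")"
  }'
}

# Constructed ip_conntrack excerpt: flow 1 is a clean tunnel flow, flow 2 is a
# tunnel flow to the second subnet whose reply targets the public address
# (masqueraded), flow 3 is ordinary Internet traffic that is expected to be NATed.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.1.5 sport=41000 dport=22 src=10.0.1.5 dst=192.168.1.10 sport=22 dport=41000 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.2.5 sport=41001 dport=22 src=10.0.2.5 dst=203.0.113.1 sport=22 dport=41001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.7 sport=41002 dport=80 src=198.51.100.7 dst=203.0.113.1 sport=80 dport=41002 [ASSURED] use=1'

# Number of tunnel flows in the sample that were masqueraded (expected: 1).
count_masqueraded() {
  printf '%s\n' "$SAMPLE_CONNTRACK" | masqueraded_tunnel_flows | wc -l | tr -d ' '
}

nat_rules
printf '%s\n' "$SAMPLE_CONNTRACK" | masqueraded_tunnel_flows
echo "masqueraded tunnel flows: $(count_masqueraded)"
```

On a live gateway, replace the embedded sample with `cat /proc/net/ip_conntrack | masqueraded_tunnel_flows`; an empty result means no tunnel flow is being rewritten, and any line it does print names the subnet that still needs an ACCEPT ahead of MASQUERADE.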