[Openswan Users] 26Sec to OpenSwan-1.0.3 dual-subnet routing problem
Alexander Samad
alex at samad.com.au
Wed Jun 16 13:07:55 CEST 2004
Charles
I have had similar problems, my current solution is to patch the
current debian kernel (2.6.5 & 2.6.6) with POM-NG from the netfilter team. There are 4 netfilter patches that address IPSEC + NAT
If you are happy with building a kernel and patching you might want to
give it a try.
Alex
On Mon, Jun 14, 2004 at 07:26:56PM -0400, Charles Jones wrote:
> Back in the day, Herbert Xu said:
> > Since NAT is currently broken wrt IPsec, this may change in future.
> >
> > The ordering is currently (assuming forwarded packet in tunnel mode)
> >
> > PREROUTING -> INPUT -> IPsec -> PREROUTING -> FORWARD
>
> That actually clears up quite a bit for me. I appreciate it. I've
> written a much cleaner firewall script from that, and everything
> still seems to work as it did before.
>
> Unfortunately, I still can't get the 2nd network behind the remote
> ipsec gateway to route.
>
> On another note, you mentioned to watch ip_conntrack to verify that
> my ipsec traffic is not being masqueraded, but regardless of what
> I've tried, any TCP traffic I send over these connections still shows
> up in there. I am not sure how bad that is, but everything (with
> exception of the second network behind that ipsec gw) works, and I'm
> sending no unencrypted traffic between gateways.
>
> I am thinking my problem is related to using Jay's Firewall. I am
> going to get rid of it, and go back to writing my own standalone
> firewalling script so that I know everything that's going on behind
> the curtains. As soon as I've done that, I'll see if anything
> changes.
>
> Thanks,
>
> --
> For a copy of my public key, send an email to gpgkeys _at_ scriptable _dot_ net with "send pgp key" in the subject.
>
> Linux: Because rebooting is for adding new hardware.
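The check Charles mentions above (watching ip_conntrack to see whether traffic bound for the far side of the tunnel is being masqueraded) can be scripted. The following is an added example, not code from either poster or from Openswan: it reads /proc/net/ip_conntrack-style lines and flags entries whose destination is in the remote IPsec subnet but whose reply tuple shows the source address was rewritten, which is exactly what happens when a MASQUERADE rule in nat POSTROUTING catches packets before they enter the tunnel. The addresses (192.168.1.0/24 local LAN, 10.2.0.0/24 behind the remote gateway, 203.0.113.1 as this gateway's public address) and the sample conntrack lines are constructed for the example.

```shell
#!/bin/sh
# Added example: detect NATed conntrack entries for traffic that should have
# gone into the IPsec tunnel untouched.  Not part of the original thread.

# Constructed /proc/net/ip_conntrack lines (2.6-era format).  Entry 2 is the
# bad case: destination 10.2.0.7 is behind the remote gateway, yet the reply
# tuple points at 203.0.113.1, so MASQUERADE rewrote the source.  Entry 3 is
# ordinary Internet traffic (NAT expected); entry 4 is the ESP flow between
# the two gateways, which also shows up in conntrack and is harmless.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.2.0.5 sport=45678 dport=22 src=10.2.0.5 dst=192.168.1.10 sport=22 dport=45678 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=10.2.0.7 sport=50001 dport=80 src=10.2.0.7 dst=203.0.113.1 sport=80 dport=50001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.12 dst=93.184.216.34 sport=50002 dport=443 src=93.184.216.34 dst=203.0.113.1 sport=443 dport=50002 [ASSURED] use=1
unknown  50 599 src=203.0.113.1 dst=198.51.100.2 src=198.51.100.2 dst=203.0.113.1 use=1'

# masqueraded_to_subnet SUBNET_PREFIX   (conntrack lines on stdin)
# Prints one line per entry whose original destination starts with
# SUBNET_PREFIX (a dotted prefix such as "10.2.0.", enough for a /24)
# and whose reply destination differs from the original source, i.e.
# SNAT/MASQUERADE was applied to tunnel-bound traffic.
masqueraded_to_subnet() {
    awk -v prefix="$1" '
    {
        n = 0; src[1] = ""; src[2] = ""; dst[1] = ""; dst[2] = ""
        for (i = 1; i <= NF; i++) {
            # conntrack prints src= before dst= in each tuple, so the
            # src= field also tells us which tuple we are in.
            if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }
            if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
        }
        # src[1]/dst[1] is the original direction, src[2]/dst[2] the reply.
        # Without NAT the reply destination equals the original source.
        if (n == 2 && index(dst[1], prefix) == 1 && dst[2] != src[1])
            print $1, "orig", src[1] "->" dst[1], "reply-to", dst[2]
    }'
}

# Convenience wrapper over the constructed sample: number of flagged entries.
count_masqueraded_to_subnet() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | masqueraded_to_subnet "$1" | wc -l | tr -d ' '
}

# Stand-alone run: lists the masqueraded tunnel-bound flows in the sample.
printf '%s\n' "$SAMPLE_CONNTRACK" | masqueraded_to_subnet "10.2.0."
```

On a live gateway replace the sample with `masqueraded_to_subnet 10.2.0. < /proc/net/ip_conntrack`. Any hit means the nat POSTROUTING chain needs an exemption for the tunnel's subnet pair ahead of the MASQUERADE rule, for example `iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.2.0.0/24 -j ACCEPT` inserted before the masquerading rule, one such rule per remote subnet when a second network sits behind the far gateway. ESP flows (proto 50) between the gateways appearing in conntrack are expected and are not flagged.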