[Openswan Users] Rhel 3 with natt patch?

Paul Wouters paul at xelerance.com
Tue Sep 14 11:28:24 CEST 2004


On Tue, 14 Sep 2004, Nicole Hähnel wrote:

> Checking NAT and MASQUERADEing
> Checking tun0x1059 at xx.xx.xx.xx from xx.xx.xx.xx/24 to xx.xx.xx.xx/21 [FAILED]
> SNAT from xx.xx.xx.xx to xx.xx.xx.xx/xx kills tunnel xx.xx.xx.xx -> 
> xx.xx.xx.xx/21        [FAILED]
> ... much more of these lines ...

These are your problems. It seems you are NATing packets on that machine, without
excluding IPsec packets. So the IPsec packets that machine sends will have a
wrong digital signature and will be silently dropped by the other end.

> What else can I do?

Disable NAT/MASQ for IPsec destinations. I can't see your network IPs because
of your xx's but something like changing your NAT/MASQ rule to include a
-d \! 10.0.0.0/8 or similar will fix the problem.

Paul
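As an added illustration (not part of the original thread), the script below shows the kind of MASQUERADE rule that `ipsec verify` complains about beside the corrected one, and a small check that audits `iptables-save` output for SNAT/MASQUERADE rules lacking a negated destination match. It assumes the remote IPsec subnet is 10.0.0.0/8 and the outbound interface is eth0; note that current iptables writes the negation as `! -d`.

```shell
#!/bin/sh
# Added example, not from the original post. Flags nat POSTROUTING
# SNAT/MASQUERADE rules that do not exclude the IPsec subnet, which is
# what makes ipsec verify report "SNAT ... kills tunnel".
# Assumed: remote subnet 10.0.0.0/8, outbound interface eth0.

# Constructed sample: rule that NATs everything, IPsec traffic included.
BAD_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample: same rule with the IPsec subnet excluded via "! -d".
GOOD_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 ! -d 10.0.0.0/8 -j MASQUERADE
COMMIT'

# Takes iptables-save text on $1. Prints each nat POSTROUTING
# SNAT/MASQUERADE rule without a "! -d" exclusion; returns 1 if any
# were found, 0 if the ruleset is clean.
check_nat_rules() {
    rules="$1"
    bad=$(printf '%s\n' "$rules" \
        | grep -E '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' \
        | grep -v -- '! -d ' || true)
    if [ -n "$bad" ]; then
        printf 'NAT rule without IPsec exclusion:\n%s\n' "$bad"
        return 1
    fi
    return 0
}
```

On a live gateway, run `check_nat_rules "$(iptables-save)"` to audit the real ruleset; any rule it prints needs a `! -d <remote subnet>` match (or a preceding ACCEPT for that destination) before IPsec traffic will survive NAT.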

