[Openswan Users] Rhel 3 with natt patch?

Nicole Hähnel nicole.haehnel at epost.de
Tue Sep 14 13:13:28 CEST 2004


I have some admin pcs which need to be masqueraded.
So I added a new rule and disabled nat for ipsec destinations. (I'm 
using fwbuilder)

But the "errors" in ipsec verify are still there.

Paul Wouters wrote:

> On Tue, 14 Sep 2004, Nicole Hähnel wrote:
>> Checking NAT and MASQUERADEing
>> Checking tun0x1059 at xx.xx.xx.xx from xx.xx.xx.xx/24 to xx.xx.xx.xx/21 
>> SNAT from xx.xx.xx.xx to xx.xx.xx.xx/xx kills tunnel xx.xx.xx.xx -> 
>> xx.xx.xx.xx/21        [FAILED]
>> ... much more of these lines ...
> these are your problems. It seems you are NATing packets on that 
> machine, without
> excluding IPsec packets. So the IPsec packets that machine sends will 
> have a
> wrong digital signature and will be silently dropped by the other end.
>> What else can I do?
> Disable NAT/MASQ for IPsec destinations. I can't see your network IP's 
> because
> of your xx's but something like changing your NAT/MASQ rule to include a
> -d \! or similar will fix the problem.
> Paul

More information about the Users mailing list