[Openswan Users] Rhel 3 with natt patch?
Nicole Hähnel
nicole.haehnel at epost.de
Tue Sep 14 13:13:28 CEST 2004
Hi,
I have some admin pcs which need to be masqueraded.
So I added a new rule and disabled nat for ipsec destinations. (I'm using fwbuilder)
But the "errors" in ipsec verify are still there.
Paul Wouters wrote:
> On Tue, 14 Sep 2004, Nicole Hähnel wrote:
>
>> Checking NAT and MASQUERADEing
>> Checking tun0x1059 at xx.xx.xx.xx from xx.xx.xx.xx/24 to xx.xx.xx.xx/21
>> [FAILED]
>> SNAT from xx.xx.xx.xx to xx.xx.xx.xx/xx kills tunnel xx.xx.xx.xx ->
>> xx.xx.xx.xx/21 [FAILED]
>> ... much more of these lines ...
>
>
> These are your problems. It seems you are NATing packets on that
> machine, without excluding IPsec packets. So the IPsec packets that
> machine sends will have a wrong digital signature and will be silently
> dropped by the other end.
>
>> What else can I do?
>
>
> Disable NAT/MASQ for IPsec destinations. I can't see your network IPs
> because of your xx's but something like changing your NAT/MASQ rule to
> include a -d \! 10.0.0.0/8 or similar will fix the problem.
>
> Paul
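The check that `ipsec verify` performs here, and the rule change Paul suggests, as an added example that is not part of the thread (the nat-table dump, the 192.168.1.0/24 LAN, eth0 and the 10.0.0.0/8 IPsec remote net are all constructed values). The script scans an `iptables-save -t nat` style dump for POSTROUTING SNAT/MASQUERADE rules that would rewrite packets bound for an IPsec peer net, and emits the same rules with the `! -d <net>` exclusion inserted in front of the target:

```shell
#!/bin/sh
# Added example, not from the thread. Finds MASQUERADE/SNAT rules that
# would rewrite packets bound for IPsec peers, and rewrites them with the
# "! -d <net>" exclusion Paul suggests. All addresses are constructed.

# Constructed sample of `iptables-save -t nat` output. The MASQUERADE rule
# has no destination exclusion, so ESP/AH packets to 10.0.0.0/8 would be
# rewritten and fail integrity checking at the peer (the [FAILED] lines).
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Remote subnets reached through IPsec tunnels (assumed value; may list several).
IPSEC_REMOTE_NETS='10.0.0.0/8'

# Print each POSTROUTING SNAT/MASQUERADE rule lacking "! -d <net>" for a
# given IPsec net. Returns 0 when every rule excludes every net, else 1.
check_nat_excludes_ipsec() {
    rules=$1; nets=$2; bad=0
    for net in $nets; do
        offending=$(printf '%s\n' "$rules" \
            | grep -E -- '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' \
            | grep -v -F -- "! -d $net" || true)
        if [ -n "$offending" ]; then
            bad=1
            printf 'NAT rule would rewrite packets to IPsec net %s:\n%s\n' \
                "$net" "$offending"
        fi
    done
    return $bad
}

# Insert "! -d <net>" before the target of one SNAT/MASQUERADE rule, once
# per net, leaving nets that are already excluded untouched.
fix_nat_rule() {
    rule=$1
    for net in $2; do
        case $rule in
            *"! -d $net"*) ;;   # exclusion already present
            *) rule=$(printf '%s\n' "$rule" \
                   | sed -E "s# -j (MASQUERADE|SNAT)# ! -d $net -j \1#") ;;
        esac
    done
    printf '%s\n' "$rule"
}

# Emit the whole dump with every SNAT/MASQUERADE rule fixed; other lines
# (table header, chain policies, COMMIT) pass through unchanged.
fixed_nat_rules() {
    rules=$1; nets=$2
    printf '%s\n' "$rules" | while IFS= read -r line; do
        case $line in
            "-A POSTROUTING "*"-j MASQUERADE"*|"-A POSTROUTING "*"-j SNAT"*)
                fix_nat_rule "$line" "$nets" ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done
}

# Run the check on the constructed dump and show the corrected table.
if check_nat_excludes_ipsec "$SAMPLE_NAT_RULES" "$IPSEC_REMOTE_NETS"; then
    echo 'NAT rules already exclude all IPsec destinations.'
else
    echo 'Corrected nat table (review, then feed to iptables-restore):'
    fixed_nat_rules "$SAMPLE_NAT_RULES" "$IPSEC_REMOTE_NETS"
fi
```

The script expects the `! -d` form that `iptables-save` writes; Paul's `-d \! 10.0.0.0/8` is the older command-line spelling of the same match and is normalised to `! -d` when saved. On kernels using the in-kernel IPsec stack rather than KLIPS (the tun0x1059 device in the quoted output is KLIPS), the same exclusion can be expressed without listing subnets at all by matching on IPsec policy, `-m policy --dir out --pol ipsec -j ACCEPT` placed ahead of the MASQUERADE rule; that goes beyond what the thread discusses.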