[Openswan Users] GRE and routing
Michael Jurney
mikej at datasynapse.com
Wed Oct 5 14:37:52 CEST 2005
I'm still working on trying to get broadcast packets flowing across two
openswan gateways. I've got gre-through-ipsec configured correctly, and
unicast traffic is moving without problems. There are two cases that
don't work...
subnet1: 172.16.8.0/24
subnet2: 172.16.32.0/24
Incomplete replies: If I get on a machine on subnet1 and ping
172.16.32.255, traffic goes through the tunnel, and a machine on subnet2
answers back. The ICMP reply packet traverses the gre-in-ipsec tunnel
back to the originating gateway, however it never makes it to eth1 for
delivery to the ethernet segment. A tcpdump on the GRE tunnel interface
shows the de-encapsulated packet, but a tcpdump of eth1 shows nothing.
Failure to rebroadcast: If I send packets to 172.16.8.255 on the
machine on subnet1, they hit the gateway machine, and match the
following iptables DNAT rule:
iptables -A PREROUTING -d 172.16.8.255 -i eth1 -j DNAT --to-destination 172.16.32.255
The rewritten packets never hit the tunnel0 interface for encapsulation,
even if I change the DNAT target to a unicast address and put a static
route for that destination pointing to the tunnel0 interface.
It seems to me that these are two faces of the same problem, but I can't
find a resolution. Any ideas?
--
Michael D. Jurney
Sysadmin, DataSynapse
mikej at datasynapse.com
p: 212.842.8860
View the DataSynapse email disclaimer here:
<http://www.datasynapse.com/legal/emailprivacy.jsp>