[Openswan Users] Openswan, iptables (fiaif) and 2.6.16 kernel

Marco Berizzi pupilla at hotmail.com
Fri Apr 14 17:09:17 CEST 2006

Laurent CARON wrote:

>Marco Berizzi wrote:
>>Laurent CARON wrote:
>>> is my lan subnet (natted so that lan computers can
>>>the internet through the public ip address)
>>> is a workstation on my lan
>>> is the other subnet
>>try this on the 2.6.16 gateway:
>>iptables -t nat -I POSTROUTING -s
>>-d -j ACCEPT
>>iptables -t nat -I POSTROUTING -m policy
>>--dir out --pol ipsec -j ACCEPT
>>PS: you must upgrade to iptables 1.3.5
>Is it a normal behavior that it stops working when upgrading from 2.6.15 to 

No, it isn't a normal behaviour.
Patrick McHardy's IPsec patches were integrated in 2.6.16, and now
netfilter properly sees both ESP and clear packets. This is a
drawback of your firewall/SNAT rules.
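An added example, not part of this thread or of Openswan: a small POSIX sh script that emits the nat POSTROUTING rules in the order the reply above recommends (IPsec-bound and LAN-to-remote traffic exempted before the general SNAT rule), plus a check that the installed iptables is at least 1.3.5, since the `-m policy` match needs it. The subnets, public address and the `DRY_RUN`/`IPTABLES` variables are assumptions made here for illustration; the reply uses `-I` to put the exemptions in front of rules already present, which is what `-A` in this order achieves when the chain is built from scratch.

```shell
#!/bin/sh
# Added example: build the SNAT ruleset for a 2.6.16 gateway where
# netfilter sees the cleartext packet before ESP encapsulation.
# Set DRY_RUN=1 to print the commands instead of executing them.
# IPTABLES can point at another binary (assumption for testing).

# version_ge A B: succeed when dotted version A >= B (e.g. 1.3.5 >= 1.3.4).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# parse_iptables_version "iptables v1.3.5": print the bare version number.
parse_iptables_version() {
    printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p'
}

# check_policy_match_support: the -m policy match shipped with iptables 1.3.5,
# so refuse to continue on older userland (the reply's PS).
check_policy_match_support() {
    ipt=${IPTABLES:-iptables}
    ver=$(parse_iptables_version "$("$ipt" -V 2>/dev/null)")
    [ -n "$ver" ] && version_ge "$ver" 1.3.5
}

# run: execute a command, or just print it under DRY_RUN.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# snat_rules LAN REMOTE PUBLIC_IP: rule order matters. If the SNAT rule came
# first, the rewritten source address would no longer match the IPsec
# policy and the packet would leave in the clear instead of via the tunnel.
snat_rules() {
    lan=$1; remote=$2; pub=$3
    ipt=${IPTABLES:-iptables}
    # 1. Anything with an outbound IPsec policy is left untouched.
    run "$ipt" -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
    # 2. Explicit LAN -> remote subnet exemption, as in the reply.
    run "$ipt" -t nat -A POSTROUTING -s "$lan" -d "$remote" -j ACCEPT
    # 3. Everything else from the LAN is source-NATed to the public address.
    run "$ipt" -t nat -A POSTROUTING -s "$lan" -j SNAT --to-source "$pub"
}

# Example invocation with constructed addresses (assumptions, not from the thread):
#   DRY_RUN=1 snat_rules 192.168.1.0/24 10.0.0.0/24 203.0.113.1
```

Run it with `DRY_RUN=1` first to review the three commands, then without it on the gateway; `check_policy_match_support` fails on an iptables older than 1.3.5, which is the case where the policy match is unavailable.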
