[Openswan Users] Openswan, iptables (fiaif) and 2.6.16 kernel

Marco Berizzi pupilla at hotmail.com
Fri Apr 14 17:09:17 CEST 2006


Laurent CARON wrote:

>Marco Berizzi wrote:
>>Laurent CARON wrote:
>>
>>>192.168.0.0/24 is my lan subnet (natted so that lan computers can
>>>access
>>>the internet through the public ip address)
>>>192.168.0.192 is a workstation on my lan
>>>192.168.10.0/24 is the other subnet
>>
>>try this on the 2.6.16 gateway:
>>
>>iptables -t nat -I POSTROUTING -s 192.168.0.0/24
>>-d 192.168.10.0/24 -j ACCEPT
>>
>>OR
>>
>>iptables -t nat -I POSTROUTING -m policy
>>--dir out --pol ipsec -j ACCEPT
>>
>>PS: you must upgrade to iptables 1.3.5
>>
>
>
>Is it a normal behavior that it stops working when upgrading from 2.6.15 to 
>2.6.16?

No, it isn't a normal behaviour.
Patrick McHardy's IPsec patches were integrated in 2.6.16 and now
netfilter properly sees both ESP & clear packets. This is a
drawback of your firewall/snat rules.
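The two rules quoted above only work if they sit in nat POSTROUTING ahead of the general SNAT rule: once a LAN packet's source has been rewritten to the public address it no longer matches the tunnel's subnet-to-subnet policy, so it either leaves in clear text or is dropped. The script below is an added example, not code from the thread or from Openswan; it assumes the public interface is eth0 and that SNAT is done with MASQUERADE (neither is stated above), and it uses the 192.168.0.0/24 and 192.168.10.0/24 subnets from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): order nat POSTROUTING so
# that LAN -> remote-subnet traffic is exempted from SNAT before it is
# matched against the IPsec policy on a 2.6.16 gateway.
# Assumed values (not in the thread): public interface eth0, SNAT via
# MASQUERADE. Set IPT=echo to print the rules instead of applying them.

LAN_NET="192.168.0.0/24"      # local LAN from the thread
REMOTE_NET="192.168.10.0/24"  # subnet behind the other IPsec gateway
WAN_IF="eth0"                 # assumed public interface
IPT="${IPT:-iptables}"        # command used to apply rules

# Emit the nat POSTROUTING rules in the order they must end up in the chain.
# Both exemptions precede MASQUERADE; the thread's "-I" achieves the same
# placement on an already-populated chain, "-A" on an empty one.
nat_rules() {
    # Variant 1 from the thread: match on source/destination addresses.
    echo "-t nat -A POSTROUTING -s $LAN_NET -d $REMOTE_NET -j ACCEPT"
    # Variant 2 from the thread (needs iptables >= 1.3.5): match on the
    # xfrm policy the packet will be encrypted under; covers every tunnel.
    echo "-t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT"
    # The general SNAT rule comes last.
    echo "-t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
}

# Apply the rules with $IPT; returns non-zero if any single rule fails.
apply_nat_rules() {
    nat_rules | while IFS= read -r rule; do
        # word splitting of $rule into iptables arguments is intended
        "$IPT" $rule || exit 1
    done
}

# Sanity check on the emitted order: an ACCEPT exemption must appear before
# the MASQUERADE rule. Exit status 0 means the order is right.
check_order() {
    nat_rules | awk '
        /-j MASQUERADE/ { masq = NR }
        /-j ACCEPT/     { if (!acc) acc = NR }
        END { exit !(acc && masq && acc < masq) }'
}

# Only touch the live ruleset when explicitly asked: ./nat-order.sh apply
if [ "${1:-}" = "apply" ]; then
    check_order && apply_nat_rules
fi
```

After applying, `iptables -t nat -L POSTROUTING -v -n` should show the packet counters on the ACCEPT rule climbing while LAN hosts talk to 192.168.10.0/24; if only the MASQUERADE counter moves, the exemption is either missing or ordered after SNAT.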
