Fwd: Re: [Openswan Users] Cannot ping hosts behind OpenSWAN host

Paul Wouters paul at xelerance.com
Thu Feb 23 18:08:12 CET 2006


On Tue, 21 Feb 2006, Jason Martin wrote:

> Linux Openswan U2.4.5rc4/K2.6.9-22.0.2.EL (netkey)

> I am using Centos 4.2 with the stock 2.6.9 kernel, are there any issues with
> that kernel at this time?

2.6.9 is way too old and buggy when using netkey.

> I do believe that the iptable rules are not configured correctly for this
> setup, and I have not been able to find any reference as to how they should
> be set up for forwarding packets from openswan to the internal network on a
> 2.6 kernel without an ipsec0 interface, and unfortunately I do not have
> enough experience with iptables to set proper rules up. So any help with that
> would be greatly appreciated.

The easiest way is to exclude NAT/MASQ for the ranges that are covered by IPsec
tunnels. Another way to distinguish is using the iptables MARK feature. This
has been discussed various times and should appear in the archive.

(or alternatively you can read it in the openswan book, see footer)

But I recommend a kernel that is 2.6.11 or higher.

Paul
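The "exclude the tunnel ranges from NAT" approach Paul describes, written out as an added example (not part of the list post or of Openswan itself). It assumes a netkey gateway with a local subnet of 192.168.1.0/24, a remote subnet of 10.0.0.0/24 behind the far end of the tunnel, and eth0 as the masqueraded uplink; all three are placeholders. The ordering is the whole point: the ACCEPT for the tunnel pair must sit in nat POSTROUTING before the catch-all MASQUERADE, otherwise the packet's source address is rewritten to the public IP before the IPsec policy is consulted and it never enters the tunnel. The second function checks that ordering in an iptables-save dump, so the two constructed dumps below stand in for a live system. The MARK alternative from the post is not shown.

```shell
#!/bin/sh
# Added example, not Openswan's code. Subnets and interface are assumed placeholders.
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # subnet behind this gateway (assumed)
REMOTE_NET="${REMOTE_NET:-10.0.0.0/24}"  # subnet behind the far end of the tunnel (assumed)
WAN_IF="${WAN_IF:-eth0}"                 # uplink that carries the MASQUERADE (assumed)

# Emit the rules in the order they must be applied. The first rule ACCEPTs the
# tunnel pair in nat POSTROUTING, which ends nat processing for that packet, so
# it keeps its private source address and matches the kernel IPsec policy.
# Everything else still hits the MASQUERADE. The FORWARD rules matter only if
# the FORWARD policy is DROP; on netkey the decrypted packets arrive on the
# same interface with the remote subnet as source, so both directions are needed.
ipsec_nat_rules() {
    lan="$1"; remote="$2"; wan="$3"
    printf '%s\n' \
        "iptables -t nat -A POSTROUTING -s $lan -d $remote -j ACCEPT" \
        "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE" \
        "iptables -A FORWARD -s $lan -d $remote -j ACCEPT" \
        "iptables -A FORWARD -s $remote -d $lan -j ACCEPT"
}

# Read an iptables-save dump on stdin and return 0 only if, inside the nat
# table, a POSTROUTING ACCEPT for the remote subnet appears before the first
# MASQUERADE/SNAT rule (iptables-save lists rules in chain order).
check_nat_exclusion() {
    remote="$1"
    awk -v remote="$remote" '
        /^\*/          { table = substr($0, 2) }   # "*nat", "*filter", ...
        table != "nat" { next }
        /^-A POSTROUTING/ && /-j (MASQUERADE|SNAT)/ { if (!excluded) bad = 1 }
        /^-A POSTROUTING/ && /-j ACCEPT/ && index($0, "-d " remote) { excluded = 1 }
        END { exit (excluded && !bad) ? 0 : 1 }
    '
}

# Constructed iptables-save dumps, not captured from a real host.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT'

# Exclusion present but after the MASQUERADE: packets are rewritten first.
WRONG_ORDER_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j ACCEPT
COMMIT'

# No exclusion at all: the symptom from the original question.
BAD_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Stand-alone run: print the rule set, then verify each sample dump.
ipsec_nat_rules "$LAN_NET" "$REMOTE_NET" "$WAN_IF"
for name in GOOD_DUMP WRONG_ORDER_DUMP BAD_DUMP; do
    eval "dump=\$$name"
    if printf '%s\n' "$dump" | check_nat_exclusion "$REMOTE_NET"; then
        echo "$name: tunnel range excluded from NAT before MASQUERADE"
    else
        echo "$name: tunnel traffic would be masqueraded"
    fi
done
```

To apply the generated rules on a real gateway, pipe the output of ipsec_nat_rules into sh as root; to audit an existing box, feed it `iptables-save | check_nat_exclusion 10.0.0.0/24` with your own remote subnet.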

