[Openswan Users]

Greg Scott GregScott at InfraSupportEtc.com
Sun Jul 23 09:43:54 CEST 2006


> If you were getting the IPsec SA established, your kernel is probably
> OK.
> There were some significant changes in the netfilter-ipsec interaction
> since 2.6.16. SNAT is rumoured to work properly now, for instance.

Thank you thank you thank you thank you thank you!!!!!

You guys were right - my kernel was OK.  Yup, 2.6.17 does behave
differently than the earlier kernels.  After sleeping a few hours and
re-reading your posts, I booted back into 2.6.17.2 on both firewalls,
dropped all rules and turned on ip_forward.  My pings are pinging now.
I tell ya, it's a thing of beauty!  Just as you said, I was expecting
the firewalls to encrypt SNATed packets.  Duh!

I can cobble together a working ruleset now thanks to your guidance.  I
think the netfilter guys had a way to mark incoming esp packets so they
could be tested later on after reinjection.  I will look into that and if
I get something working I'll post it here.

Here is how tcpdump output should look!  From the Roseville firewall,
with Roseville pinging Lakeville - eth1 inside, eth0 outside:

[root at roseville-fw gregs]# 
[root at roseville-fw gregs]# 
[root at roseville-fw gregs]# /usr/sbin/tcpdump -i eth1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
08:32:42.370142 IP 10.15.1.111 > 10.13.1.111: ICMP echo request, id 512, seq 4881, length 40
08:32:42.371949 IP 10.13.1.111 > 10.15.1.111: ICMP echo reply, id 512, seq 4881, length 40
08:32:43.369982 IP 10.15.1.111 > 10.13.1.111: ICMP echo request, id 512, seq 5137, length 40
08:32:43.370915 IP 10.13.1.111 > 10.15.1.111: ICMP echo reply, id 512, seq 5137, length 40
08:32:44.370021 IP 10.15.1.111 > 10.13.1.111: ICMP echo request, id 512, seq 5393, length 40
08:32:44.371995 IP 10.13.1.111 > 10.15.1.111: ICMP echo reply, id 512, seq 5393, length 40
08:32:45.370057 IP 10.15.1.111 > 10.13.1.111: ICMP echo request, id 512, seq 5649, length 40
08:32:45.370976 IP 10.13.1.111 > 10.15.1.111: ICMP echo reply, id 512, seq 5649, length 40
08:32:46.370095 IP 10.15.1.111 > 10.13.1.111: ICMP echo request, id 512, seq 5905, length 40
08:32:46.370946 IP 10.13.1.111 > 10.15.1.111: ICMP echo reply, id 512, seq 5905, length 40

10 packets captured
20 packets received by filter
0 packets dropped by kernel
[root at roseville-fw gregs]# 
[root at roseville-fw gregs]# /usr/sbin/tcpdump -i eth0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:32:52.370513 IP 71.216.115.33 > 209.130.212.154: ESP(spi=0xca12f1f8,seq=0x382), length 100
08:32:52.372242 IP 209.130.212.154 > 71.216.115.33: ESP(spi=0x7af42d2e,seq=0x382), length 100
08:32:52.372242 IP 10.13.1.111 > 10.15.1.111: ICMP echo reply, id 512, seq 7441, length 40
08:32:53.370515 IP 71.216.115.33 > 209.130.212.154: ESP(spi=0xca12f1f8,seq=0x383), length 100
08:32:53.371202 IP 209.130.212.154 > 71.216.115.33: ESP(spi=0x7af42d2e,seq=0x383), length 100
08:32:53.371202 IP 10.13.1.111 > 10.15.1.111: ICMP echo reply, id 512, seq 7697, length 40
08:32:54.370556 IP 71.216.115.33 > 209.130.212.154: ESP(spi=0xca12f1f8,seq=0x384), length 100
08:32:54.372311 IP 209.130.212.154 > 71.216.115.33: ESP(spi=0x7af42d2e,seq=0x384), length 100
08:32:54.372311 IP 10.13.1.111 > 10.15.1.111: ICMP echo reply, id 512, seq 7953, length 40

9 packets captured
18 packets received by filter
0 packets dropped by kernel
[root at roseville-fw gregs]# 


- Greg
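The capture above shows the behaviour Greg is describing: on eth0 each inbound ESP packet is followed, at the same timestamp, by the decrypted ICMP reply, because the 2.6 native IPsec stack re-injects the inner packet on the interface it arrived on. That is why the old trick of marking ESP packets and testing the mark after reinjection came up. The script below is an added example, not Greg's ruleset and not part of Openswan; it uses the netfilter "policy" match (ipt_policy, present in 2.6.16 and later kernels) instead of marks, exempts tunnel traffic from SNAT before the masquerade rule so the rewritten source does not stop the packet from matching its IPsec policy, and drops cleartext that claims to come from the remote LAN without having arrived through the tunnel. Interface names and addresses are taken from the capture; the /24 masks, the peer address used for the IKE/ESP rules, and the `ipsec_rules` function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the Openswan project):
# netfilter rules for a 2.6.16+ kernel with native IPsec, using the policy
# match so decrypted packets re-injected on the outside interface can be
# told apart from cleartext. Addresses come from Greg's capture; the /24
# masks and the peer address are assumptions.
OUT_IF="${OUT_IF:-eth0}"                   # outside interface
IN_IF="${IN_IF:-eth1}"                     # inside interface
LOCAL_NET="${LOCAL_NET:-10.15.1.0/24}"     # Roseville LAN (mask assumed)
REMOTE_NET="${REMOTE_NET:-10.13.1.0/24}"   # Lakeville LAN (mask assumed)
PEER="${PEER:-209.130.212.154}"            # Lakeville outside address

# Emit the iptables commands for the given interfaces and networks.
# Nothing is executed here, so the output can be reviewed before use.
ipsec_rules() {
    out_if=$1; in_if=$2; local_net=$3; remote_net=$4; peer=$5
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# IKE (500, 4500 for NAT-T) and ESP are accepted from the peer only
iptables -A INPUT -i $out_if -s $peer -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $out_if -s $peer -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $out_if -s $peer -p esp -j ACCEPT
# After decryption the inner packet re-enters on $out_if carrying an "in"
# IPsec policy; matching on that replaces the mark-the-ESP-packet trick.
iptables -A FORWARD -i $out_if -o $in_if -s $remote_net -d $local_net -m policy --dir in --pol ipsec -j ACCEPT
# Anything from the remote LAN that did not arrive inside the tunnel is spoofed
iptables -A FORWARD -i $out_if -s $remote_net -j DROP
# Traffic to the remote LAN is forwarded only if it will be encrypted
iptables -A FORWARD -i $in_if -o $out_if -s $local_net -d $remote_net -m policy --dir out --pol ipsec -j ACCEPT
# Exempt to-be-encrypted packets from SNAT before the masquerade rule: once
# the source is rewritten the packet must match a policy for the new source
# or it is sent unencrypted.
iptables -t nat -A POSTROUTING -o $out_if -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -o $out_if -s $local_net -j MASQUERADE
EOF
}

# "./ipsec-rules.sh" prints the rules; "./ipsec-rules.sh apply" runs them.
case "${1:-print}" in
    apply) ipsec_rules "$OUT_IF" "$IN_IF" "$LOCAL_NET" "$REMOTE_NET" "$PEER" | sh -e ;;
    *)     ipsec_rules "$OUT_IF" "$IN_IF" "$LOCAL_NET" "$REMOTE_NET" "$PEER" ;;
esac
```

With these rules, `tcpdump -i eth0 -n` on the Roseville firewall should show ESP in both directions plus the decrypted inbound packets, exactly as in Greg's capture; a cleartext packet from 10.15.1.0/24 to 10.13.1.0/24 appearing on eth0 would mean the SNAT exemption is missing or ordered after the MASQUERADE rule.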

