[Openswan Users] Forward decrypted traffic with NETKEY

Ales Klok orrie at seznam.cz
Mon Jun 11 11:16:15 EDT 2007


davor krabse wrote:
> I used the following commands:
>
> iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1
> iptables -t nat -A PREROUTING -m mark --mark 1 -p udp --dport 1701 -j DNAT --to 192.168.147.11
>
> but with:
>
> iptables -L -vn -t nat
> iptables -L -vn -t mangle
>
> the number of packets and bytes is 0, although the IPsec between client and 
> Linux VPN server is established.
>
> Davor
>   

That's odd. If the first rule is not hit at all, it means no ESP packet 
enters iptables. Either it is discarded prior to iptables (unlikely) or 
no ESP packet reaches that interface. Check ESP traffic with "tcpdump -i 
<ext_iface> -v ip proto 50" to see if there is any.
/ak
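The checks from this reply (rule counters first, then ESP on the wire, then the NETKEY SA table), as an added example in shell that is not part of the original thread. It assumes the NETKEY (xfrm) stack, iptables and iproute2 on the host, that the mark rule can be recognised by its listed target text `MARK set 0x1`, and an external interface name passed as an argument; the iptables listing embedded in it is constructed, not captured from the poster's host.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes NETKEY, iptables, iproute2.
# Counters are read with `iptables -L -vnx` so that they are exact numbers
# rather than the abbreviated "12K" form.

# Constructed sample of `iptables -t mangle -L PREROUTING -vnx` on a host
# where the ESP MARK rule is loaded but has never matched (the symptom above).
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 4821 packets, 612401 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 MARK       esp  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1'

# Print the packet counter of the first rule line (read from stdin) whose
# text contains $1, or "none" when no such rule is listed.
rule_pkts() {
    pattern="$1"
    while IFS= read -r line; do
        case "$line" in
            *"$pattern"*)
                set -- $line
                case "$1" in
                    *[!0-9]*|'') ;;          # header or chain line, not a rule
                    *) echo "$1"; return 0 ;;
                esac ;;
        esac
    done
    echo none
}

# Turn the counter value into the next diagnostic step.
next_step() {
    case "$1" in
        none) echo "rule missing: the MARK rule is not loaded in mangle PREROUTING" ;;
        0)    echo "no ESP reached iptables: sniff the external interface for proto 50" ;;
        *)    echo "ESP is being marked: look at the nat PREROUTING DNAT counters next" ;;
    esac
}

# Live checks (need root; not exercised by the stand-alone run). $1 = external
# interface. With NETKEY there is no ipsec0 device: ESP arrives on the external
# interface and the decrypted packet re-enters PREROUTING on that same interface.
live_diagnose() {
    iface="$1"
    pkts=$(iptables -t mangle -L PREROUTING -vnx | rule_pkts 'MARK set 0x1')
    next_step "$pkts"
    if [ "$pkts" = 0 ]; then
        ip xfrm state                       # any SAs installed at all?
        tcpdump -i "$iface" -c 5 -v ip proto 50   # any ESP on the wire?
    fi
}

# Stand-alone run on the constructed sample (no root needed).
next_step "$(printf '%s\n' "$SAMPLE_MANGLE" | rule_pkts 'MARK set 0x1')"
```

Run `live_diagnose eth0` (or whatever the external interface is called) as root to perform the real checks; a non-zero MARK counter with a zero DNAT counter points at the nat rule rather than at IPsec.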

