[Openswan Users] FC6 iptables problem

Paul Wouters paul at xelerance.com
Fri Mar 23 00:12:52 EDT 2007

On Thu, 22 Mar 2007, Xunhua Wang wrote:

> > You must allow all decrypted packets, which means using the MARK facility
> > to mark the encrypted packets, and then using the mark to ACCEPT them
> > after decryption. This is due to netkey not having seperate interfaces.
> What commands should I use? With the following command to mark ESP packets?
> iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50

> How to accept them after decryption?

iptables -A INPUT -m mark --mark 50 -j ACCEPT

> One weird thing is that I do _not_ have to do this on our RedHat Enterprise
> Linux 4 box ("Linux Openswan U2.4.5/K2.6.9-5.ELsmp (netkey)"), which has
> iptables v1.2.11. What makes FC6 different? (The FC6 box has iptables
> v1.3.5)

The amount of changes to the XFRM and the NAT subsystem between 2.6.9 and
2.6.20 are huge. Patrick McHardy's code changed a lot.

> > did you run ipsec verify ?
> Yes. The output is as follows, which looks normal.


Building and integrating Virtual Private Networks with Openswan:

More information about the Users mailing list