[Openswan Users] FC6 iptables problem
paul at xelerance.com
Fri Mar 23 00:12:52 EDT 2007
On Thu, 22 Mar 2007, Xunhua Wang wrote:
> > You must allow all decrypted packets, which means using the MARK facility
> > to mark the encrypted packets, and then using the mark to ACCEPT them
> > after decryption. This is due to netkey not having separate interfaces.
> What commands should I use? Should I use the following command to mark ESP packets?
> iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
> How to accept them after decryption?
iptables -A INPUT -m mark --mark 50 -j ACCEPT
> One weird thing is that I do _not_ have to do this on our RedHat Enterprise
> Linux 4 box ("Linux Openswan U2.4.5/K2.6.9-5.ELsmp (netkey)"), which has
> iptables v1.2.11. What makes FC6 different? (The FC6 box has iptables
The amount of changes to the XFRM and the NAT subsystem between 2.6.9 and
2.6.20 is huge. Patrick McHardy's code changed a lot.
> > did you run ipsec verify ?
> Yes. The output is as follows, which looks normal.
Building and integrating Virtual Private Networks with Openswan:
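The mark-and-accept pattern from the exchange above, written out as a complete rule set. This is an added example, not code from the original thread or from the Openswan project: the mark value 50 is taken from the thread, the rules for IKE (UDP 500) and NAT-T (UDP 4500) and the FORWARD rule are assumptions about a typical gateway, and the rule set is emitted as text by a function so it can be reviewed (or tested) before being applied with root privileges. The second function shows the cleaner alternative where iptables has the `policy` match: it accepts only packets that actually arrived through an inbound IPsec policy, so no mark is needed.

```shell
#!/bin/sh
# Added example for the netkey (XFRM) stack: encrypted ESP packets are marked
# in mangle/PREROUTING, the mark survives decapsulation, and the decrypted
# packets are accepted by that mark when they re-enter INPUT or FORWARD.
# Mark 50 comes from the thread; everything else here is an assumption.

IPT="${IPT:-iptables}"   # assumed binary name; override for ip6tables etc.

# Emit the mark-based rule set, one iptables invocation per line.
# $1 is the fwmark value to use (e.g. 50).
ipsec_mark_rules() {
    mark="$1"
    cat <<EOF
$IPT -t mangle -A PREROUTING -p esp -j MARK --set-mark $mark
$IPT -t mangle -A PREROUTING -p udp --dport 4500 -j MARK --set-mark $mark
$IPT -A INPUT -p esp -j ACCEPT
$IPT -A INPUT -p udp --dport 500 -j ACCEPT
$IPT -A INPUT -p udp --dport 4500 -j ACCEPT
$IPT -A INPUT -m mark --mark $mark -j ACCEPT
$IPT -A FORWARD -m mark --mark $mark -j ACCEPT
EOF
}

# Alternative for iptables builds with the xt_policy match (assumed present):
# accept only traffic that was decapsulated from an inbound IPsec SA, without
# relying on a mark that any other mangle rule could also set.
ipsec_policy_rules() {
    cat <<EOF
$IPT -A INPUT -p esp -j ACCEPT
$IPT -A INPUT -p udp --dport 500 -j ACCEPT
$IPT -A INPUT -p udp --dport 4500 -j ACCEPT
$IPT -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
$IPT -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
EOF
}

# Apply a rule set produced by one of the functions above (needs root).
ipsec_apply() {
    while IFS= read -r rule; do
        [ -n "$rule" ] && eval "$rule"
    done
}

# Usage (as root):  ipsec_mark_rules 50 | ipsec_apply
# Review first:     ipsec_mark_rules 50
```

With the mark variant, put the MARK rules in mangle/PREROUTING rather than mangle/INPUT when the box also forwards tunnelled traffic for a subnet behind it, since only PREROUTING is traversed by packets that will end up in FORWARD after decryption. The mark also has to be a value no other mangle rule on the host sets, otherwise unrelated traffic is accepted as if it had come out of a tunnel; the `policy` match avoids that trust problem entirely.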