[Openswan Users] Iptables problem (netkey)

Jean-Michel Caricand jean-michel.caricand at lifc.univ-fcomte.fr
Wed Jan 9 10:34:12 EST 2008

Le mercredi 9 janvier 2008 15:51, Nicole Hähnel a écrit :
> Hi,
> today we switched from klips to netkey on SLES10 SP1
>, openswan 2.4.11,
> because server crashes with ipsec module running.
> Until now we added iptables rules on interface ipsec0 to accept traffic
> between networks.
> Without an ipsec interface it's a little bit difficult to add rules.
> We tried:
> iptables -A FORWARD -s net1 -d net2 -m state --state NEW
> iptables -A FORWARD -s net2 -d net1 -m state --state NEW
> but it won't work.
> I only see:
> kernel: -- DENY IN=dsl0 OUT= MAC=xxxx SRC=xxx DST=xxx LEN=72 TOS=0x00
> PREC=0x00 TTL=57 ID=55683 PROTO=4
> Do I have to add a rule to allow PROTO 4?
> Thanks!
> Nicole
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


You can mark only ESP (proto 50) packets and after you can use rules on them.


iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1000
iptables -I INPUT -i eth0 -m mark --mark 1000 -p tcp --dport 22 -j ACCEPT


Jean-Michel Caricand
E-mail: jean-michel.caricand at lifc.univ-fcomte.fr

Equipe systèmes
Laboratoire d'Informatique de l'Université de Franche-Comté
16, route de Gray - 25030 BESANÇON CEDEX

More information about the Users mailing list