[Openswan Users] Local esp packets are dropped on ipsec device when marking packets in OUTPUT chain
Paul Wouters
paul at xelerance.com
Thu Apr 22 10:42:05 EDT 2010
On Thu, 22 Apr 2010, Wolfgang Nothdurft wrote:
> Since I use policy based routing with fwmark and ip rules, I have a
> problem with dropped esp packets on the ipsec device.
>
> When marking packets in the output chain like
>
> iptables -t mangle -A OUTPUT -j MARK --or-mark 0x1
>
> the esp packets are rerouted due to the mark change and appear on the
> ipsec device, where they are dropped with the following error:
>
> klips_debug:ipsec_xmit_encap_bundle: shunt SA of DROP or no eroute:
> dropping.
>
> I'm wondering if nobody else has this problem or if no one has a similar
> setup.
>
> I have reported the bug including a patch at
> https://gsoc.xelerance.com/issues/1095
I looked at the patch, but it seemed wrong to blindly pass all ESP/AH
packets. I'll take a closer look at the issue.
Paul
> Wolfgang