ipsec on 2.6.16+ question
Gary W. Smith
gary at primeexalia.com
Mon Dec 18 10:39:22 CET 2006
What you have included below makes sense. I will take a look at getting
1.3.5 in place. Not sure how long that will take me though. The
workaround in place is working for me (but I have some 30 entries in there
-- wide wan net of IPSEC firewalls).
I did read something about using the policy modules BUT I couldn't find
any reference to what version it was in. Now I know :)
Gary Wayne Smith
> >Current working:
> >-A POSTROUTING -s 10.0.16.0/255.255.248.0 -d 10.0.32.0/255.255.255.0 -o eth1 -j ACCEPT
> >-A POSTROUTING -o eth1 -j MASQUERADE
> I haven't understood your message.
> Since 2.6.16 outgoing ipsec packets are seen twice:
> clear & encrypted on the outgoing interface (which if
> I correctly understand is eth1 for you).
> You must upgrade to iptables >=1.3.5 and take a look
> for the new 'policy' match.
> Something like this should do the trick (linux will
> not snat packets which will be sent through the (any)
> ipsec tunnel(s)):
> $IPTABLES -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j
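The point of the quoted advice is rule ordering in the nat POSTROUTING chain: with kernels from 2.6.16 on, the clear-text packet hits POSTROUTING before it is encrypted, so a plain `-o eth1 -j MASQUERADE` rewrites its source before the IPsec selectors see it, unless an earlier rule accepts it. The per-tunnel ACCEPT list works but must be maintained for every remote net; the `-m policy --dir out --pol ipsec` match covers every tunnel the SPD knows about. The following small model of that chain is an added example, not code from the thread or from the netfilter project. It assumes the target cut off at the end of the quoted rule is ACCEPT (that is what exempting the packet from SNAT requires), writes the thread's `10.0.16.0/255.255.248.0` as `10.0.16.0/21`, and uses constructed addresses for the test packets; it models only verdicts, not the actual address rewriting that MASQUERADE performs.

```python
"""Model of the nat POSTROUTING chain from the thread (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str
    # True when the kernel's xfrm policy lookup says this packet will be sent
    # through an IPsec SA; this is what '-m policy --dir out --pol ipsec' tests.
    # It is True on the clear-text pass and False on the later ESP pass.
    ipsec_out: bool = False


# (iptables text the rule corresponds to, match function, target)
Rule = Tuple[str, Callable[[Packet], bool], str]


def src_dst_out(src_net: str, dst_net: str, iface: str) -> Rule:
    """The per-tunnel workaround rule: -s LAN -d REMOTE -o eth1 -j ACCEPT."""
    s, d = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)

    def match(p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in s
                and ipaddress.ip_address(p.dst) in d
                and p.out_iface == iface)

    return (f"-A POSTROUTING -s {src_net} -d {dst_net} -o {iface} -j ACCEPT", match, "ACCEPT")


def masquerade(iface: str) -> Rule:
    return (f"-A POSTROUTING -o {iface} -j MASQUERADE",
            lambda p: p.out_iface == iface, "MASQUERADE")


def policy_ipsec_out() -> Rule:
    """The iptables >= 1.3.5 rule; target ACCEPT is an assumption (cut off in the thread)."""
    return ("-I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT",
            lambda p: p.ipsec_out, "ACCEPT")


def run_chain(rules: List[Rule], p: Packet) -> str:
    """First matching terminating rule wins; no match falls through to the chain policy (ACCEPT)."""
    for _, match, target in rules:
        if match(p):
            return target
    return "ACCEPT"


LAN = "10.0.16.0/21"            # 10.0.16.0/255.255.248.0 in the thread
TUNNELED = ["10.0.32.0/24"]     # the one remote net the thread shows; Gary has ~30


def workaround_chain(remote_nets: List[str]) -> List[Rule]:
    """One ACCEPT per remote net, then the catch-all MASQUERADE (the 'current working' setup)."""
    return [src_dst_out(LAN, n, "eth1") for n in remote_nets] + [masquerade("eth1")]


def policy_chain() -> List[Rule]:
    """'-I' puts the policy match in front of the existing MASQUERADE rule."""
    return [policy_ipsec_out(), masquerade("eth1")]


# Constructed test traffic (addresses are not from the thread).
TRAFFIC: Dict[str, Packet] = {
    # clear-text pass for a destination that is in the ACCEPT list and in the SPD
    "clear_to_known_tunnel": Packet("10.0.17.5", "10.0.32.9", "eth1", ipsec_out=True),
    # clear-text pass for a tunnel added to the SPD but never added to the iptables list
    "clear_to_new_tunnel": Packet("10.0.17.5", "10.0.48.9", "eth1", ipsec_out=True),
    # second pass of the same flow, already ESP-encapsulated, sourced from the gateway itself
    "esp_pass": Packet("203.0.113.1", "198.51.100.1", "eth1", ipsec_out=False),
    # ordinary Internet-bound traffic that should still be masqueraded
    "plain_internet": Packet("10.0.17.5", "192.0.2.80", "eth1", ipsec_out=False),
}


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    return {name: run_chain(chain, p) for name, p in TRAFFIC.items()}


if __name__ == "__main__":
    for label, chain in (("workaround", workaround_chain(TUNNELED)), ("policy match", policy_chain())):
        print(label)
        for text, _, _ in chain:
            print("   ", text)
        for name, verdict in verdicts(chain).items():
            print(f"    {name:24s} -> {verdict}")
```

Running it shows the difference that matters operationally: the workaround chain MASQUERADEs `clear_to_new_tunnel` because nobody added a 31st ACCEPT rule, so that packet reaches the xfrm layer with a rewritten source and no longer matches the tunnel's selectors, while the policy chain accepts it on the strength of the SPD alone. Both chains still masquerade ordinary Internet traffic, and both match the ESP pass with the MASQUERADE rule, which is harmless there because that packet is already sourced from the gateway's own address.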