26sec+forwarding, bug or PEBKAC?

Allain Yoann Yoann.Allain at thomson.net
Wed Apr 6 14:36:10 CEST 2005

> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org [mailto:netfilter-
> bounces at lists.netfilter.org] On Behalf Of Allain Yoann
> Sent: mercredi 6 avril 2005 10:54
> To: netfilter at lists.netfilter.org
> Subject: Re: 26sec+forwarding, bug or PEBKAC?
> On Tue, 31 Mar 2005 22:16:40, rsnel at cube.dyndns.org wrote:
> >Hello list,
> >
> >I hope this is the right list, as my problem appears to be about both
> >iptables and (native (as in: managed with setkey)) IPSec.
> >
> >Short version:
> >
> >packets from ipsec tunnel seem to get lost before they enter the
> >FORWARD chain with kernel 2.6.11. There is no problem with 2.6.8-2-k6
> >(Debian kernel with 26sec) and there is no problem with ipsec turned
> >off.
> >


> >This happens with linux-2.6.11 (vanilla). The ping works if IPSec is
> >turned off (i.e. setkey -F -P on cube and toppie). And it also works
> >in 2.4.27-2-k6 (a Debian kernel (which has 26sec patched in)).
> >
> >So, is it a bug, feature, or just misconfiguration? Can you
> >I would appreciate any insight on this problem.
> >
> >Thanks.
> >
> >Greetings,
> >
> >Rik.
> Hello Rik,
> I got the same problem, with the same kernel version. So I'm asking
> if you resolved it and if someone on the kernel side has been made aware
> of the problem.
> I've tried to debug it with a UML version but didn't succeed.
> Greetz
> Yoann

Hi again,

I solved the problem:
Since the kernel 2.6.10, we must set a "fwd" policy in the same way we
did for the "in" policy on each host-end of the tunnel.

I just found one reference on the web:
http://www.ipsec-howto.org/x277.html (one line in the middle)

I hope other newbies like me won't lose too much time on it...
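The SPD the post describes, written out as an added example (not from the original message or from ipsec-tools): a POSIX shell function that emits the setkey entries for one ESP tunnel between two gateways, with the "fwd" entry that 2.6.10+ checks for decapsulated packets that are routed onward. All subnets and gateway addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post. Addresses are constructed placeholders.

# Emit SPD entries for one gateway of an ESP tunnel.
#   $1 local subnet   $2 remote subnet   $3 local gateway   $4 remote gateway
#   $5 "with_fwd" to include the fwd policy required since kernel 2.6.10
spd_config() {
    local_net=$1; remote_net=$2; local_gw=$3; remote_gw=$4; mode=$5
    printf 'spdflush;\n'
    # Packets we send toward the remote subnet must leave through the tunnel.
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$local_net" "$remote_net" "$local_gw" "$remote_gw"
    # Decapsulated packets delivered to this host must have used the tunnel.
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$remote_net" "$local_net" "$remote_gw" "$local_gw"
    if [ "$mode" = "with_fwd" ]; then
        # Decapsulated packets that are routed onward are matched against the
        # fwd SPD since 2.6.10; without this entry the kernel drops them before
        # they ever reach the FORWARD chain (the symptom described in the thread).
        printf 'spdadd %s %s any -P fwd ipsec esp/tunnel/%s-%s/require;\n' \
            "$remote_net" "$local_net" "$remote_gw" "$local_gw"
    fi
}

# Count fwd entries on stdin; a sanity check before loading the SPD.
count_fwd() {
    grep -c -- '-P fwd ' || true
}

# Load the SPD with setkey when present (needs root); otherwise just show it.
apply_spd() {
    if command -v setkey >/dev/null 2>&1; then
        spd_config "$@" | setkey -c
    else
        echo "setkey not found; generated SPD follows:" >&2
        spd_config "$@" >&2
    fi
}
```

Before adding the fwd entry by hand, dump the current SPD with `setkey -DP`: newer ipsec-tools releases may already mirror an "in" policy into a "fwd" policy, in which case a second spdadd is rejected as a duplicate.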

