On Tue, 2004-01-27 at 18:21, Ville Nuorvala wrote:
> On Tue, 27 Jan 2004, Andreas Jellinghaus wrote:
>
> > my plan is to not have a default route on the underlying interface -
> > it is a wireless lan segment, not routed, all I do is ping, ssh and
> > build up an ipsec tunnel (ike, and ip6ip6 packets).
>
> So you want to run transport mode ipsec over the ip6ip6 tunnel interface,
> am I right? Can't you just run tunnel mode ipsec on your wlan without the
> tunnel interface, or do you need it to bind to etc?

if I run tunnel mode, then the decrypted and the encrypted version of
the package have both "wlan0" as incoming interface on the gateway,
making it impossible for iptables to differentiate.

the fix is either to use fwmark on the encrypted package and later
decide by mark, or to use an ip6ip6 interface, so I can filter by
incoming interface wlan0 vs. "ip6sec0" (or "ip6ip6" or whatever I call it).
I haven't tried fwmark so far.

> > started racoon on the client. it was a weird testing cycle, so I guess
> > I can't reproduce it. But my normal setup gives me about 20-50 Call
> > Traces during the boot sequence. Once someone has found those issues
> > and fixed them, I will run bigger tests again. Right now with still so
> > many xfrm related problems testing is a bit pointless.
>
> Ok, let me know if you manage to get a better crash dump.

ok,

Andreas