Hi all,

I'm running IPSec tunnel mode between host 'A' running 2.6.12.5 and host 'B' running 2.6.11.10. 'A' is behind a NAT. I have one problem, but the stuff that's working correctly is the following:

1. racoon sets up the IPSec SA on demand. IKE messages are all NAT-T encapsulated, and I used tcpdump on both ends to verify that KeepAlive messages go out and are NAT-T encapsulated.
2. ESP encrypt/decrypt seems to be fine. From 'A' I ping 'B' and I see the encrypted Echo response come back to 'A'. It gets decrypted, and tcpdump shows that the plaintext pkt is re-injected back into the stack.

PROBLEM: The plaintext echo response does not make it to the ICMP layer or to the ping program.

DIAGNOSIS:
0. /proc/sys/net/ipv4/ip_forward is 1 on both hosts.
1. I did 'iptables --flush'; 'iptables --list' shows no rules.
2. setkey.conf has a 'require' rule for in and out. No 'fwd' rule. racoon.conf has 'generate_policy on'.

QUESTION:
1. If I have no netfilter rules, this can't be a firewall issue, right? I saw some mail about marking the ESP pkt in the mangle table, but none of that should apply since I have disabled my firewall, right?
2. The stack accepts and decrypts the ESP pkt, but the 'require' rule should force it to throw away all cleartext pkts, correct? If this is true, how can IPSec ever work? What am I missing???

Thanks
-gopal
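The inbound policy check that the second question is about, as an added example (a simplified model written for this page, not code from the post, racoon or the kernel; the addresses, selectors and the sec_path representation are constructed): a packet that was decapsulated from ESP keeps a record of the SA it came through, so a 'require' policy accepts it, while the same packet arriving in cleartext is dropped.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    src: str          # traffic selector, e.g. "10.0.2.0/24"
    dst: str
    direction: str    # "in", "out" or "fwd"
    level: str        # "require" or "use"
    template: tuple   # IPsec processing demanded: (proto, mode, tunnel_src, tunnel_dst)

@dataclass
class Packet:
    src: str
    dst: str
    direction: str
    # SAs the stack decapsulated this packet from (empty for a cleartext packet)
    sec_path: list = field(default_factory=list)

def selector_matches(pol: Policy, pkt: Packet) -> bool:
    return (pol.direction == pkt.direction
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(pol.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(pol.dst))

def spd_check(spd: list, pkt: Packet) -> tuple:
    """Simplified model of the inbound SPD check: first matching policy decides."""
    for pol in spd:
        if not selector_matches(pol, pkt):
            continue
        if pol.template in pkt.sec_path:
            return ("accept", "protected by the SA the policy requires")
        if pol.level == "require":
            return ("drop", "'require' policy but the packet was not IPsec-protected")
        return ("accept", "level 'use' tolerates cleartext")
    return ("accept", "no policy matches")

# Constructed setup: host A (10.0.1.5, tunnel endpoint 192.0.2.10) and host B
# (10.0.2.1, tunnel endpoint 198.51.100.1) with 'require' policies in and out.
TUN_A, TUN_B = "192.0.2.10", "198.51.100.1"
SPD = [
    Policy("10.0.1.0/24", "10.0.2.0/24", "out", "require", ("esp", "tunnel", TUN_A, TUN_B)),
    Policy("10.0.2.0/24", "10.0.1.0/24", "in", "require", ("esp", "tunnel", TUN_B, TUN_A)),
]

def echo_reply_verdicts() -> dict:
    # After ESP decapsulation the reply still records the SA it arrived through;
    # the same addresses arriving in cleartext are what 'require' is meant to reject.
    via_sa = Packet("10.0.2.1", "10.0.1.5", "in", [("esp", "tunnel", TUN_B, TUN_A)])
    cleartext = Packet("10.0.2.1", "10.0.1.5", "in")
    return {"decrypted": spd_check(SPD, via_sa)[0], "cleartext": spd_check(SPD, cleartext)[0]}
```

Because the decrypted reply passes this check, a 'require' in policy by itself does not explain a reply that is decrypted but never reaches ICMP.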