Hi This is a known problem with netfilter and 2.6 and ipsec with the native stack, there are fixs in pom-ng (Patch o matic), but this means building your own kernel as it patches the kernel and the netfilter modules. Not to bad though, been doing this for a while and haven't had any majour problems Alex On Fri, Sep 03, 2004 at 07:01:41PM +0200, Alain RICHARD wrote: > Hi, > > we are using iptables and ipsec since several years now (starting with > freeswan 1.0) without too much problems. We have now upgraded to the > 2.6 kernel (under Fedora 2) and Openswan 2.x. > > Our setup works perfectly, with several dozens of tunnels up and > running. We have avoided the lake of ipsec0 interface by marking > packets (in fact this is great solution that enable us to separate > completely the firewall settings from the vpn tunnels). > > The problem I am encountering now is that it seems that DNAT is not > working when the d-natted session is from a tunneled site. My settup is > : > > > 192.168.1.0/24 local intranet > 192.168.2.0/24 distant intranet > > the ipsec tunnel is setup from distant to local in order to get all the > traffic passing into the local firewall (192.168.2.0/24 -> 0.0.0.0/0). > > This works perfectly and all the traffic either intranet or internet > pass thru the local firewall. > > The problem now is that I want now to redirect the web traffic to squid > using a classical transparent proxying : > > iptables -t nat -A PREROUTING -p tcp --dport 80 -m mark --mark > 0x50010000/0xFFFF0000 -j DNAT --to 192.168.1.99:3128 > > for an unknown reason, this is not working. On the 192.168.1.99 host, I > see the connexion arriving but not correctly coming up : > > tethereal host 192.168.2.18 > 0.256680 192.168.2.18 -> 192.168.1.99 TCP 1166 > http [SYN] Seq=0 > Ack=0 Win=64512 Len=0 MSS=1260 > 0.256718 192.168.1.99 -> 192.168.2.18 TCP http > 1166 [SYN, ACK] > Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 > 0.442346 192.168.2.18 -> 192.168.1.99 TCP 1024 > http [RST] Seq=0 > Ack=0 Win=0 Len=0 > > the last line RST seams not to be issued by the 192.168.2.18 host, but > probably by the firewall/VPN gateway. I have also tried to set > /proc/sys/net/ipv4/conf/*/rp_filter to 0, but the problem is the same. > > the same setup was correctly working under a kernel 2.4, so I think the > problem is about natting the vpn connexion. > > Is there any problem like this under the current 2.6.8 kernel ? Do you > have any idea to try to bypass the problem ? > > ------------------------------------------------------- > Alain RICHARD <mailto:alain.richard@xxxxxxxxxxx> > EQUATION SA <http://www.equation.fr/> > Tel : +33 477 79 48 00 Fax : +33 477 79 48 01 > Applications client/serveur, ing?nierie r?seau et Linux > >
Attachment:
signature.asc
Description: Digital signature
