Looks like there is something going awry when 2.6, ipsec/openswan and iptables are combined. With further tinkering I was able to get ipsec working and masquerading working separately, however masquerading through ipsec still wouldn't work. Just to be clear, I used www.google.com instead of BoxC in the tests for which masquerading worked. Anyway, I've reverted to a 2.4 kernel now and everything seems to be working nicely. I don't mind running some tests with my 2.6 setup if anyone is interested though...

Andrew

On Sat, 8 Jan 2005 11:03:22 +0100, Andrew Beekhof <beekhof@xxxxxxxxx> wrote:
> On Fri, 7 Jan 2005 16:12:38 -0600, Trevor Cordes <trevor@xxxxxxxxxxxxx> wrote:
> > > I'm having some difficulties getting masquerading to work and hoping
> > > for some pointers...
> >
> > I can try to help. But you'll need to better describe your network
> > layout. Can you draw a little diagram showing where A, B & C are?
>
> Sure, A & B are connected directly to a netgear DSL modem/hub. C is
> part of my company's network which I'm accessing over the internet
> with ipsec. I've also tried replacing C with google.com (after
> specifying an appropriate routing rule) with no success.
>
> Does that clear things up?
>
> > Are you sure that BoxC doesn't have some firewall on (XP SP2) that is
> > eating the ping packets?
>
> XP? God no! All the machines are linux boxes running either SLES9 or
> Gentoo :) No firewall on B or C.
>
> From what I can tell, the packets from BoxB are getting lost on BoxA.
> I just tried using telnet and tcpdump and although I get logs like
> this:
>
> Jan 8 08:35:55 BoxA IN=eth0 OUT=eth0 SRC=192.168.9.22 DST=10.10.2.86
> LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48952 DF PROTO=TCP SPT=34452
> DPT=69 WINDOW=3840 RES=0x00 SYN URGP=0
>
> ... the packets never actually arrive at BoxC (10.10.2.86). I don't
> think they ever leave BoxA but I'm not sure I understand the tcpdump
> output enough to say for sure.
>
> A dump of my iptables in case it helps...
>
> mayo linux # iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere            LOG level warning
> MASQUERADE all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> mayo linux # iptables -L -t filter
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> mayo linux # iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere            LOG level debug
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
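As an added example that is not part of the thread, here is a small parser for the kernel-log lines the netfilter LOG target writes (the format of the `IN=eth0 OUT=eth0 SRC=... DST=...` line quoted above). It splits each record into fields, collects the bare flag tokens (`DF`, `SYN`, ...) and tags forwarded packets that leave on the same interface they arrived on, which is what the quoted line shows. The first sample line is the one from the message; the other two are constructed.

```python
import re
from typing import Dict, List, Optional

# Sample kernel-log lines. Line 1 is quoted from the thread; lines 2 and 3
# are constructed (a locally generated packet and a non-netfilter message).
SAMPLE_LOG = """\
Jan 8 08:35:55 BoxA IN=eth0 OUT=eth0 SRC=192.168.9.22 DST=10.10.2.86 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=48952 DF PROTO=TCP SPT=34452 DPT=69 WINDOW=3840 RES=0x00 SYN URGP=0
Jan 8 08:36:01 BoxA IN= OUT=eth0 SRC=192.168.9.1 DST=10.10.2.86 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 8 08:36:02 BoxA kernel: some unrelated message
"""

# KEY=VALUE pairs; the value may be empty (IN= for locally generated packets).
_PAIR_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Flag-only tokens that the LOG target emits without an '=' sign.
_FLAG_RE = re.compile(r"(?<![=\w])(DF|MF|SYN|ACK|FIN|RST|PSH|URG)\b")


def parse_nf_log(line: str) -> Optional[Dict[str, object]]:
    """Parse one netfilter LOG line into a dict; None if it is not one."""
    if "IN=" not in line or "OUT=" not in line:
        return None
    rec: Dict[str, object] = dict(_PAIR_RE.findall(line))
    rec["flags"] = set(_FLAG_RE.findall(line))
    return rec


def is_hairpin_forward(rec: Dict[str, object]) -> bool:
    """Forwarded packet (IN set) that exits on the interface it entered on."""
    return bool(rec.get("IN")) and rec.get("IN") == rec.get("OUT")


def summarise(log: str) -> List[str]:
    """One human-readable line per netfilter record in the log text."""
    out: List[str] = []
    for line in log.splitlines():
        rec = parse_nf_log(line)
        if rec is None:
            continue
        if is_hairpin_forward(rec):
            tag = "hairpin"
        elif not rec.get("IN"):
            tag = "local"
        else:
            tag = "forward"
        out.append(f"{tag} {rec['PROTO']} {rec['SRC']}:{rec.get('SPT', '-')}"
                   f" -> {rec['DST']}:{rec.get('DPT', '-')} {sorted(rec['flags'])}")
    return out


if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG):
        print(row)
```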