> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Allain Yoann
> Sent: Wednesday 6 April 2005 10:54
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: 26sec+forwarding, bug or PEBKAC?
>
> On Tue, 31 Mar 2005 22:16:40, rsnel at cube.dyndns.org wrote
>
> >Hello list,
> >
> >I hope this is the right list, as my problem appears to be about both
> >iptables and (native (as in: managed with setkey)) IPSec.
> >
> >Short version:
> >
> >packets from ipsec tunnel seem to get lost before they enter the
> >FORWARD chain with kernel 2.6.11. There is no problem with 2.6.8-2-k6
> >(Debian kernel with 26sec) and there is no problem with ipsec turned
> >off.
> > ...
> >This happens with linux-2.6.11 (vanilla). The ping works if IPSec is
> >turned off (i.e. setkey -F -P on cube and toppie). And it also works
> >in 2.4.27-2-k6 (a Debian kernel (which has 26sec patched in)).
> >
> >So, is it a bug, feature, or just misconfiguration? Can you reproduce?
> >I would appreciate any insight on this problem.
> >
> >Thanks.
> >
> >Greetings,
> >
> >Rik.
>
> Hello Rik,
>
> I got the same problem, with the same kernel version. So I'm asking you
> if you resolved it and if someone of the kernel has been made aware of this
> problem.
> I've tried to debug it with a UML version but didn't succeed.
>
> Greetz
>
> Yoann

Hi again,

I solved the problem:
Since kernel 2.6.10, we must set a "fwd" policy in the same way we did for the "in" policy on each host-end of the tunnel.

I just found one reference on the web:
http://www.ipsec-howto.org/x277.html (one line in the middle)

I hope other newbies like me won't lose too much time on it...

Yoann
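
The rule from the message above, as an added example that is not part of the original post: a small Python check that reads a setkey configuration and reports every "in" policy that has no identical "fwd" policy. The subnets, gateway addresses, sample configuration and the function names `parse_policies` and `missing_fwd` are constructed for illustration; only the `spdadd ... -P in|out|fwd` syntax comes from setkey itself.

```python
import re

# Constructed sample setkey.conf for one tunnel end (all addresses are made up).
SAMPLE_CONF = """
flush;
spdflush;
# outbound policy: local subnet to remote subnet through the tunnel
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-192.0.2.2/require;
# inbound policy: remote subnet to local subnet
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    esp/tunnel/192.0.2.2-192.0.2.1/require;
"""

# The line that is missing above: same selectors and rule as "in", direction "fwd".
FWD_FIX = """
spdadd 10.0.2.0/24 10.0.1.0/24 any -P fwd ipsec
    esp/tunnel/192.0.2.2-192.0.2.1/require;
"""

# spdadd [options] src dst upperspec -P direction rule
SPDADD = re.compile(
    r"^spdadd\s+(?:-\S+\s+)*(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+(.*)$")

def parse_policies(conf):
    """Map direction -> {(src, dst, upperspec): rule} for every spdadd statement."""
    # Drop '#' comments, then split on the ';' that ends each setkey statement.
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    policies = {"in": {}, "out": {}, "fwd": {}}
    for stmt in text.split(";"):
        m = SPDADD.match(" ".join(stmt.split()))  # collapse line continuations
        if m:
            src, dst, proto, direction, rule = m.groups()
            policies[direction][(src, dst, proto)] = rule
    return policies

def missing_fwd(conf):
    """Selectors that have an 'in' policy but no identical 'fwd' policy."""
    p = parse_policies(conf)
    return sorted(sel for sel, rule in p["in"].items()
                  if p["fwd"].get(sel) != rule)

if __name__ == "__main__":
    for src, dst, proto in missing_fwd(SAMPLE_CONF):
        print(f"no matching fwd policy for: {src} -> {dst} ({proto})")
```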