On Mon, 4 Feb 2008 10:48:51 +0100 "Marco Berizzi" <pupilla@xxxxxxxxxxx> wrote:

> RUMI Szabolcs wrote:
>
> > iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -d 164.99.192.0/22 -j SNAT --to-source 164.99.195.8
> >
> > The IP address in --to-source 164.99.195.8 is the one that was
> > dynamically allocated by the remote corporate VPN concentrator
> > (not under my control) at the time I tested the setup.
> >
> > I cannot make an iproute2 dump because I'm using the oldskool
>
> which ike/ipsec implementation are you using?

On the kernel level I'm using the one that comes with the 2.6 kernel, so USAGI I guess.
On the userspace level I'm using ipsec-tools-0.6.3_turnpike, which is a special version
maintained by Novell that allows us to use their proprietary Nortel Contivity binary IPsec
plugins, which are needed to connect to the corporate VPN. It is using some nasty
non-standard proprietary authentication mechanism in order to be non-compatible with free
implementations, but I doubt that my problem is caused by this.

http://forge.novell.com/modules/xfcontent/downloads.php/turnpike/ipsec-tools-0.6.3/

> > and goes through iptables and gets NATed in the POSTROUTING
> > chain it goes straight out to eth0 and it does not get
> > reevaluated whether it should be handled by IPsec.
>
> mhhh which kernel version?

To be exact it's 2.6.22-gentoo-r9 from Gentoo Linux. You can find patch information here:

http://dev.gentoo.org/~dsd/genpatches/patches-2.6.22-9.htm

Thanks!

Best regards,
Sab