On Tue, Nov 3, 2009 at 8:54 AM, Jari Laurila <jari.laurila@xxxxxxxxx> wrote:
> Don't anyone have any clues for the problem I sent to the list on sunday?
>
> I find it really strange that decrypted packets coming from ipsec
> tunnel with destination address xx.xx.xx.42 are sent through interface
> ext1 even though ip -s route get xx.xx.xx.42 says that packet should
> go through interface ext0b. Ipsec tunnel itself is going through
> inteface ext1 but shouldn't packets get routed after they come from
> tunnel? I even tried to look at kernel code to figure out why this
> happens but I don't know enough about kernel and my c skills are a bit
> lacking, so I couldn't find the cause.
>
Update Netfilter sees packet at mangle table in PREROUTING chain (I
added LOG rule), but nat table does not see the packet.
I also have fwd policy defined for the connection in question:
src srcip.srcip.srcip.secip/32 dst dstip.dstip.dstip.42/32
dir fwd priority 0
tmpl src gwip.gwip.gwip.gwip dst remgw.remgw.remgw.remgw
proto esp reqid 0 mode tunnel
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
