On Tue, Nov 3, 2009 at 8:54 AM, Jari Laurila <jari.laurila@xxxxxxxxx> wrote:
> Doesn't anyone have any clues for the problem I sent to the list on Sunday?
>
> I find it really strange that decrypted packets coming from ipsec
> tunnel with destination address xx.xx.xx.42 are sent through interface
> ext1 even though ip -s route get xx.xx.xx.42 says that packet should
> go through interface ext0b. Ipsec tunnel itself is going through
> interface ext1 but shouldn't packets get routed after they come from
> tunnel? I even tried to look at kernel code to figure out why this
> happens but I don't know enough about kernel and my C skills are a bit
> lacking, so I couldn't find the cause.
>

Update: Netfilter sees the packet at the mangle table in the PREROUTING chain (I added a LOG rule), but the nat table does not see the packet.

I also have a fwd policy defined for the connection in question:

src srcip.srcip.srcip.secip/32 dst dstip.dstip.dstip.42/32
        dir fwd priority 0
        tmpl src gwip.gwip.gwip.gwip dst remgw.remgw.remgw.remgw
                proto esp reqid 0 mode tunnel