Re: SNAT with ipsec => return packets not de-natted

On Tue, Nov 3, 2009 at 8:54 AM, Jari Laurila <jari.laurila@xxxxxxxxx> wrote:
> Doesn't anyone have any clues for the problem I sent to the list on Sunday?
>
> I find it really strange that decrypted packets coming from ipsec
> tunnel with destination address xx.xx.xx.42 are sent through interface
> ext1 even though ip -s route get xx.xx.xx.42 says that packet should
> go through interface ext0b. Ipsec tunnel itself is going through
> interface ext1 but shouldn't packets get routed after they come from
> tunnel? I even tried to look at kernel code to figure out why this
> happens but I don't know enough about kernel and my C skills are a bit
> lacking, so I couldn't find the cause.
>

Update: Netfilter sees packet at mangle table in PREROUTING chain (I
added LOG rule), but nat table does not see the packet.

I also have fwd policy defined for the connection in question:

src srcip.srcip.srcip.secip/32 dst dstip.dstip.dstip.42/32
        dir fwd priority 0
        tmpl src gwip.gwip.gwip.gwip dst remgw.remgw.remgw.remgw
                proto esp reqid 0 mode tunnel