Jari Laurila wrote: > On Tue, Nov 3, 2009 at 8:54 AM, Jari Laurila <jari.laurila@xxxxxxxxx> wrote: >> Don't anyone have any clues for the problem I sent to the list on sunday? >> >> I find it really strange that decrypted packets coming from ipsec >> tunnel with destination address xx.xx.xx.42 are sent through interface >> ext1 even though ip -s route get xx.xx.xx.42 says that packet should >> go through interface ext0b. Ipsec tunnel itself is going through >> inteface ext1 but shouldn't packets get routed after they come from >> tunnel? I even tried to look at kernel code to figure out why this >> happens but I don't know enough about kernel and my c skills are a bit >> lacking, so I couldn't find the cause. >> > > Update Netfilter sees packet at mangle table in PREROUTING chain (I > added LOG rule), but nat table does not see the packet. > > I also have fwd policy defined for the connection in question: > > src srcip.srcip.srcip.secip/32 dst dstip.dstip.dstip.42/32 > dir fwd priority 0 > tmpl src gwip.gwip.gwip.gwip dst remgw.remgw.remgw.remgw > proto esp reqid 0 mode tunnel Try adding a TRACE rule to see how the packet traverses the netfilter hooks. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html