Re: SNAT with ipsec => return packets not de-natted

Jari Laurila wrote:
> On Tue, Nov 3, 2009 at 8:54 AM, Jari Laurila <jari.laurila@xxxxxxxxx> wrote:
>> Doesn't anyone have any clues for the problem I sent to the list on Sunday?
>>
>> I find it really strange that decrypted packets coming from ipsec
>> tunnel with destination address xx.xx.xx.42 are sent through interface
>> ext1 even though ip -s route get xx.xx.xx.42 says that packet should
>> go through interface ext0b. Ipsec tunnel itself is going through
>> interface ext1 but shouldn't packets get routed after they come from the
>> tunnel? I even tried to look at the kernel code to figure out why this
>> happens but I don't know enough about the kernel and my C skills are a bit
>> lacking, so I couldn't find the cause.
>>
> 
> Update: Netfilter sees the packet in the mangle table in the PREROUTING
> chain (I added a LOG rule), but the nat table does not see the packet.
> 
> I also have fwd policy defined for the connection in question:
> 
> src srcip.srcip.srcip.secip/32 dst dstip.dstip.dstip.42/32
>         dir fwd priority 0
>         tmpl src gwip.gwip.gwip.gwip dst remgw.remgw.remgw.remgw
>                 proto esp reqid 0 mode tunnel

Try adding a TRACE rule to see how the packet traverses the netfilter
hooks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
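One way to act on the TRACE suggestion above, as an added example that is not part of the thread: the iptables commands are shown as comments, and the script itself parses constructed sample TRACE log lines (the addresses and the ext1 interface name are hypothetical) to list the table:chain hops the decrypted packet took and to check whether nat:PREROUTING was among them.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# To enable tracing on the box (as root), restricted to the inner destination:
#   modprobe ipt_LOG                       # newer kernels: nf_log_ipv4
#   iptables -t raw -A PREROUTING -d 192.0.2.42 -j TRACE
# Every netfilter hook the packet hits then logs a line of the form
#   "TRACE: table:chain:type:rulenum IN=... OUT=... SRC=... DST=...".

# Constructed sample of what dmesg might show for one decrypted packet.
# Note the absence of any nat:PREROUTING line, matching the symptom
# described in the thread (mangle sees the packet, nat does not).
SAMPLE_TRACE='
TRACE: raw:PREROUTING:policy:2 IN=ext1 OUT= SRC=198.51.100.7 DST=192.0.2.42 LEN=84 PROTO=ICMP
TRACE: mangle:PREROUTING:rule:1 IN=ext1 OUT= SRC=198.51.100.7 DST=192.0.2.42 LEN=84 PROTO=ICMP
TRACE: mangle:PREROUTING:policy:2 IN=ext1 OUT= SRC=198.51.100.7 DST=192.0.2.42 LEN=84 PROTO=ICMP
TRACE: mangle:FORWARD:policy:1 IN=ext1 OUT=ext1 SRC=198.51.100.7 DST=192.0.2.42 LEN=84 PROTO=ICMP
TRACE: filter:FORWARD:policy:1 IN=ext1 OUT=ext1 SRC=198.51.100.7 DST=192.0.2.42 LEN=84 PROTO=ICMP
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=ext1 SRC=198.51.100.7 DST=192.0.2.42 LEN=84 PROTO=ICMP
'

# trace_path DST: print the table:chain hops for packets to DST, in order,
# collapsing consecutive lines from the same chain (rule + policy entries).
trace_path() {
    printf '%s\n' "$SAMPLE_TRACE" | grep "DST=$1 " \
        | sed -n 's/^TRACE: \([^:]*:[^:]*\):.*$/\1/p' \
        | uniq | tr '\n' ' ' | sed 's/ $//'
}

# nat_seen DST: succeed only if the nat table saw the packet in PREROUTING,
# i.e. the hook where DNAT/de-SNAT of return traffic would have to happen.
nat_seen() {
    trace_path "$1" | grep -q 'nat:PREROUTING'
}

# out_iface DST: the OUT= interface the routing decision chose, as seen at
# the FORWARD hook; compare it against "ip -s route get DST".
out_iface() {
    printf '%s\n' "$SAMPLE_TRACE" | grep "DST=$1 " | grep ':FORWARD:' \
        | sed -n 's/.*OUT=\([^ ]*\) .*/\1/p' | head -n 1
}
```

On a live system replace SAMPLE_TRACE with the output of `dmesg | grep '^TRACE:'` (or the kernel log file); the functions are otherwise unchanged.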
