Re: SNAT problem

Yevgeny Kosarzhevsky wrote:
> Pascal Hambourg wrote:
>> Yevgeny Kosarzhevsky wrote:
>>
>>> I have two interfaces, let's say ppp0 - x.x.x.x, ppp1 - y.y.y.y. ppp0 is
>>> the default gateway.
>>> I use some command to change routing to IP z.z.z.z via ppp1:
>>> ip ro ad to z.z.z.z dev ppp1
>>>
>>> I have SNAT rules for both interfaces, however, I notice with tcpdump
>>> that outgoing packets are still using x.x.x.x instead of y.y.y.y IP,
>>> though packets are being sent with the correct interface (ppp1)
>>>
>>> I have shut down ppp0 and removed the SNAT rule for it, but outgoing packets
>>> are still showing the x.x.x.x IP. Even ip ro fl cache didn't help.
>>
>> If the packets belong to an existing connection (conntrack-wise) which
>> was established before the route change, this behaviour is expected.
>> Changing the source address may break the connection.
> 
> I have this trouble for new ipsec connections. I change the route on my
> gateway and then try to establish an ipsec connection. I see on the
> gateway with tcpdump that the address of the outgoing packets still
> belongs to the old interface.

Is the new IPSec connection to the same destination address? If so,
then the connection tracking and NAT system may consider it to be the same
connection and use the same NAT mapping as before.

Did you wait until the old IPSec conntrack entry expired (check in
/proc/net/nf_conntrack) or try to delete it with the conntrack tool?
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
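The check Pascal suggests above, written out as an added example that is not part of the thread: it scans lines in /proc/net/nf_conntrack format for entries whose original destination is the IPsec peer but whose reply-direction destination (the SNAT source the peer sees) is still the old interface address. The addresses (203.0.113.7 for z.z.z.z, 198.51.100.9 for the old ppp0 address, 192.0.2.45 for the new ppp1 address, 10.0.0.5 for a LAN host) and the sample entries are constructed for the example.

```shell
#!/bin/sh
# Constructed sample in /proc/net/nf_conntrack format (not taken from the thread).
# Original tuple comes first (src=LAN dst=peer), then the reply tuple
# (src=peer dst=<address the SNAT rule mapped us to>).
SAMPLE_CONNTRACK='ipv4     2 udp      17 170 src=10.0.0.5 dst=203.0.113.7 sport=500 dport=500 src=203.0.113.7 dst=198.51.100.9 sport=500 dport=500 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=10.0.0.5 dst=203.0.113.7 sport=4500 dport=4500 src=203.0.113.7 dst=198.51.100.9 sport=4500 dport=4500 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.200 sport=52312 dport=443 src=198.51.100.200 dst=198.51.100.9 sport=443 dport=52312 [ASSURED] mark=0 use=1
ipv4     2 udp      17 25 src=10.0.0.5 dst=203.0.113.7 sport=4500 dport=4500 src=203.0.113.7 dst=192.0.2.45 sport=4500 dport=4500 mark=0 use=1'

# stale_snat_entries PEER NEW_SRC: print the conntrack lines (read from stdin)
# whose original destination is PEER but whose reply-direction destination,
# i.e. the mapped source address, is not NEW_SRC. These are the entries that
# keep the old SNAT mapping alive after the route change.
stale_snat_entries() {
    awk -v want_dst="$1" -v new_src="$2" '
    {
        n = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^dst=/) { n++; d[n] = substr($i, 5) }
        # d[1] = original-direction dst, d[2] = reply-direction dst
        if (n >= 2 && d[1] == want_dst && d[2] != new_src) print
    }'
}

# stale_snat_count PEER NEW_SRC: number of such entries (for scripting a check).
stale_snat_count() {
    stale_snat_entries "$1" "$2" | awk 'END { print NR }'
}

# On a real gateway: stale_snat_entries 203.0.113.7 192.0.2.45 < /proc/net/nf_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | stale_snat_entries 203.0.113.7 192.0.2.45
```

Entries reported here are the ones to let expire or to remove with the conntrack tool (conntrack -D --orig-dst 203.0.113.7 in this example) so the next IPsec packet gets a fresh mapping through ppp1.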

