Hi again,

Lots of experiments later, but still no luck....

> >> xt_esp generates debug output if you have "printk" sysctl set to show it.
> >
> > How would I do so? I never used sysctl for anything but enabling IP
> > forwarding....
>
> sysctl -w kernel.printk="7 7 7 7"

I did. And I tried

# echo "7 7 7 7" > /proc/sys/kernel/printk

Nothing appears on `dmesg`. Also I noticed that xt_esp was not loaded
automatically. I had to load it using `insmod`. Still no output. But note
that I could not use -m esp --espspi either, see below.

> > # iptables -t mangle -A PREROUTING -p esp --spi 0xcdfebb11 -j MARK
> > --set-mark 1
> >
> > iptables v1.4.12: Gives: unknown option "--spi"
>
> --espspi per manpage. -m esp --espspi XXXXX
> Or -m polixy --spi XXXXX --dir in

The latter does not match, but I cannot even get the former one to be accepted:

# iptables -t mangle -D PREROUTING -p esp -m esp --espspi 0xcde0e1ca -j MARK --set-mark 1
iptables: No chain/target/match by that name.
# iptables -t mangle -D PREROUTING -p esp --espspi 0xcde0e1ca -j MARK --set-mark 1
iptables: No chain/target/match by that name.
# iptables -t mangle -D PREROUTING -m esp --espspi 0xcde0e1ca -j MARK --set-mark 1
iptables: No chain/target/match by that name.

Is there a way to find out what's wrong here?

> Why don't you try --espspi 0xc4b51d18 for a change, since that is (one value)
> from those obtained from ip x s.

--espspi does not work at all - iptables complains, see above.

Also, I tried -m polixy --spi XXXX -dir in for all SPI codes I could find
anywhere - it never matched.

BTW: If matching the SPI is a problem, I would prefer matching reqid anyway.
But for now it would suffice to match any of those.

I am really stuck here. Any hints are still welcome. Also I would be glad if
I could chat with someone using MSN Messenger or mIRC or anything. I could
also provide ssh root access to these machines...

Regards,
Steffen
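An added example, not part of Steffen's message or of the netfilter project: a small POSIX shell script that turns `ip xfrm state` output into the two kinds of mangle rules discussed in the thread, one per inbound SA using `-m esp --espspi`, and one per reqid using `-m policy --dir in` (the reqid match Steffen says he would prefer). The SA listing is constructed sample data (RFC 5737 documentation addresses, placeholder keys) that reuses the two SPIs quoted in the thread; the function names, the local address and the mark value are assumptions. Two points the thread does not spell out: `-p esp -m esp --espspi` is evaluated on the outer ESP packet, whereas the policy match reads the sec_path that xfrm input attaches to the decrypted packet, so it marks the inner packet on its second pass through PREROUTING, not the ESP envelope; and "No chain/target/match by that name" is the kernel rejecting the rule, which usually means the kernel-side module for the match (xt_esp here) is not available to it, so `match_available` checks the userspace extension and the module separately.

```shell
#!/bin/sh
# Added example, not from the original thread. Turns `ip xfrm state` output
# into mangle rules that mark inbound ESP traffic, two ways:
#   esp_spi_rules -> one rule per inbound SA, matching the ESP header SPI
#   reqid_rules   -> one rule per reqid, using the policy match, which is
#                    evaluated on the decrypted packet rather than the envelope
# Both read the SA listing on stdin and only print commands; nothing is applied.

# Constructed sample of `ip xfrm state` output (assumed layout: a "src ... dst"
# line followed by an indented "proto esp spi ... reqid ... mode ..." line).
# Addresses are documentation addresses and keys are all-zero placeholders;
# the two SPIs are the ones quoted in the thread.
SAMPLE_XFRM_STATE='src 192.0.2.1 dst 198.51.100.7
    proto esp spi 0xc4b51d18 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
    enc cbc(aes) 0x00000000000000000000000000000000
src 198.51.100.7 dst 192.0.2.1
    proto esp spi 0xcde0e1ca reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
    enc cbc(aes) 0x00000000000000000000000000000000'

# Usage: esp_spi_rules LOCAL_IP MARK < sa-listing
# Emits one rule per SA whose dst is LOCAL_IP, matching the outer ESP packet
# by SPI (the "-m esp --espspi" form from the thread).
esp_spi_rules() {
    awk -v me="$1" -v mark="$2" '
        $1 == "src" { src = $2; dst = $4 }
        $1 == "proto" && $2 == "esp" && dst == me {
            spi = ""
            for (i = 1; i < NF; i++) if ($i == "spi") spi = $(i + 1)
            if (spi != "")
                printf "iptables -t mangle -A PREROUTING -s %s -d %s -p esp -m esp --espspi %s -j MARK --set-mark %s\n",
                       src, dst, spi, mark
        }'
}

# Usage: reqid_rules LOCAL_IP MARK < sa-listing
# Emits one rule per distinct reqid among inbound SAs. xt_policy reads the
# sec_path that xfrm input attached to the decrypted packet, so this rule
# fires on the inner packet as it re-enters PREROUTING, not on the ESP packet.
reqid_rules() {
    awk -v me="$1" -v mark="$2" '
        $1 == "src" { dst = $4 }
        $1 == "proto" && $2 == "esp" && dst == me {
            for (i = 1; i < NF; i++) if ($i == "reqid" && !seen[$(i + 1)]++)
                printf "iptables -t mangle -A PREROUTING -m policy --dir in --pol ipsec --proto esp --reqid %s -j MARK --set-mark %s\n",
                       $(i + 1), mark
        }'
}

# Usage: match_available NAME   (e.g. match_available esp)
# Returns 0 when both the iptables userspace extension and the kernel module
# for the match are present (loading the module if needed). A rule that
# iptables parses but the kernel answers with "No chain/target/match by that
# name" usually fails the second half of this check.
match_available() {
    iptables -m "$1" --help >/dev/null 2>&1 || return 1
    lsmod | grep -q "^xt_$1 " || modprobe "xt_$1" 2>/dev/null
}

# Stand-alone run: print the rules for the sample listing from the point of
# view of host 198.51.100.7, using mark 1.
printf '%s\n' "$SAMPLE_XFRM_STATE" | esp_spi_rules 198.51.100.7 1
printf '%s\n' "$SAMPLE_XFRM_STATE" | reqid_rules 198.51.100.7 1
```

On a real host replace the sample with `ip xfrm state | esp_spi_rules <local-ip> <mark>` and inspect the printed commands before applying them; because the two rule kinds mark different packets, a routing decision keyed on the mark should be built around one of them, not both.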