* masquerade & ipsec
@ 2006-07-01 22:57 Stephen Clark
2006-07-05 15:34 ` Patrick McHardy
0 siblings, 1 reply; 3+ messages in thread
From: Stephen Clark @ 2006-07-01 22:57 UTC (permalink / raw)
To: netfilter-devel
Hello,
I am running kernel 2.6.16-1.2115_FC4 - I have a network that looks like this:
FreeBSD FC-4
10.0.128.0/17 <-> 10.0.254.254-65.162.x.x ipsec tunnel
24.x.x.x-192.168.2.1 <-> 192.168.2.0/24
Some change recently caused masquerading to happen on my FC-4 box before
ipsec happens, so my packets from my 192.168.2.0/24 network have the source
address changed to my external interface address and don't get picked up by
the SA. If I turn off masquerading then ipsec works again. I didn't use to
have this problem.
Ideas?
TIA,
Steve
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
* Re: masquerade & ipsec
From: Patrick McHardy @ 2006-07-05 15:34 UTC (permalink / raw)
To: Stephen.Clark; +Cc: netfilter-devel
Stephen Clark wrote:
> Hello,
>
> I am running kernel 2.6.16-1.2115_FC4 - I have a network that looks like
> this:
>
> FreeBSD FC-4
> 10.0.128.0/17 <-> 10.0.254.254-65.162.x.x ipsec tunnel
> 24.x.x.x-192.168.2.1 <-> 192.168.2.0/24
>
> Some change recently caused masquerading to happen on my FC-4 box before
> ipsec happens, so my packets from my 192.168.2.0/24 network have the source
> address changed to my external interface address and don't get picked up by
> the SA. If I turn off masquerading then ipsec works again. I didn't use to
> have this problem.
You can use the policy match to exclude the packets that should
be handled by IPsec from masquerading. Or simply do it by
address.
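Both suggestions from the reply above, written out as nat-table rulesets together with a small rule-order check. This is an added example, not code from the thread: the interface name `eth0`, the exact rules and the helper `ipsec_exempt_before_masq` are assumptions, and the subnets are the ones in Stephen's diagram.

```shell
#!/bin/sh
# Added example (not from the thread). Rulesets are constructed, in
# iptables-save format; eth0 is an assumed name for the external interface.
# Problem case: everything leaving eth0 is masqueraded, tunnel traffic included.
BROKEN='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Suggestion 1 (policy match): packets with an outbound IPsec policy skip NAT.
FIXED_POLICY='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Suggestion 2 (by address): never masquerade traffic to the remote subnet.
FIXED_ADDR='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.2.0/24 ! -d 10.0.128.0/17 -o eth0 -j MASQUERADE
COMMIT'

# Exit 0 if tunnel traffic is exempted before any MASQUERADE rule in
# nat/POSTROUTING, 1 otherwise. $1 = remote subnet; ruleset on stdin.
# Heuristic only: ignores -s/-o scoping and user-defined chains.
ipsec_exempt_before_masq() {
    awk -v remote="$1" '
        /^\*/ { in_nat = ($0 == "*nat") }
        in_nat && /^-A POSTROUTING / {
            to_remote = index($0, " -d " remote " ") > 0
            negated   = index($0, "! -d " remote " ") > 0
            if (/-j (ACCEPT|RETURN)/ && (/--pol ipsec/ || (to_remote && !negated)))
                exempt = 1
            if (/-j MASQUERADE/ && !exempt && !negated && !/--pol none/)
                bad = 1
        }
        END { exit bad + 0 }
    '
}

for name in BROKEN FIXED_POLICY FIXED_ADDR; do
    eval "rules=\$$name"
    if printf '%s\n' "$rules" | ipsec_exempt_before_masq 10.0.128.0/17
    then echo "$name: tunnel traffic exempt from NAT"
    else echo "$name: MASQUERADE rewrites tunnel traffic first"
    fi
done
```

On a live gateway the same check can read `iptables-save -t nat` on stdin instead of the embedded samples.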
* Re: masquerade & ipsec
From: Patrick McHardy @ 2006-07-05 16:51 UTC (permalink / raw)
To: Stephen.Clark; +Cc: netfilter-devel
Stephen Clark wrote:
> Patrick McHardy wrote:
>
>> You can use the policy match to exclude the packets that should
>> be handled by IPsec from masquerading. Or simply do it by
>> address.
>>
>>
>>
> Thanks for the response.
>
> I figured out how to do it during the time between my post 7/1/06 and when
> it showed on list 7/5/06 ( can anyone tell me why it takes so long for
> a post to the netfilter-devel list, when I post to linux-kernel it shows
> up within a few minutes ).
As a non-subscriber your posts are held until the list moderator
approves them. Usually he's pretty quick.
> When I worked for Data General we used to call this the UTF ( Universal
> Time Filter ) hopefully
> the customer had figured out his problem by the time we got back to him.
:)