Re: Ipsec/L2tp with NETKEY

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eray Aslan <eray.aslan@caf.com.tr>
To: Martin <martin.listz@gmail.com>, netfilter@vger.kernel.org
Subject: Re: Ipsec/L2tp with NETKEY
Date: Mon, 06 Jul 2009 10:04:23 +0300	[thread overview]
Message-ID: <4A51A1F7.2050206@caf.com.tr> (raw)
In-Reply-To: <114b7d1a0907052027y1204f945s4d9b5ea7032d6b13@mail.gmail.com>

On 06.07.2009 06:27, Martin wrote:
> 2009/7/4 Eray Aslan <eray.aslan@caf.com.tr <mailto:eray.aslan@caf.com.tr>>
> 
>     On 04.07.2009 03:21, Martin wrote:
>     [...]
>     > Any suggestions how to let connections on udp 1701 only to connections
>     > before authenticated by ipsec?
> 
>     On the openswan machine, mark the ESP packets and accept only marked
>     packets to l2tpd daemon:
> 
>     # iptables -t mangle -A PREROUTING -i $EXT_INT -p 50 -j MARK
>     --set-mark 1
>     # iptables -A INPUT -i $EX_INT -m mark --mark 1 -j ACCEPT
>     # iptables -A INPUT -i $EX_INT -p udp --dport 1701 -j DROP
>
> Thanks for the reply Eray.
> 
> Sadly, that doesn't seems to work, or at least I don't see any packet
> been mark using "iptables -L -n -v -t mangle"
> 
> Can be there something else or anything that I'm missing?

Better to reply on-list.  Others might help / correct the given advice.

If counters do not increase, you need to figure out why esp packets do
not match the marking line.  Perhaps try logging all packets in
mangle/PREROUTING for a short while and compare.

-- 
Eray

     prev parent reply	other threads:[~2009-07-06  7:04 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-07-04  0:21 Ipsec/L2tp with NETKEY Martin
2009-07-04  4:14 ` Eray Aslan
     [not found]   ` <114b7d1a0907052027y1204f945s4d9b5ea7032d6b13@mail.gmail.com>
2009-07-06  7:04     ` Eray Aslan [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4A51A1F7.2050206@caf.com.tr \
    --to=eray.aslan@caf.com.tr \
    --cc=martin.listz@gmail.com \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.