public inbox for linux-kernel@vger.kernel.org
* IPSEC and bridged interfaces
@ 2006-10-30 16:29 Joerg Platte
From: Joerg Platte @ 2006-10-30 16:29 UTC (permalink / raw)
  To: linux-kernel

Hi,

currently I'm using kernel 2.6.18.1 on one of my computers. The router acts as 
an ipsec endpoint and masquerades all packets received via IPSEC.

Today I replaced the local ethernet interface by a bridged interface by 
combining the ethernet interface with a tap interface. I changed the 
interface names in my iptables-based firewall to match the new bridge 
interface name and did not change anything else.

Unfortunately, the kernel does not encrypt incoming packets any more. tcpdump 
reveals that all received replies (I tested it with ping) are forwarded 
unencrypted, because they are visible on my firewall instead of being 
encrypted. Is this a known problem? Is bridging and IPSEC (maybe with 
masquerading) currently not supported? Or should I forward this issue to 
another mailing list? 

regards,
Jörg



* Re: IPSEC and bridged interfaces
From: Jan Engelhardt @ 2006-10-31  8:30 UTC (permalink / raw)
  To: jplatte; +Cc: linux-kernel

>Unfortunately, the kernel does not encrypt incoming packets any more. tcpdump 
>reveals that all received replies (I tested it with ping) are forwarded 
>unencrypted, because they are visible on my firewall instead of being 
>encrypted. Is this a known problem? Is bridging and IPSEC (maybe with 
>masquerading) currently not supported? Or should I forward this issue to 
>another mailing list? 

Sounds like those packets are bridged rather than routed (or so it 
sounds). See if that's the case. Check
http://www.imagestream.com/~josh/PacketFlow-new.png for details.

You could try `ebtables -t broute -j DROP` to force all packets to be 
routed.


	-`J'
-- 


* Re: IPSEC and bridged interfaces
From: Joerg Platte @ 2006-10-31 16:19 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: linux-kernel

On Tuesday, 31 October 2006 09:30, Jan Engelhardt wrote:
Hi,

> Sounds like those packets are bridged rather than routed (or so it
> sounds). See if that's the case. Check
> http://www.imagestream.com/~josh/PacketFlow-new.png for details.

It looks like my router is able to re-map its IP to the corresponding private 
IP, but then this packet is bridged instead of routed (or encrypted). 
Unfortunately, IPSEC routing is not listed in this image.

> You could try `ebtables -t broute -j DROP` to force all packets to be
> routed.

I tried 
ebtables -t broute -A BROUTING -p ipv4 --ip-destination 192.168.0.0/16 -j DROP
but this does not change anything (192.168.0.0/16 is my private, masqueraded 
network).  But nothing changed. I'm thinking about replacing my IPSEC VPN 
with an openvpn tunnel. Maybe then I'll have less problems.

regards,
Jörg

-- 
PGP Key: send mail with subject 'SEND PGP-KEY' PGP Key-ID: FD 4E 21 1D
PGP Fingerprint: 388A872AFC5649D3 BCEC65778BE0C605

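The failure mode in this thread is a confidentiality leak: replies that the xfrm policy should have wrapped in ESP leave the box in the clear because the bridge hands the frames across at layer 2 before the IP stack (and therefore the IPsec policy lookup) ever sees them. Joerg found the leak by eye in tcpdump; the following is an added example, not code from either poster, that does the same check mechanically. It reads tcpdump -n summary lines captured on the interface facing the peer, and flags any packet whose destination falls inside a subnet the IPsec policy is supposed to protect but which is not ESP on the wire. The protected selector (192.168.0.0/16) is taken from Joerg's message; the sample capture lines, addresses and SPI value are constructed for the example.

```python
"""Flag plaintext packets that an IPsec policy should have protected.

Added example for this thread (not from the original posts). Parses
tcpdump -n summary lines and reports packets whose destination lies in a
protected selector but which were observed as anything other than ESP.
All sample data below is constructed.
"""
import ipaddress
import re

# Destination selectors the xfrm policy is expected to tunnel. The thread
# names 192.168.0.0/16 as the private, masqueraded network behind the tunnel.
PROTECTED_DST = [ipaddress.ip_network("192.168.0.0/16")]

# Matches lines such as:
#   "12:00:01.000001 IP 10.0.0.2 > 192.168.1.10: ICMP echo reply, ..."
#   "12:00:01.000500 IP 203.0.113.1 > 198.51.100.2: ESP(spi=0x00001234,seq=0x1), length 116"
#   "12:00:02.000001 IP 10.0.0.2.22 > 192.168.1.10.51000: Flags [P.], seq 1:33, ..."
# The optional trailing ".port" on each address is consumed but discarded.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Return {ts, src, dst, proto} for a tcpdump summary line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # First token after the addresses names the payload: "ESP(spi=...)" -> "ESP",
    # "ICMP echo reply" -> "ICMP". tcpdump prints TCP as "Flags [...]".
    proto = m["rest"].split()[0].split("(")[0].rstrip(",")
    if proto == "Flags":
        proto = "TCP"
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": proto,
    }


def find_plaintext_leaks(lines, protected=PROTECTED_DST):
    """Return parsed packets that target a protected selector without ESP.

    ESP packets are the expected, encrypted form and are skipped. Anything
    else addressed into a protected subnet on this interface bypassed the
    IPsec policy (here: was bridged instead of routed) and is reported.
    """
    leaks = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["proto"] == "ESP":
            continue
        if any(pkt["dst"] in net for net in protected):
            leaks.append(pkt)
    return leaks


# Constructed capture: two leaks (ICMP and TCP into 192.168.0.0/16), one
# legitimate ESP packet between tunnel endpoints, one unrelated packet, and
# one non-matching line.
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 10.0.0.2 > 192.168.1.10: ICMP echo reply, id 1, seq 1, length 64",
    "12:00:01.000500 IP 203.0.113.1 > 198.51.100.2: ESP(spi=0x00001234,seq=0x1), length 116",
    "12:00:02.000001 IP 10.0.0.2.22 > 192.168.1.10.51000: Flags [P.], seq 1:33, ack 1, win 501, length 32",
    "12:00:02.100000 IP 10.0.0.2 > 8.8.8.8: ICMP echo request, id 2, seq 1, length 64",
    "not a tcpdump line",
]


if __name__ == "__main__":
    for pkt in find_plaintext_leaks(SAMPLE_CAPTURE):
        print(f"{pkt['ts']} LEAK {pkt['proto']} {pkt['src']} -> {pkt['dst']} (plaintext into protected selector)")
```

In practice the input would be `tcpdump -n -i <outer-interface>` piped into this script, with the selector list taken from the policy that is actually loaded. Note on the remedy Jan suggested: in the ebtables broute table, DROP does not discard the frame; it means "do not bridge, hand the frame to the IP layer", so a BROUTING rule with -j DROP is what forces a frame onto the routing path where the xfrm policy lookup happens.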
