Re: kernel routing of IPSec / VMWare

Re: kernel routing of IPSec / VMWare

[Petr Vandrovec]

On  4 Jun 02 at 1:19, Brian C. Huffman wrote:
> 
> The way that we have checkpoint setup it is doing UDP encapsulation of
> the IPSec (otherwise it would not be possible to do this w/ NAT).  This
> is with all the latest 2.4 kernels (haven't tried 2.4.19, though). 

Can't you push packets over your eth0 MTU with this encapsulation?
It would be useful if you could do 'tcpdump -i vmnet8 & tcpdump -i eth0'
or 'tcpdump -i any' to find what's going on.
                                                    Petr Vandrovec
                                                    vandrove@vc.cvut.cz

P.S.: Did you tried to ask in VMware newsgroups?
                                                    

kernel routing of IPSec / VMWare

[Brian C. Huffman]

All, 

This may not be the place, but I've been struggling w/ a problem w/
VMWare for quite some time.  Their support has not been helpful and I
have not found anything by searching the net.  

Is there some reason that linux does not route all IPSec traffic?  I've
tried NATing using both IPtables and using the new built-in NAT that
comes with the latest versions of VMWare and I can never get it to work
w/ CheckPoint's SecurRemote product.  When I do a "bridged" ethernet (in
VMWare), it always works.  Looking at the packets, it seems as though it
might not be passing some of the ESP packets.  

The way that we have checkpoint setup it is doing UDP encapsulation of
the IPSec (otherwise it would not be possible to do this w/ NAT).  This
is with all the latest 2.4 kernels (haven't tried 2.4.19, though). 

Any suggestions would be helpful. 

Thanks, 
Brian