From: Patrick McHardy
Subject: Re: SNAT with ipsec => return packets not de-natted
Date: Wed, 04 Nov 2009 13:27:21 +0100
Message-ID: <4AF17329.7010506@trash.net>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: netfilter-owner@vger.kernel.org
Content-Type: text/plain; charset="us-ascii"
To: Jari Laurila
Cc: netfilter@vger.kernel.org

Jari Laurila wrote:
> On Tue, Nov 3, 2009 at 8:54 AM, Jari Laurila wrote:
>> Doesn't anyone have any clues for the problem I sent to the list on Sunday?
>>
>> I find it really strange that decrypted packets coming from the ipsec
>> tunnel with destination address xx.xx.xx.42 are sent through interface
>> ext1 even though "ip -s route get xx.xx.xx.42" says that the packet should
>> go through interface ext0b. The ipsec tunnel itself is going through
>> interface ext1, but shouldn't packets get routed after they come out of the
>> tunnel? I even tried to look at the kernel code to figure out why this
>> happens, but I don't know enough about the kernel and my C skills are a bit
>> lacking, so I couldn't find the cause.
>>
>
> Update: Netfilter sees the packet in the mangle table in the PREROUTING chain (I
> added a LOG rule), but the nat table does not see the packet.
>
> I also have a fwd policy defined for the connection in question:
>
> src srcip.srcip.srcip.secip/32 dst dstip.dstip.dstip.42/32
> dir fwd priority 0
> tmpl src gwip.gwip.gwip.gwip dst remgw.remgw.remgw.remgw
> proto esp reqid 0 mode tunnel

Try adding a TRACE rule to see how the packet traverses the netfilter hooks.
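The TRACE target suggested in the reply writes one kernel log line per table/chain the packet passes through, in the documented form `TRACE: <table>:<chain>:<rule|return|policy>:<rulenum>` followed by the usual LOG-style `IN=`, `OUT=`, `SRC=`, `DST=` fields. Reading those lines by hand across several tables is error-prone, so the following script (an added example, not code from this thread or from the netfilter project) parses a captured TRACE log and reconstructs the traversal for one destination, reporting which PREROUTING tables never saw the packet and which interface the routing decision chose. The sample log lines are constructed for this example; `192.0.2.42` and `198.51.100.7` stand in for the redacted addresses in the thread, and the rule shown in the comment assumes the raw table so the trace fires before connection tracking.

```python
"""Reconstruct a packet's netfilter hook traversal from TRACE log lines.

Added example, not part of the mailing-list thread. Log layout follows the
iptables TRACE target documentation:
    TRACE: <table>:<chain>:<rule|return|policy>:<rulenum> <LOG-style fields>
"""
import re
from dataclasses import dataclass, field

# Rule the reply suggests, for the placeholder address 192.0.2.42 (assumed):
#   iptables -t raw -A PREROUTING -d 192.0.2.42 -j TRACE
# The kernel's netfilter log backend must be loaded for the lines to appear.

TRACE_RE = re.compile(
    r"TRACE: (?P<table>[^:\s]+):(?P<chain>[^:\s]+):"
    r"(?P<kind>rule|return|policy):(?P<rulenum>\d+)"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # IN=ext1 OUT= SRC=... DST=... PROTO=...


@dataclass
class TraceEvent:
    table: str
    chain: str
    kind: str        # "rule": a rule matched; "return"/"policy": end of chain
    rulenum: int
    fields: dict = field(default_factory=dict)


def parse_trace_line(line: str):
    """Return a TraceEvent for a TRACE log line, or None for any other line."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    return TraceEvent(m["table"], m["chain"], m["kind"], int(m["rulenum"]), fields)


def traversal(lines, src=None, dst=None):
    """Ordered TraceEvents for packets matching the given SRC/DST filters."""
    events = []
    for line in lines:
        ev = parse_trace_line(line)
        if ev is None:
            continue
        if src is not None and ev.fields.get("SRC") != src:
            continue
        if dst is not None and ev.fields.get("DST") != dst:
            continue
        events.append(ev)
    return events


def hooks_seen(events):
    """(table, chain) pairs in traversal order, without repeats."""
    seen = []
    for ev in events:
        key = (ev.table, ev.chain)
        if key not in seen:
            seen.append(key)
    return seen


def missing_tables(events, expected=("raw", "mangle", "nat")):
    """PREROUTING tables that never logged the packet (nat missing = the symptom)."""
    present = {ev.table for ev in events if ev.chain == "PREROUTING"}
    return [t for t in expected if t not in present]


def egress_interfaces(events):
    """OUT= interfaces recorded after the routing decision (FORWARD/POSTROUTING)."""
    return sorted({ev.fields["OUT"] for ev in events if ev.fields.get("OUT")})


# Constructed sample: decrypted packet from the IPsec peer towards the host
# behind SNAT. It is logged in raw and mangle PREROUTING but never in nat,
# and the routing decision sends it back out ext1, as described in the thread.
SAMPLE_LOG = """\
Nov  4 12:00:01 gw kernel: TRACE: raw:PREROUTING:policy:2 IN=ext1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.42 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=4711 DF PROTO=TCP SPT=40001 DPT=22 ACK URGP=0
Nov  4 12:00:01 gw kernel: TRACE: mangle:PREROUTING:policy:1 IN=ext1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.42 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=4711 DF PROTO=TCP SPT=40001 DPT=22 ACK URGP=0
Nov  4 12:00:01 gw kernel: TRACE: mangle:FORWARD:policy:1 IN=ext1 OUT=ext1 SRC=198.51.100.7 DST=192.0.2.42 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=4711 DF PROTO=TCP SPT=40001 DPT=22 ACK URGP=0
Nov  4 12:00:01 gw kernel: TRACE: filter:FORWARD:rule:3 IN=ext1 OUT=ext1 SRC=198.51.100.7 DST=192.0.2.42 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=4711 DF PROTO=TCP SPT=40001 DPT=22 ACK URGP=0
Nov  4 12:00:01 gw kernel: some unrelated message
"""

if __name__ == "__main__":
    evs = traversal(SAMPLE_LOG.splitlines(), dst="192.0.2.42")
    for table, chain in hooks_seen(evs):
        print(f"{table}:{chain}")
    print("PREROUTING tables not seen:", missing_tables(evs))
    print("egress interfaces:", egress_interfaces(evs))
```

Feed it `journalctl -k` or `/var/log/kern.log` output instead of the sample and filter on the real destination. One caveat when reading the result: the nat table is consulted only for the first packet of a connection, so an established flow legitimately shows no `nat:PREROUTING` line; the absence is only a finding when the traced packet is the one that opens the connection.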