
Re: Problem with IPSEC tunnel mode

To: Wolfgang Walter <>
Subject: Re: Problem with IPSEC tunnel mode
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 22 Apr 2005 07:46:18 +1000
Cc: netdev@xxxxxxxxxxx
In-reply-to: <>
References: <> <>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040907i
On Thu, Apr 21, 2005 at 04:40:16PM +0200, Wolfgang Walter wrote:
> dev eth2.1001  scope link  src
> via dev eth0.1014  src
> default via dev eth3  src

You probably have rp_filter turned off, but please check

cat /proc/sys/net/ipv4/conf/eth3/rp_filter


> src dst 
>       dir fwd priority 0 

There you go.  This policy trumps your other policy.  This one
says that forwarded traffic matching it must carry no tunnel
IPsec transforms.  Therefore all IPsec packets matching it will
be dropped.

> src dst 
>       dir fwd priority 2084 
>       tmpl    src dst
>               proto esp spi 0x00000000 reqid 16465 mode tunnel

The reason it worked with the old setkey and 2.6.7* is that all
forwarded traffic would've been allowed, regardless of whether
it matched the IPsec policy or not.

Visit Openswan at
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page:
PGP Key:
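To make the precedence rule in Herbert's reply concrete, here is an added example that is not part of the thread and is neither iproute2 nor kernel code: a small Python script that parses `ip xfrm policy` output and flags every policy carrying an IPsec template that is shadowed by a template-less policy of the same direction with a lower (that is, stronger) priority value whose selector covers it. The sample SPD listing is constructed; the RFC 5737 documentation addresses stand in for the ones elided from the quoted mail, while the priorities 0 and 2084 and reqid 16465 are the values from the thread. The function names and the dict layout are this example's own.

```python
"""Flag IPsec tunnel policies shadowed by a template-less xfrm policy.

Added example for the netdev thread above (not iproute2 or kernel code).
It mirrors the rule applied in the reply: among policies of one direction
matching a packet, the LOWER priority value wins, and a winning policy
with no `tmpl` demands that matching traffic carry no IPsec transform,
so ESP traffic that matches it is dropped.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List

# Constructed sample in the shape of `ip xfrm policy` output.  RFC 5737
# documentation addresses replace the ones elided from the quoted mail;
# priorities 0 / 2084 and reqid 16465 are the values from the thread.
SAMPLE_XFRM_POLICY = """\
src 192.0.2.0/24 dst 198.51.100.0/24
    dir fwd priority 0
src 192.0.2.0/24 dst 198.51.100.0/24
    dir fwd priority 2084
    tmpl src 203.0.113.1 dst 203.0.113.2
        proto esp spi 0x00000000 reqid 16465 mode tunnel
src 198.51.100.0/24 dst 192.0.2.0/24
    dir in priority 2084
    tmpl src 203.0.113.2 dst 203.0.113.1
        proto esp spi 0x00000000 reqid 16465 mode tunnel
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+dir (\w+)(?:.*?\bpriority (\d+))?")
TMPL_RE = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")
MODE_RE = re.compile(r"^\s+proto (\w+).*\bmode (\w+)")


def parse_xfrm_policies(text: str) -> List[Dict]:
    """Turn `ip xfrm policy` text into dicts: src, dst, dir, priority, tmpl[]."""
    policies: List[Dict] = []
    cur = None
    for line in text.splitlines():
        m = SEL_RE.match(line)
        if m:  # a selector line at column 0 starts a new policy
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None,
                   "priority": 0, "tmpl": []}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"] = m.group(1)
            if m.group(2) is not None:
                cur["priority"] = int(m.group(2))
            continue
        m = TMPL_RE.match(line)
        if m:
            cur["tmpl"].append({"src": m.group(1), "dst": m.group(2),
                                "proto": None, "mode": None})
            continue
        m = MODE_RE.match(line)
        if m and cur["tmpl"]:  # proto/mode line belongs to the last tmpl
            cur["tmpl"][-1]["proto"], cur["tmpl"][-1]["mode"] = m.groups()
    return policies


def _covers(outer: str, inner: str) -> bool:
    """True when prefix `outer` contains prefix `inner` (a bare host is /32 or /128)."""
    o = ipaddress.ip_network(outer, strict=False)
    i = ipaddress.ip_network(inner, strict=False)
    return o.version == i.version and i.subnet_of(o)


def find_shadowed_tunnel_policies(policies: List[Dict]) -> List[Dict]:
    """Every template-carrying policy that loses to a template-less policy of
    the same dir with a strictly lower priority value covering its selector.
    Ties on priority depend on insertion order and are not flagged here."""
    findings = []
    for victim in policies:
        if not victim["tmpl"]:
            continue
        for winner in policies:
            if (winner is victim or winner["tmpl"]
                    or winner["dir"] != victim["dir"]
                    or winner["priority"] >= victim["priority"]):
                continue
            if _covers(winner["src"], victim["src"]) and _covers(winner["dst"], victim["dst"]):
                findings.append({
                    "dir": victim["dir"],
                    "selector": f"src {victim['src']} dst {victim['dst']}",
                    "victim_priority": victim["priority"],
                    "winner_priority": winner["priority"],
                    "modes": [t["mode"] for t in victim["tmpl"]],
                })
    return findings


def format_finding(f: Dict) -> str:
    return (f"dir {f['dir']} {f['selector']}: {'/'.join(f['modes'])} policy at "
            f"priority {f['victim_priority']} is shadowed by a template-less "
            f"policy at priority {f['winner_priority']}; matching ESP traffic "
            f"will be dropped")


if __name__ == "__main__":
    try:  # live SPD when `ip` is available, otherwise the constructed sample
        text = subprocess.run(["ip", "xfrm", "policy"], check=True,
                              capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_XFRM_POLICY
    for finding in find_shadowed_tunnel_policies(parse_xfrm_policies(text)):
        print(format_finding(finding))
```

Run it on the constructed listing and it reports the one conflict from the thread: the `dir fwd priority 0` policy with no template covers the same selector as the `priority 2084` tunnel policy and wins, so forwarded ESP traffic for that pair of prefixes is dropped. The selector comparison only looks at the src/dst prefixes; protocol and port qualifiers on the selector line, which `ip xfrm policy` also prints when set, are ignored, so treat a hit as something to inspect rather than proof on its own.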
