Date: Fri, 22 Apr 2005 07:46:18 +1000
From: Herbert Xu
To: Wolfgang Walter
Cc: netdev@oss.sgi.com
Subject: Re: Problem with IPSEC tunnel mode
Message-ID: <20050421214618.GA29991@gondor.apana.org.au>
References: <200504211640.16742.wolfgang.walter@studentenwerk.mhn.de>
In-Reply-To: <200504211640.16742.wolfgang.walter@studentenwerk.mhn.de>

On Thu, Apr 21, 2005 at 04:40:16PM +0200, Wolfgang Walter wrote:
>
> 10.148.0.0/23 dev eth2.1001 scope link src 10.148.0.1
> 10.148.32.0/20 via 10.148.15.30 dev eth0.1014 src 10.148.15.29
> default via 192.168.77.162 dev eth3 src 192.168.77.161

Although you probably have rp_filter turned, please check

cat /proc/sys/net/ipv4/conf/eth3/rp_filter

anyway.

> src 10.148.0.0/23 dst 10.0.25.210/32
> dir fwd priority 0

There you go.  This policy trumps your other policy.  This one says that
forwarded traffic matching it must carry no tunnel IPsec transforms.
Therefore all IPsec packets matching it will be dropped.

> src 10.148.4.0/28 dst 10.0.25.210/32
> dir fwd priority 2084
> tmpl src 192.168.9.237 dst 192.168.77.161
> proto esp spi 0x00000000 reqid 16465 mode tunnel

The reason it worked with the old setkey and 2.6.7* is that all forwarded
traffic would've been allowed, regardless of whether they matched the IPsec
policy or not.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~}
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
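The precedence rule in the reply above (the matching forward policy with the lowest priority value wins, and a policy without templates only admits traffic that arrived without a tunnel-mode transform) can be worked through with a small model. The following Python is an added illustration, not code from the thread and not the kernel's xfrm implementation; it simplifies the kernel's check to the two rules the reply states. The tunnel policy and its template addresses are the ones quoted in the thread. The catch-all selector is widened to 10.148.0.0/16 (a constructed value) so that it overlaps the /28 and the precedence effect can be shown, and the packet addresses are constructed.

```python
"""Simplified model of the Linux xfrm forward-policy check (added example).

Models only what the reply describes: the matching policy with the lowest
priority value is chosen, and a policy with no templates accepts traffic
only if it carried no tunnel-mode IPsec transform.  Not kernel code.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Template:
    proto: str        # "esp" or "ah"
    mode: str         # "tunnel" or "transport"
    src: str = ""     # outer addresses, compared in tunnel mode only
    dst: str = ""


@dataclass
class Policy:
    src: str          # selector prefixes, as printed by `ip xfrm policy`
    dst: str
    direction: str    # "in", "out" or "fwd"
    priority: int     # lower value wins
    templates: List[Template] = field(default_factory=list)


@dataclass
class SecpathEntry:
    """One SA the packet was decapsulated by, outermost first."""
    proto: str
    mode: str
    src: str
    dst: str


def lookup_policy(policies, direction, src_ip, dst_ip) -> Optional[Policy]:
    """Return the matching policy with the lowest priority value, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for p in policies:
        if p.direction != direction:
            continue
        if src not in ipaddress.ip_network(p.src) or dst not in ipaddress.ip_network(p.dst):
            continue
        if best is None or p.priority < best.priority:
            best = p
    return best


def _sa_satisfies(tmpl: Template, sa: SecpathEntry) -> bool:
    if (tmpl.proto, tmpl.mode) != (sa.proto, sa.mode):
        return False
    if tmpl.mode == "tunnel":
        return (tmpl.src, tmpl.dst) == (sa.src, sa.dst)
    return True


def policy_check(policies, direction, src_ip, dst_ip, secpath) -> str:
    """Return "accept" or a "reject: ..." string for a forwarded packet."""
    pol = lookup_policy(policies, direction, src_ip, dst_ip)
    if pol is None:
        # No policy at all: plain traffic passes, tunnelled traffic does not.
        if any(sa.mode == "tunnel" for sa in secpath):
            return "reject: tunnelled traffic without policy"
        return "accept"
    # Templates are listed innermost first, the secpath outermost first,
    # so the templates are walked in reverse against the secpath.
    k = 0
    for tmpl in reversed(pol.templates):
        while k < len(secpath) and not _sa_satisfies(tmpl, secpath[k]):
            if secpath[k].mode == "tunnel":
                break          # an unrequested tunnel SA cannot be skipped
            k += 1
        if k == len(secpath) or not _sa_satisfies(tmpl, secpath[k]):
            return f"reject: required {tmpl.proto} {tmpl.mode} transform missing"
        k += 1
    # Any SA left over must be transport mode; a leftover tunnel SA means
    # the packet carried a transform this policy did not ask for.
    if any(sa.mode == "tunnel" for sa in secpath[k:]):
        return f"reject: policy priority {pol.priority} permits no tunnel transform"
    return "accept"


# Catch-all selector is constructed (widened to /16) so it overlaps the /28;
# the tunnel policy below is the one quoted in the thread.
POLICIES = [
    Policy("10.148.0.0/16", "10.0.25.210/32", "fwd", 0),
    Policy("10.148.4.0/28", "10.0.25.210/32", "fwd", 2084,
           [Template("esp", "tunnel", "192.168.9.237", "192.168.77.161")]),
]
TUNNEL_SA = SecpathEntry("esp", "tunnel", "192.168.9.237", "192.168.77.161")


def check_tunnelled_packet(policies=POLICIES) -> str:
    """Decapsulated packet from 10.148.4.10 (constructed) to 10.0.25.210."""
    return policy_check(policies, "fwd", "10.148.4.10", "10.0.25.210", [TUNNEL_SA])


def check_without_catch_all() -> str:
    """Same packet once the priority-0 policy is gone."""
    return check_tunnelled_packet([POLICIES[1]])


def check_clear_packet() -> str:
    """Plain forwarded traffic from 10.148.1.7 (constructed), no secpath."""
    return policy_check(POLICIES, "fwd", "10.148.1.7", "10.0.25.210", [])


if __name__ == "__main__":
    print("tunnelled, both policies:", check_tunnelled_packet())
    print("tunnelled, no catch-all: ", check_without_catch_all())
    print("clear, catch-all only:   ", check_clear_packet())
```

Running it shows the outcome the reply predicts: the tunnelled packet matches both selectors, the priority-0 policy is chosen, and because that policy carries no template the tunnel SA in the secpath is an unrequested transform and the packet is rejected; with the priority-0 policy removed the same packet is accepted against the priority-2084 policy's ESP tunnel template, and clear traffic covered only by the catch-all is forwarded as before. When a bypass policy is genuinely needed, giving it a larger priority value than the tunnel policies, or narrowing its selector so it does not overlap them, avoids this shadowing.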