On Thursday, 21 April 2005 23:46, you wrote:
> On Thu, Apr 21, 2005 at 04:40:16PM +0200, Wolfgang Walter wrote:
> > 10.148.0.0/23 dev eth2.1001 scope link src 10.148.0.1
> > 10.148.32.0/20 via 10.148.15.30 dev eth0.1014 src 10.148.15.29
> > default via 192.168.77.162 dev eth3 src 192.168.77.161
>
> Although you probably have rp_filter turned, but please check
>
> cat /proc/sys/net/ipv4/conf/eth3/rp_filter
>
> anyway.
>
> > src 10.148.0.0/23 dst 10.0.25.210/32
> > dir fwd priority 0
>
> There you go. This policy trumps your other policy. This one
> says that forwarded traffic matching it must carry no tunnel
> IPsec transforms. Therefore all IPsec packets matching it will
> be dropped.
I don't understand that. 10.148.0.0/23 is 10.148.0.0-10.148.1.255, isn't it?
But 10.148.4.0/28 (which is 10.148.4.0-10.148.4.15) is not within it.
>
> > src 10.148.4.0/28 dst 10.0.25.210/32
> > dir fwd priority 2084
> > tmpl src 192.168.9.237 dst 192.168.77.161
> > proto esp spi 0x00000000 reqid 16465 mode tunnel
>
> The reason it worked with the old setkey and 2.6.7* is that all
> forwarded traffic would've been allowed, regardless of whether
> they matched the IPsec policy or not.
>
> Cheers,
Greetings,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
Leopoldstraße 15
80802 München
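A small script to check which xfrm policy a given forwarded flow would select, added here as an illustration and not part of the thread. It embeds the two policy entries quoted above as a constructed sample in the shape of `ip xfrm policy` output, assumes the kernel's rule that among policies whose selectors match a flow the one with the lowest priority value wins (insertion order breaks ties), and treats a policy without a `tmpl` as a plain pass-through policy in the sense the reply gives it. The function names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample mirroring the two policies quoted in the thread.
POLICY_DUMP = """\
src 10.148.0.0/23 dst 10.0.25.210/32
    dir fwd priority 0
src 10.148.4.0/28 dst 10.0.25.210/32
    dir fwd priority 2084
    tmpl src 192.168.9.237 dst 192.168.77.161
        proto esp spi 0x00000000 reqid 16465 mode tunnel
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str = ""
    priority: int = 0
    # Each template: {"src", "dst", "proto", "mode"}. An empty list means the
    # policy requires no IPsec transform at all (pass-through).
    templates: List[dict] = field(default_factory=list)

    def matches(self, src_ip: str, dst_ip: str, direction: str) -> bool:
        return (direction == self.direction
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


def parse_policies(text: str) -> List[Policy]:
    """Parse the selector/dir/priority/tmpl lines of an `ip xfrm policy` dump."""
    policies: List[Policy] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:
            policies.append(Policy(ipaddress.ip_network(m.group(1)),
                                   ipaddress.ip_network(m.group(2))))
            continue
        m = re.match(r"dir (\S+) priority (\d+)", line)
        if m:
            policies[-1].direction = m.group(1)
            policies[-1].priority = int(m.group(2))
            continue
        m = re.match(r"tmpl src (\S+) dst (\S+)", line)
        if m:
            policies[-1].templates.append({"src": m.group(1), "dst": m.group(2)})
            continue
        m = re.match(r"proto (\S+) .*mode (\S+)", line)
        if m and policies and policies[-1].templates:
            policies[-1].templates[-1].update(proto=m.group(1), mode=m.group(2))
    return policies


def lookup(policies: List[Policy], src_ip: str, dst_ip: str,
           direction: str) -> Optional[Policy]:
    """Return the policy the kernel would apply to this flow, or None if no
    selector matches. Lowest priority value wins; min() keeps list order on ties."""
    candidates = [p for p in policies if p.matches(src_ip, dst_ip, direction)]
    return min(candidates, key=lambda p: p.priority) if candidates else None


def shadowed_by(policies: List[Policy], target: Policy) -> List[Policy]:
    """Policies in the same direction with a lower priority value whose
    selectors overlap the target's, i.e. ones that could trump it for some flow."""
    return [q for q in policies
            if q is not target and q.direction == target.direction
            and q.priority < target.priority
            and q.src.overlaps(target.src) and q.dst.overlaps(target.dst)]


if __name__ == "__main__":
    pols = parse_policies(POLICY_DUMP)
    for src in ("10.148.0.5", "10.148.1.255", "10.148.4.5"):
        hit = lookup(pols, src, "10.0.25.210", "fwd")
        kind = "tunnel" if hit and hit.templates else "pass-through"
        print(f"{src} -> 10.0.25.210 fwd: priority {hit.priority} ({kind})")
    print("policies shadowing the /28 tunnel policy:", shadowed_by(pols, pols[1]))
```

Run it and the /23 pass-through policy is selected only for the 10.148.0.x and 10.148.1.x sources; a 10.148.4.x source picks the priority-2084 tunnel policy, and `shadowed_by` finds no lower-priority policy overlapping the /28, which is the containment arithmetic the reply above spells out. Feeding the script the full `ip xfrm policy` output from a router is the quick way to see which entry actually wins for a flow that is unexpectedly dropped.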