On Thu, Apr 21, 2005 at 04:40:16PM +0200, Wolfgang Walter wrote:
>
> 10.148.0.0/23 dev eth2.1001 scope link src 10.148.0.1
> 10.148.32.0/20 via 10.148.15.30 dev eth0.1014 src 10.148.15.29
> default via 192.168.77.162 dev eth3 src 192.168.77.161
Although you probably have rp_filter turned, please check
cat /proc/sys/net/ipv4/conf/eth3/rp_filter
anyway.
> src 10.148.0.0/23 dst 10.0.25.210/32
> dir fwd priority 0
There you go. This policy trumps your other policy. This one
says that forwarded traffic matching it must carry no tunnel
IPsec transforms. Therefore all IPsec packets matching it will
be dropped.
> src 10.148.4.0/28 dst 10.0.25.210/32
> dir fwd priority 2084
> tmpl src 192.168.9.237 dst 192.168.77.161
> proto esp spi 0x00000000 reqid 16465 mode tunnel
The reason it worked with the old setkey and 2.6.7* is that all
forwarded traffic would've been allowed, regardless of whether
they matched the IPsec policy or not.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志伟 <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
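To make the lookup rule in the reply concrete, here is an added Python model of the xfrm fwd-direction policy check (illustration only, not code from the thread or from the kernel). The two policies are the ones quoted above; the sample hosts and the packet's transform list are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    """One SPD entry, as printed by `ip xfrm policy`."""
    src: str
    dst: str
    direction: str
    priority: int
    # Templates as (proto, mode) pairs. An empty list means the policy
    # permits no IPsec transforms: matching traffic must arrive in clear.
    tmpl: list = field(default_factory=list)

    def matches(self, src, dst, direction):
        return (direction == self.direction
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


def lookup(policies, src, dst, direction):
    """Select the matching policy; xfrm prefers the lowest priority value."""
    hits = [p for p in policies if p.matches(src, dst, direction)]
    return min(hits, key=lambda p: p.priority) if hits else None


def forward_check(policies, src, dst, transforms):
    """Emulate the fwd policy check; `transforms` lists the (proto, mode)
    pairs the packet actually went through on input, [] for clear text."""
    pol = lookup(policies, src, dst, "fwd")
    if pol is None:
        # No policy: clear text is forwarded, IPsec-processed traffic that
        # no policy accounts for is dropped.
        return "accept" if not transforms else "drop: no policy"
    if pol.tmpl == transforms:
        return "accept"
    return f"drop: priority {pol.priority} policy expects {pol.tmpl}"


# The two quoted policies; spi/reqid play no part in the selection.
POLICIES = [
    Policy("10.148.0.0/23", "10.0.25.210/32", "fwd", 0),
    Policy("10.148.4.0/28", "10.0.25.210/32", "fwd", 2084,
           [("esp", "tunnel")]),
]

if __name__ == "__main__":
    for host in ("10.148.0.10", "10.148.4.3"):  # constructed sample hosts
        for tf in ([("esp", "tunnel")], []):
            print(host, tf or "clear", "->",
                  forward_check(POLICIES, host, "10.0.25.210", tf))
```

Under the priority-0 policy, ESP-protected traffic from 10.148.0.0/23 fails the template match and is dropped, which is the behaviour the reply describes.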