[Fwd: Openswan, iptables (fiaif) and 2.6.16 kernel problem]
Anders Peter Fugmann
Sun Apr 23 13:02:37 CEST 2006
Laurent CARON wrote:
<cut>
>
> Here is the answer from the kernel team:
>
> No, it isn't a normal behaviour.
> Patrick McHardy's IPsec patches were integrated in 2.6.16 and now
> netfilter properly sees both ESP & clear packets. This is a
> drawback of your firewall/SNAT rules.
>
> Adding it to fiaif.conf solves the problem (post start script):
>
> iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT
I guess that this is currently the only way to handle IPsec packets.
Reading up on the subject, I guess that Fiaif in its current form is not
geared to handle IPsec packets, and as such the solution given seems
like the best workaround.
Could I ask you to try and replace the inserted rule with:
iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
The documentation is somewhat sparse on the subject, but from what I can
read this rule should catch all packets that are to be encapsulated by
IPsec and then not NAT these.
If the rule works, I will change FIAIF to have this rule by default in
the postrouting chain.
In Fiaif2 (which is progressing nicely, but still far away) I will allow
for VPN zones which only match packets in clear text (before
encapsulation / after decapsulation). This way IPsec packets can be
handled in a generic way, from a user perspective.
Regards
Anders Fugmann
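As an added example (not the fiaif project's own code), a small POSIX shell script that emits a nat table in which the `-m policy` exemption discussed above sits ahead of the SNAT rule, plus a check that a POSTROUTING listing has that order; the two subnets come from the thread, while the interface name eth0 and the MASQUERADE rule are assumptions.

```sh
#!/bin/sh
# Added example, not code from fiaif. Subnets are taken from the thread;
# the external interface and the MASQUERADE rule are assumed values.
LAN_NET="192.168.0.0/24"   # local LAN
VPN_NET="192.168.10.0/24"  # remote LAN reached through the IPsec tunnel
WAN_IF="eth0"              # assumed external interface

# Emit the nat table in iptables-restore format. The policy exemption must
# precede the MASQUERADE rule: since 2.6.16 the clear-text packet passes
# POSTROUTING before ESP encapsulation, so if it were rewritten to the WAN
# address first it would no longer match the tunnel's $LAN_NET -> $VPN_NET
# selectors and would leave the box unencrypted (or be dropped).
nat_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Load the rules without flushing what fiaif already installed.
apply_rules() {
    nat_rules | iptables-restore --noflush
}

# Read a POSTROUTING listing (iptables-save format) on stdin and succeed
# only if a '--pol ipsec' rule exists and appears before the first
# SNAT/MASQUERADE rule in that chain.
check_order() {
    awk '
        /^-A POSTROUTING / && /--pol ipsec/ && !pol          { pol = NR }
        /^-A POSTROUTING / && /-j (SNAT|MASQUERADE)/ && !nat { nat = NR }
        END { exit ((pol && (!nat || pol < nat)) ? 0 : 1) }
    '
}
```

On the gateway, `iptables-save -t nat | check_order` confirms the live ordering after the post-start script has run.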