[Fwd: Openswan, iptables (fiaif) and 2.6.16 kernel problem]
Laurent CARON
Mon Apr 24 01:13:56 CEST 2006
Anders Peter Fugmann wrote:
> Laurent CARON wrote:
> <cut>
>>
>> Here is the answer from the kernel team:
>>
>> No, it isn't a normal behaviour.
>> Patrick McHardy's ipsec patches were integrated in 2.6.16 and now
>> netfilter properly sees both esp & clear packets. This is a
>> drawback of your firewall/snat rules.
>>
>> Adding it to fiaif.conf solves the problem (post start script):
>>
>> iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT
>
> I guess that this is currently the only way to handle IPsec packets.
>
> Reading up on the subject, I guess that Fiaif in its current form is not
> geared to handle IPsec packets, and as such the solution given seems
> like the best workaround.
>
> Could I ask you to try and replace the inserted rule with:
>
> iptables -t nat -I POSTROUTING -m policy --pol ipsec -j ACCEPT
>
I'm under Debian SID, and iptables is only 1.3.3.
This (iptables -t nat -I POSTROUTING -m policy --pol ipsec -j ACCEPT)
requires iptables >= 1.3.5.
Laurent
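An added example, not from the thread or the fiaif project: a small POSIX shell script that emits the nat POSTROUTING exception the thread describes, using the policy match when the parsed iptables version is at least 1.3.5 and the subnet-pair rule otherwise. The version-parsing helper, the constructed `iptables -V` sample line and the `--dir out` argument (which the policy match requires and which the thread's command omits) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): choose the nat POSTROUTING exception
# that keeps SNAT/MASQUERADE away from traffic that IPsec will encapsulate.
# Since 2.6.16 netfilter sees the cleartext packet before ESP encapsulation,
# so without this exception the NAT rule rewrites the source address and the
# packet no longer matches the tunnel policy.

# parse_iptables_version LINE -> prints the dotted version found in
# `iptables -V` output such as "iptables v1.3.3"
parse_iptables_version() {
    printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B -> exit status 0 when dotted version A >= B (3 components)
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s\n' "$1" | cut -d. -f"$i")
        cb=$(printf '%s\n' "$2" | cut -d. -f"$i")
        ca=${ca:-0}; cb=${cb:-0}
        [ "$ca" -gt "$cb" ] && return 0
        [ "$ca" -lt "$cb" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# ipsec_nat_exception VERSION LAN REMOTE -> prints the rule to insert.
# -I puts it at the top of POSTROUTING, ahead of the existing SNAT rule,
# which is why the thread runs it from a post-start script.
ipsec_nat_exception() {
    if version_ge "$1" 1.3.5; then
        # policy match (iptables >= 1.3.5, as the thread states): exempts every
        # packet an outbound IPsec policy will encapsulate, whatever the subnets.
        # The match requires --dir; "out" is the direction valid in POSTROUTING.
        printf '%s\n' "iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT"
    else
        # older iptables: exempt the tunnel's subnet pair explicitly (the rule
        # from the kernel team's answer); one such rule is needed per tunnel
        printf '%s\n' "iptables -t nat -I POSTROUTING -s $2 -d $3 -j ACCEPT"
    fi
}

# Constructed sample of `iptables -V` output matching the poster's Debian SID
# box; replace with "$(iptables -V)" to use the live value.
SAMPLE_VERSION_LINE="iptables v1.3.3"
ver=$(parse_iptables_version "$SAMPLE_VERSION_LINE")
ipsec_nat_exception "$ver" 192.168.0.0/24 192.168.10.0/24
```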