2006-10-30 16:29:53

by Joerg Platte

Subject: IPSEC and bridged interfaces

Hi,

currently I'm using kernel 2.6.18.1 on one of my computers. The router acts as
an ipsec endpoint and masquerades all packets received via IPSEC.

Today I replaced the local ethernet interface by a bridged interface by
combining the ethernet interface with a tap interface. I changed the
interface names in my iptables-based firewall to match the new bridge
interface name and did not change anything else.

Unfortunately, the kernel does not encrypt incoming packets any more. tcpdump
reveals that all received replies (I tested it with ping) are forwarded
unencrypted, because they are visible on my firewall instead of being
encrypted. Is this a known problem? Is bridging and IPSEC (maybe with
masquerading) currently not supported? Or should I forward this issue to
another mailing list?

regards,
Jörg


2006-10-31 08:30:32

by Jan Engelhardt

Subject: Re: IPSEC and bridged interfaces

>
>Unfortunately, the kernel does not encrypt incoming packets any more. tcpdump
>reveals that all received replies (I tested it with ping) are forwarded
>unencrypted, because they are visible on my firewall instead of being
>encrypted. Is this a known problem? Is bridging and IPSEC (maybe with
>masquerading) currently not supported? Or should I forward this issue to
>another mailing list?

Sounds like those packets are bridged rather than routed (or so it
sounds). See if that's the case. Check
http://www.imagestream.com/~josh/PacketFlow-new.png for details.

You could try `ebtables -t broute -j DROP` to force all packets to be
routed.


-`J'
--
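The brouting suggestion above, spelled out as a complete rule set with the checks that go with it. This is an added example, not code from the thread or from either poster; the bridge, port and network names (br0, eth0, 192.168.0.0/16) are assumptions. In the ebtables broute table the target DROP means "do not bridge this frame, hand it to the IP layer", and ACCEPT means "bridge as usual". One consequence worth knowing before applying it: a brouted frame reaches the IP stack and iptables as if it had been received on the physical port (eth0), not on the bridge device, so iptables rules that were rewritten to match on the bridge name will not see those packets.

```shell
#!/bin/sh
# Added example: force frames entering a bridge port to be routed by the IP
# stack instead of being bridged, using the ebtables "broute" table.
# Names below (br0, eth0, 192.168.0.0/16) are assumptions for illustration.
#
# DRY_RUN=1 (the default) only prints the commands that would be run.
# Set DRY_RUN=0 and run as root on a host with the bridge to apply them.

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# IPv4 frames arriving on bridge port $port and addressed to $net are taken
# out of the bridge (target DROP in BROUTING) and routed instead.
# Once brouted, netfilter sees the packet with in-device $port (e.g. eth0),
# not the bridge (br0): rules written as "-i br0" will not match it.
force_routing() {
    port=$1
    net=$2
    run ebtables -t broute -A BROUTING -i "$port" -p IPv4 \
        --ip-destination "$net" -j DROP
}

# The blanket form: route every frame that enters any bridge port.
force_routing_all() {
    run ebtables -t broute -A BROUTING -j DROP
}

# Whether frames that *stay* bridged are still passed through iptables
# (bridge-nf). 1 = bridged IPv4 frames traverse the iptables chains,
# 0 = they are bridged without iptables seeing them.
bridge_nf_iptables() {
    run sysctl -w net.bridge.bridge-nf-call-iptables="${1:-1}"
}

# What to look at when a packet shows up in tcpdump but never hits the
# IPsec policy: the brouting rules and their counters, the bridge-nf
# setting, and which ports belong to the bridge.
show_state() {
    run ebtables -t broute -L --Lc
    run sysctl net.bridge.bridge-nf-call-iptables
    run brctl show
}

# Usage (dry run prints the commands; DRY_RUN=0 executes them):
force_routing eth0 192.168.0.0/16
bridge_nf_iptables 1
show_state
```

If the goal is only to see whether a reply is bridged or routed, compare the rule counters from `ebtables -t broute -L --Lc` before and after a ping: a counter that stays at zero means the frame never entered BROUTING through that port with that destination, so the rule cannot be what decides its fate.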

2006-10-31 16:19:25

by Joerg Platte

Subject: Re: IPSEC and bridged interfaces

On Tuesday, 31 October 2006 09:30, Jan Engelhardt wrote:
Hi,

> Sounds like those packets are bridged rather than routed (or so it
> sounds). See if that's the case. Check
> http://www.imagestream.com/~josh/PacketFlow-new.png for details.

It looks like my router is able to re-map its IP to the corresponding private
IP, but then this packet is bridged instead of routed (or encrypted).
Unfortunately, IPSEC routing is not listed in this image.

> You could try `ebtables -t broute -j DROP` to force all packets to be
> routed.

I tried
ebtables -t broute -A BROUTING -p ipv4 --ip-destination 192.168.0.0/16 -j DROP
but this does not change anything (192.168.0.0/16 is my private, masqueraded
network). But nothing changed. I'm thinking about replacing my IPSEC VPN
with an openvpn tunnel. Maybe then I'll have less problems.

regards,
Jörg

--
PGP Key: send mail with subject 'SEND PGP-KEY' PGP Key-ID: FD 4E 21 1D
PGP Fingerprint: 388A872AFC5649D3 BCEC65778BE0C605