Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261944AbTHTMLo (ORCPT ); Wed, 20 Aug 2003 08:11:44 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261945AbTHTMLo (ORCPT ); Wed, 20 Aug 2003 08:11:44 -0400 Received: from werbeagentur-aufwind.com ([217.160.128.76]:31444 "EHLO mail.werbeagentur-aufwind.com") by vger.kernel.org with ESMTP id S261944AbTHTMLn (ORCPT ); Wed, 20 Aug 2003 08:11:43 -0400 Subject: Re: [OT] Connection tracking for IPSec From: Christophe Saout To: Felipe Alfaro Solana Cc: LKML In-Reply-To: <1061378568.668.9.camel@teapot.felipe-alfaro.com> References: <1061378568.668.9.camel@teapot.felipe-alfaro.com> Content-Type: text/plain Message-Id: <1061381498.4210.16.camel@chtephan.cs.pocnet.net> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.4 Date: Wed, 20 Aug 2003 14:11:38 +0200 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1829 Lines: 40 Am Mi, 2003-08-20 um 13.22 schrieb Felipe Alfaro Solana: > When using IPSec, if I open up protocols 50 and 51, all IPSec-protected > traffic passes through the firewall, but it's not checked against the > connection tracking module. How can I configure iptables so an > IPSec-protected packet, after being classified as IP protocol 50 or 51, > loop back one more time to pass through the connection tracking module? You're saying it's not honouring the netfilter rules at all? I'm having a related problem here. I switched my small home server/router to the 2.6 kernel and switched from klips(freeswan) to the new in-kernel ipsec. Racoon is working fine as keying daemon but the netfilter rules don't work anymore. I'm using it to encrypt between a single server in the internet (not a network) and my router at home. I want it to masquerade the traffic from my internal home network to the other machine, just like if there was no encrypted path. It doesn't work. The traffic from my internal network goes out masqueraded but unencrypted and the other machine answers, but encrypted, and on the return path my router at home throws the packet away because it doesn't know what to do with that packet. With klips it was possible to apply netfilter rules before and after the packets got encrypted, because there was an additional virtual device (ipsec0) that catches the traffic before encryption (or after decryption). -- Christophe Saout Please avoid sending me Word or PowerPoint attachments. See http://www.fsf.org/philosophy/no-word-attachments.html - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/