On Tue, 18 Oct 2005, Robin Cornelius wrote:
With KLIPS ipsec stack (kernel 2.6.X +) this approach can no longer work. What happens is the ESP packet appears on eth1, is decoded by the kernel, then injected back into the input of eth1, so the reject all rules will then reject the decoded data. The most effective solution I have found is packet marking using the iptables traffic shaping rules. I cheated a bit and used shorewall to do some of this, so you will have to cross reference this with the iptables man page, but I marked all packets of type ESP on my eth0 (my incoming port) with a 1; specifically I added this to /etc/shorewall/tcrules
Aah OK - I think I get you, I'll have a go with that later on.
#MARK SOURCE DEST      PROTO PORT(S) CLIENT USER
1:P   ppp0   0.0.0.0/0 ESP
1:F   ppp0   0.0.0.0/0 ESP
1     $FW    0.0.0.0/0 ALL
That reminds me of another question that's occurred while playing with openswan - why is running ppp necessary now? Again, before in the pre 2.6 days my ipsec tunnel did everything I needed it to. I'd rather not have to complicate things by running ppp as well.
Cheers for the hints!

Alex.

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
FAQ: www.dcglug.org.uk/linux_adm/list-faq.html
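As an added example (not code from the thread or from Shorewall itself), the tcrules lines quoted above expanded into the iptables mangle commands Shorewall would generate, plus the filter rule that actually admits the decoded packets; it assumes Shorewall's documented MARK suffixes (:P PREROUTING, :F FORWARD, an unsuffixed rule with SOURCE $FW goes in OUTPUT) and relies on the fwmark set on the ESP packet surviving decapsulation, which is what lets `-m mark` tell decrypted traffic apart from plaintext arriving on the same interface.

```python
"""Expand Shorewall tcrules lines into the iptables commands behind them.

Added example; assumes the Shorewall column layout shown in the thread
(MARK SOURCE DEST PROTO ...) and the documented MARK chain suffixes.
"""

# Constructed sample: the three tcrules lines from the thread.
TCRULES = """\
#MARK SOURCE DEST      PROTO PORT(S) CLIENT USER
1:P   ppp0   0.0.0.0/0 ESP
1:F   ppp0   0.0.0.0/0 ESP
1     $FW    0.0.0.0/0 ALL
"""

# MARK suffix -> mangle chain (Shorewall tcrules convention)
CHAIN_SUFFIX = {"P": "PREROUTING", "F": "FORWARD", "T": "POSTROUTING", "O": "OUTPUT"}


def parse_rule(line):
    """Split one tcrules line into mark value, mangle chain, source, dest, proto."""
    fields = line.split()
    mark, src, dst, proto = (fields + ["-"] * 4)[:4]
    value, _, suffix = mark.partition(":")
    if suffix:
        chain = CHAIN_SUFFIX[suffix.upper()]
    elif src == "$FW":
        chain = "OUTPUT"  # unsuffixed rules from the firewall itself go in OUTPUT
    else:
        chain = "PREROUTING"
    return {"mark": int(value), "chain": chain, "src": src, "dst": dst, "proto": proto.lower()}


def to_iptables(rule):
    """Render one parsed rule as an iptables mangle command."""
    cmd = ["iptables", "-t", "mangle", "-A", rule["chain"]]
    if rule["src"] == "$FW":
        pass  # locally generated traffic: no -i/-s match in OUTPUT
    elif "/" in rule["src"] or rule["src"][0].isdigit():
        cmd += ["-s", rule["src"]]  # address or network
    else:
        cmd += ["-i", rule["src"]]  # interface name
    if rule["dst"] not in ("-", "0.0.0.0/0"):
        cmd += ["-d", rule["dst"]]
    if rule["proto"] not in ("-", "all"):
        cmd += ["-p", rule["proto"]]
    cmd += ["-j", "MARK", "--set-mark", str(rule["mark"])]
    return " ".join(cmd)


def translate(text):
    """All marking commands for a tcrules file body (comments/blank lines skipped)."""
    return [to_iptables(parse_rule(l)) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def accept_marked(mark, chain="INPUT"):
    """Filter rule admitting packets that carry the mark, i.e. the decoded IPsec traffic."""
    return f"iptables -A {chain} -m mark --mark {mark} -j ACCEPT"
```

Place the `accept_marked` rule ahead of the interface-based reject-all rules so that only traffic which arrived as ESP (and therefore inherited the mark) passes them.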