From: Patrick M. <ka...@tr...> - 2006-03-24 10:26:10
Matthew Schumacher wrote:
> Ok, so I have this ipsec tunnel all is well, I upgrade to 2.6.16 to get
> some of these new ipsec features (netfilter related) and find that my
> packets are no longer matching my policy.
>
> I have this defined in my ipsec.conf file:
>
> #!/usr/sbin/setkey -f
> #
> # Flush SAD and SPD
> flush;
> spdflush;
>
> # omit local traffic from ipsec
> spdadd 192.168.1.0/24 192.168.1.0/24 any -P out none;
> spdadd 192.168.1.0/24 192.168.1.0/24 any -P in none;
>
> # Ipsec policies
> spdadd 192.168.1.0/24 192.168.0.0/16 any -P out ipsec
> esp/tunnel/x.x.x.x-y.y.y.y/require;
> spdadd 192.168.0.0/16 192.168.1.0/24 any -P in ipsec
> esp/tunnel/y.y.y.y-x.x.x.x/require;
>
> But for some reason after the kernel upgrade the packets are being sent
> to the default gateway instead of matching the policy and being sent
> through the tunnel which according to setkey -D is up.
>
> Anyone have any thoughts on this?

Most likely related to the netfilter changes in 2.6.16. Netfilter now sees
the packets before and after the transforms and gets a chance to change
the policy in POSTROUTING by SNATing. Check your SNAT rules to make sure
they don't change the source address to something not covered by the policy.
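The interaction Patrick describes, as an added example that is not part of the original thread: a small Python model of the outbound SPD from Matthew's setkey config together with a POSTROUTING SNAT rule, showing that a catch-all SNAT to the public address (203.0.113.5 is a constructed stand-in for x.x.x.x) leaves the packet with no matching policy, while excluding the remote 192.168.0.0/16 networks from SNAT keeps the tunnel policy matching. The selector and SNAT matching here is a simplified model for illustration, not the kernel's code.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the 2.6.16 behaviour in the reply: the outbound SPD lookup
# runs after POSTROUTING, so a SNAT rewrite of the source can change the match.
PUBLIC_IP = "203.0.113.5"  # constructed stand-in for x.x.x.x in the mail

@dataclass
class SPDEntry:  # one "spdadd SRC DST any -P out ACTION" line
    src: str
    dst: str
    action: str  # "none" or "ipsec"

@dataclass
class SNATRule:  # "-t nat -A POSTROUTING -s SRC [! -d EXCLUDE] -j SNAT --to TO"
    src: str
    to: str
    exclude_dst: str = ""  # empty: no destination exclusion

# The outbound SPD from Matthew's config, in the order setkey loaded it.
SPD_OUT = [
    SPDEntry("192.168.1.0/24", "192.168.1.0/24", "none"),
    SPDEntry("192.168.1.0/24", "192.168.0.0/16", "ipsec"),
]

def spd_lookup(spd, src, dst):
    """Action of the first SPD entry whose selectors cover the packet, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in spd:
        if s in ipaddress.ip_network(e.src) and d in ipaddress.ip_network(e.dst):
            return e.action
    return None  # no policy: the packet is simply routed via the default gateway

def apply_snat(rules, src, dst):
    """Source address after the first matching POSTROUTING SNAT rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        excluded = r.exclude_dst and d in ipaddress.ip_network(r.exclude_dst)
        if s in ipaddress.ip_network(r.src) and not excluded:
            return r.to
    return src

def policy_after_snat(rules, src="192.168.1.10", dst="192.168.5.20"):
    """Policy chosen for a LAN-to-remote-LAN packet once SNAT has run."""
    return spd_lookup(SPD_OUT, apply_snat(rules, src, dst), dst)

# Catch-all SNAT: source becomes 203.0.113.5 and nothing in the SPD matches.
BROKEN = [SNATRule("192.168.1.0/24", PUBLIC_IP)]
# Same rule with the remote networks excluded: the tunnel policy still matches.
FIXED = [SNATRule("192.168.1.0/24", PUBLIC_IP, exclude_dst="192.168.0.0/16")]
```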