From: Krzysztof O. <ol...@an...> - 2006-03-24 13:38:27
On Thu, 23 Mar 2006, Matthew Schumacher wrote:
> Ok, so I have this ipsec tunnel, all is well, I upgrade to 2.6.16 to get
> some of these new ipsec features (netfilter related) and find that my
> packets are no longer matching my policy.
>
> I have this defined in my ipsec.conf file:
>
> #!/usr/sbin/setkey -f
> #
> # Flush SAD and SPD
> flush;
> spdflush;
>
> # omit local traffic from ipsec
> spdadd 192.168.1.0/24 192.168.1.0/24 any -P out none;
> spdadd 192.168.1.0/24 192.168.1.0/24 any -P in none;
>
> # Ipsec policies
> spdadd 192.168.1.0/24 192.168.0.0/16 any -P out ipsec
> esp/tunnel/x.x.x.x-y.y.y.y/require;
> spdadd 192.168.0.0/16 192.168.1.0/24 any -P in ipsec
> esp/tunnel/y.y.y.y-x.x.x.x/require;
>
> But for some reason after the kernel upgrade the packets are being sent
> to the default gateway instead of matching the policy and being sent
> through the tunnel which according to setkey -D is up.

Probably a NAT issue. Kernels starting from 2.6.16 are able to deal with
nat+ipsec; you need to match ipsec traffic with -m policy and add rules
to prevent NATing.

Best regards,

				Krzysztof Olędzki
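The NAT exemption Krzysztof describes, as an added example that is not part of the thread: it generates an iptables-restore fragment for the nat table in which a `-m policy --dir out --pol ipsec` rule accepts tunnel-bound traffic before the MASQUERADE rule rewrites its source. The subnets are taken from Matthew's SPD; the external interface name `eth0` is an assumption.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumptions: LAN and remote subnets as in Matthew's setkey SPD; the
# outside interface "eth0" is assumed and must be adjusted.
LAN_NET="192.168.1.0/24"
REMOTE_NET="192.168.0.0/16"
WAN_IF="eth0"

# Emit an iptables-restore fragment for the nat table.
# Order matters: from 2.6.16 the nat POSTROUTING rewrite runs before the
# outbound SPD lookup, so a masqueraded source no longer matches the
# "spdadd 192.168.1.0/24 192.168.0.0/16 ... -P out ipsec" selector.
# The -m policy rule ACCEPTs (skips NAT for) packets whose outbound policy
# is an IPsec tunnel, so they keep their LAN source and are encapsulated.
nat_rules() {
    printf '%s\n' \
        '*nat' \
        ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s $LAN_NET -d $REMOTE_NET -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT" \
        "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE" \
        'COMMIT'
}

# Self-check: the policy exemption must precede the MASQUERADE rule,
# otherwise the exemption never sees an untranslated packet.
policy_precedes_nat() {
    nat_rules | awk '/-m policy/ {p=NR} /MASQUERADE/ {m=NR} END {exit !(p && m && p < m)}'
}

# To apply on the gateway (root required):
#   nat_rules | iptables-restore --noflush
```

Check the result afterwards with `iptables -t nat -L POSTROUTING -v -n`; the ACCEPT counter should climb for tunnel-bound traffic while `setkey -D` still shows the SA as up.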