Re: ipsec on 2.6.16+ question

["Marco Berizzi" <pupilla@hotmail.com>]

Gary W. Smith wrote:

>Hello,
>
>I've upgraded one of our old firewalls from RHEL4 to RPATH 1.0.5
>(2.6.16).  We moved the firewall script directly from the old firewall
>to the new one and everything appeared to work except IPSEC, which
>failed.  It appears that it's no longer honoring the -p ! esp portion
of
>the postrouting.  I'm not sure if this is or is not standard behavior
or
>not or if there is a better way of doing what I'm doing below.  We have
>additional IP's beyond what's listed below (some public, some not)
which
>would require multiple lines for this.
>
>Original:
>
>-A POSTROUTING -o eth1 -p ! esp -j MASQUERADE
>
>Current working:
>-A POSTROUTING -s 10.0.16.0/255.255.248.0 -d 10.0.32.0/255.255.255.0 -o
>eth1 -j ACCEPT
>-A POSTROUTING -o eth1 -j MASQUERADE

I havent't understood your message.
Since 2.6.16 outgoing ipsec packets are seeing twice:
clear & encrypted on the outgoing interface (which if
I correctly understand is eth1 for you).
You must upgrade to iptables >=1.3.5 and take a look
for the new 'policy' match.
Something like this should do the trick (linux will
not snat packets which will be sent through the (any)
ipsec tunnel(s)):

$IPTABLES -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j
ACCEPT