
RE: ipsec on 2.6.16+ question

To: "Marco Berizzi" <pupilla@hotmail.com>
Subject: RE: ipsec on 2.6.16+ question
From: "Gary W. Smith" <gary@primeexalia.com>
Date: Mon, 18 Dec 2006 01:39:22 -0800
Cc: netfilter@lists.netfilter.org
Delivered-to: sp-com-lists@consult.net
Delivered-to: netfilter-list1@securepoint.com
In-reply-to: <BAY103-DAV2730F1927552670E0B615B2C90@phx.gbl>
List-archive: </pipermail/netfilter>
List-help: <mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id: General discussion and user questions <netfilter.lists.netfilter.org>
List-post: <mailto:netfilter@lists.netfilter.org>
List-subscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
Sender: netfilter-bounces@lists.netfilter.org
Thread-index: AccihjZJ35m2VqUURziPBH0AByI6oAAAebFQ
Thread-topic: ipsec on 2.6.16+ question
Marco,

What you have included below makes sense.  I will take a look at getting
1.3.5 in place.  Not sure how long that will take me though.  The
workaround in place is working for me (but I have some 30 entries in there
-- wide wan net of IPSEC firewalls).

I did read somewhere about using the policy modules BUT I couldn't find
any reference to what version it was in.  Now I know :)

Thanks, 

Gary Wayne Smith

> >Current working:
> >-A POSTROUTING -s 10.0.16.0/255.255.248.0 -d 10.0.32.0/255.255.255.0 -o eth1 -j ACCEPT
> >-A POSTROUTING -o eth1 -j MASQUERADE
> 
> I haven't understood your message.
> Since 2.6.16 outgoing ipsec packets are seen twice:
> clear & encrypted on the outgoing interface (which if
> I correctly understand is eth1 for you).
> You must upgrade to iptables >=1.3.5 and take a look
> for the new 'policy' match.
> Something like this should do the trick (linux will
> not snat packets which will be sent through the (any)
> ipsec tunnel(s)):
> 
> $IPTABLES -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
> 
> 
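Marco's rule uses `-I` so that the policy-match exemption lands ahead of the MASQUERADE rule; if it ends up after it, the clear-text copy of each IPsec packet is still source-NATed before encryption. The following check is an added example, not code from the thread: it parses constructed `iptables-save` output (the dump strings are made up for illustration) and reports whether an outbound `--pol ipsec` ACCEPT precedes every SNAT/MASQUERADE rule in nat POSTROUTING.

```python
import re

# Constructed iptables-save fragments (not from the thread). GOOD has the
# exemption ahead of MASQUERADE, BAD has them reversed, MISSING lacks it.
GOOD_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""
BAD_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
"""
MISSING_DUMP = "*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -o eth1 -j MASQUERADE\nCOMMIT\n"

EXEMPT = re.compile(r"-m policy .*--dir out .*--pol ipsec .*-j ACCEPT")
NAT_TARGET = re.compile(r"-j (MASQUERADE|SNAT)\b")


def postrouting_rules(dump):
    """Return the nat-table POSTROUTING rules of an iptables-save dump, in chain order."""
    rules, in_nat = [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            in_nat = line == "*nat"
        elif line == "COMMIT":
            in_nat = False
        elif in_nat and line.startswith("-A POSTROUTING "):
            rules.append(line[len("-A POSTROUTING "):])
    return rules


def check_ipsec_exemption(dump):
    """Return (ok, reason): ok is True only if no SNAT/MASQUERADE can reach
    outbound IPsec traffic, i.e. the policy-match ACCEPT comes first."""
    rules = postrouting_rules(dump)
    exempt_at = next((i for i, r in enumerate(rules) if EXEMPT.search(r)), None)
    nat_at = next((i for i, r in enumerate(rules) if NAT_TARGET.search(r)), None)
    if nat_at is None:
        return True, "no SNAT/MASQUERADE rule in nat POSTROUTING"
    if exempt_at is None:
        return False, "no '-m policy --dir out --pol ipsec -j ACCEPT' rule (needs iptables >= 1.3.5)"
    if exempt_at < nat_at:
        return True, f"ipsec exemption at rule {exempt_at + 1} precedes NAT at rule {nat_at + 1}"
    return False, f"NAT at rule {nat_at + 1} precedes ipsec exemption at rule {exempt_at + 1}"


if __name__ == "__main__":
    for name, dump in (("good", GOOD_DUMP), ("bad", BAD_DUMP), ("missing", MISSING_DUMP)):
        print(name, check_ipsec_exemption(dump))
```

On a live box, feed it `iptables-save -t nat` output instead of the constructed strings.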