
Re: [Users] iptables for ipsec with NAT?

From: Linas Vepstas (linas_at_linas.org)
Date: Sat Jun 29 2002 - 00:54:11 CEST


On Fri, Jun 28, 2002 at 12:08:18PM +0100, Jarlath Burke was heard to remark:
> Hi,
> I've got a firewall box running IPSec and NAT, which masquerades my internal
> private subnet.
> I've found that I have to insert the following rule to my firewall before
> the masquerading
> rules to get traffic to flow over my VPN:
>
> iptables -t nat -I POSTROUTING 1 -o ipsec0 -j ACCEPT
>
> i.e., escape any IPSec traffic from being masqueraded.
>
> Can anyone explain why this is required? I don't understand how the original
> traffic
> coming from the private subnet could even reach the POSTROUTING table.

-- for what it's worth, I run nat+ipsec and I don't need a rule like that.
But then, my rules are different.

I'm guessing that you've managed to masquerade the packets *before*
they enter the freeswan apparatus. Therefore, when the return packets
arrive and are decrypted, then iptables gets a crack at them, and decides
it 'knows' them, because it had previously masqueraded their outgoing
cousins. That's my guess.

--linas

-- 
pub  1024D/01045933 2001-02-01 Linas Vepstas (Labas!) <linas_at_linas.org>
PGP Key fingerprint = 8305 2521 6000 0B5E 8984  3F54 64A9 9A82 0104 5933
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
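The exchange above turns on one property of netfilter chains: rules are evaluated top to bottom and the first matching terminating target decides the packet's fate, so where the `-o ipsec0 -j ACCEPT` rule sits relative to the masquerading rule is what matters. The following is an added illustration for this thread, not FreeS/WAN, netfilter or either poster's code. It does not call iptables; it models a `nat`/`POSTROUTING` chain as a list of rules with first-match semantics and runs two constructed packets through three constructed rulesets: the LAN-wide MASQUERADE rule on its own, the same rule with the poster's exception inserted at position 1, and (as an assumption about what a ruleset that needs no exception might look like) a MASQUERADE rule restricted to the external interface. The subnet `192.168.1.0/24`, the host `192.168.1.10` and the interface name `eth0` are constructed sample values.

```python
"""First-match model of an iptables nat/POSTROUTING chain (added example).

This is not netfilter code; it only reproduces the rule-ordering semantics
that make `iptables -t nat -I POSTROUTING 1 -o ipsec0 -j ACCEPT` work.
All addresses, subnets and interface names below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    target: str                      # terminating target, e.g. ACCEPT or MASQUERADE
    out_iface: Optional[str] = None  # "-o" match; None means any outgoing interface
    src: Optional[str] = None        # "-s" match in CIDR form; None means any source

    def matches(self, pkt: Dict[str, str]) -> bool:
        if self.out_iface is not None and pkt["out"] != self.out_iface:
            return False
        if self.src is not None and (
            ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src)
        ):
            return False
        return True


def evaluate(chain: List[Rule], pkt: Dict[str, str]) -> str:
    """Return the target of the first rule that matches, else the chain policy.

    The built-in nat chains have policy ACCEPT, so an unmatched packet leaves
    the chain untranslated.
    """
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return "ACCEPT"


def insert(chain: List[Rule], position: int, rule: Rule) -> None:
    """Mirror `iptables -I CHAIN <position>` (1-based, as in iptables)."""
    chain.insert(position - 1, rule)


def append(chain: List[Rule], rule: Rule) -> None:
    """Mirror `iptables -A CHAIN`."""
    chain.append(rule)


PRIVATE_SUBNET = "192.168.1.0/24"   # constructed: the masqueraded LAN
EXTERNAL_IFACE = "eth0"             # constructed: the internet-facing interface


def build_chain(variant: str) -> List[Rule]:
    """Construct one of three sample POSTROUTING rulesets."""
    chain: List[Rule] = []
    if variant == "masq_all":
        # Masquerade everything from the LAN, whatever interface it leaves on.
        append(chain, Rule("MASQUERADE", src=PRIVATE_SUBNET))
    elif variant == "masq_all_with_exception":
        append(chain, Rule("MASQUERADE", src=PRIVATE_SUBNET))
        # The rule from the thread: inserted at position 1, so it is tested first.
        insert(chain, 1, Rule("ACCEPT", out_iface="ipsec0"))
    elif variant == "masq_external_only":
        # Assumed alternative: only masquerade what leaves via the external interface,
        # so traffic routed into the tunnel (ipsec0) never matches.
        append(chain, Rule("MASQUERADE", src=PRIVATE_SUBNET, out_iface=EXTERNAL_IFACE))
    else:
        raise ValueError(variant)
    return chain


# Constructed packets: a LAN host talking to the far end of the VPN
# (routed out via ipsec0) and the same host talking to the internet.
VPN_PKT = {"src": "192.168.1.10", "out": "ipsec0"}
INET_PKT = {"src": "192.168.1.10", "out": EXTERNAL_IFACE}


def verdicts(variant: str) -> Dict[str, str]:
    """Evaluate both sample packets against one ruleset variant."""
    chain = build_chain(variant)
    return {"vpn": evaluate(chain, VPN_PKT), "internet": evaluate(chain, INET_PKT)}


if __name__ == "__main__":
    for name in ("masq_all", "masq_all_with_exception", "masq_external_only"):
        print(f"{name:25s} {verdicts(name)}")
```

Running it shows the LAN-wide rule alone masquerading the tunnel-bound packet too, which is the situation the original question describes; with the exception inserted at position 1 the tunnel-bound packet leaves untranslated while internet-bound traffic is still masqueraded, and a MASQUERADE rule pinned to the external interface reaches the same result without a separate exception. Whichever form you use, `iptables -t nat -L POSTROUTING -v -n --line-numbers` is the check worth running after a change, because the ordering, not the presence of the rule, is what the model above is sensitive to.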



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:17 CEST