Package: fiaif
Version: 1.20.1-2
Severity: important
Hi,

I've been running an openswan gateway for quite a long time now. I have used 2.4.X and 2.6.X kernels without any problem until I decided to upgrade to the 2.6.16 kernel.

Summary of the problem:

Under 2.6.15 everything is fine.

Under 2.6.16 my tunnels establish well, but I can't even ping a single computer located on the other end of the tunnel when the firewall is up. Disabling the firewall solves the problem (but is not an option for me).

  $ cat ip_conntrack | grep 192.168.10
  icmp 1 8 src=192.168.0.192 dst=192.168.10.1 type=8 code=0 id=793 packets=4 bytes=116 [UNREPLIED] src=192.168.10.1 dst=XXX.XXX.XXX.XXX type=0 code=0 id=793 packets=0 bytes=0 mark=0 use=1

192.168.0.0/24 is my LAN subnet (NATted so that LAN computers can access the internet through the public IP address)
192.168.0.192 is a workstation on my LAN
192.168.10.0/24 is the other subnet
XXX.XXX.XXX.XXX is my public IP address

If I disable the NAT of 192.168.0.0/24, I can ping the other end. Re-enabling the NAT however disables the ability to ping the other end. Seems iptables is trying to NAT packets the wrong way :$, or that I missed a major change in 2.6.16.

*******************************************

Here is the answer from the kernel team:

No, it isn't a normal behaviour. Patrick McHardy's ipsec patches were integrated in 2.6.16 and now netfilter properly sees both ESP & clear packets. This is a drawback of your firewall/SNAT rules.
Adding this to fiaif.conf solves the problem (post start script):

  iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT

-- Package-specific info:

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-a7n-v3
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages fiaif depends on:
hi  bash                  3.0-15      The GNU Bourne Again SHell
hi  coreutils             5.2.1-2.1   The GNU core utilities
ii  cron                  3.0pl1-94   management of regular background p
ii  debconf [debconf-2.0] 1.4.72      Debian configuration management sy
ii  debianutils           2.15.5      Miscellaneous utilities specific t
ii  dnsutils              1:9.3.2-2   Clients provided with BIND
ii  grep                  2.5.1.ds2-4 GNU grep, egrep and fgrep
ii  iptables              1.3.3-2     Linux kernel 2.4+ iptables adminis
ii  logtail               1.2.43a     Print log file lines that have not
ii  net-tools             1.60-17     The NET-3 networking toolkit
ii  sed                   4.1.4-7     The GNU sed stream editor
hi  wget                  1.10.1-1    retrieves files from the web

fiaif recommends no packages.

-- debconf information:
  fiaif/cron_logfile:
* fiaif/warning:
* fiaif/enable_cron: false
* fiaif/enable_initd: true
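As an added illustration (not part of the bug report or of fiaif), here is a small Python model of first-match evaluation in the nat POSTROUTING chain; the public address 203.0.113.1 and the internet host 198.51.100.7 are constructed stand-ins for the redacted values. It shows that the [UNREPLIED] conntrack entry with reply dst = public IP is exactly what the MASQUERADE rule produces for LAN-to-tunnel traffic once netfilter sees the clear-text packet, and that the exclusion rule only helps when it sits ahead of the MASQUERADE rule (hence -I rather than -A).

```python
# Added example: a minimal model of the nat POSTROUTING chain, showing why
# the LAN-to-tunnel ping was masqueraded under 2.6.16 and why the ACCEPT
# rule must be inserted (-I) before the NAT rule rather than appended.
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.1"      # constructed stand-in for XXX.XXX.XXX.XXX
LAN = "192.168.0.0/24"         # local subnet, masqueraded for internet access
REMOTE = "192.168.10.0/24"     # subnet behind the IPsec tunnel

# A rule is (source_net, dest_net, target); None means "any".
MASQ_RULE = (LAN, None, "MASQUERADE")
EXCLUDE_RULE = (LAN, REMOTE, "ACCEPT")   # the reporter's fix

BROKEN = [MASQ_RULE]                     # original NAT setup
FIXED = [EXCLUDE_RULE, MASQ_RULE]        # "-I" puts the exclusion first
WRONG_ORDER = [MASQ_RULE, EXCLUDE_RULE]  # "-A" would leave it unreachable

def first_match(rules, src, dst):
    """Walk the chain in order; the first matching rule decides (policy ACCEPT)."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, target in rules:
        if src_net is not None and s not in ip_network(src_net):
            continue
        if dst_net is not None and d not in ip_network(dst_net):
            continue
        return target
    return "ACCEPT"

def translated_source(rules, src, dst):
    """Source address after POSTROUTING nat for the first packet of a flow.

    In the nat table ACCEPT means "no NAT for this connection", so only a
    MASQUERADE hit rewrites the source.  With the 2.6.16 IPsec changes the
    still-unencrypted packet traverses this chain, so a rewritten source no
    longer belongs to the 192.168.0.0/24 <-> 192.168.10.0/24 tunnel policy.
    """
    if first_match(rules, src, dst) == "MASQUERADE":
        return PUBLIC_IP
    return src

def expected_reply_dst(rules, src, dst):
    """Reply-direction dst that ip_conntrack records for the new flow."""
    return translated_source(rules, src, dst)

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{name:12s} reply dst -> {expected_reply_dst(chain, '192.168.0.192', '192.168.10.1')}")
```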