Begin forwarded message:
Date: Fri, 14 Apr 2006 14:32:39 +0200 From: Laurent CARON <[EMAIL PROTECTED]> To: linux-kernel@vger.kernel.org Subject: Openswan, iptables (fiaif) and 2.6.16 kernel Hi, I'm running an openswan gateway for quite a long time now. I have used 2.4.X and 2.6.X kernels without any problem until i decided to upgrade to 2.6.16 kernel. Summary of problem: Under 2.6.15 everything is fine Under 2.6.16 my tunnels establish well, but i can't even ping a single computer located on the other end of the tunnel when the firewall is up. Disabling the firewall solves the problem (but is not an option for me). $ cat ip_conntrack | grep 192.168.10 icmp 1 8 src=192.168.0.192 dst=192.168.10.1 type=8 code=0 id=793 packets=4 bytes=116 [UNREPLIED] src=192.168.10.1 dst=XXX.XXX.XXX.XXX type=0 code=0 id=793 packets=0 bytes=0 mark=0 use=1 192.168.0.0/24 is my lan subnet (natted so that lan computers can access the internet through the public ip address) 192.168.0.192 is a workstation on my lan 192.168.10.0/24 is the other subnet XXX.XXX.XXX.XXX is my public ip address If i disable the nat of 192.168.0.0/24, i can ping the other end. Re-enabling the nat however disables the ability to ping the other end. Seems iptables is trying to nat packets the wrong way :$, or that I missed a major change in 2.6.16. Do anyone have any clue about this weiredness? Thanks Laurent _______________________________________________ [EMAIL PROTECTED] http://lists.openswan.org/mailman/listinfo/users Building and Integrating Virtual Private Networks with Openswan: http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155 - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
