From here: http://article.gmane.org/gmane.comp.security.firewalls.netfilter.devel/8369

It seems that no progress has been made on the issue with bridging and IPsec policy match?

I have a gateway where br0 is the local network and eth1 is the public net. Under 2.6.11, the gateway can reach remote, IPsec-tunneled, networks, but not the local network. Under 2.6.9, I have no issues. (This is with the 5 IPsec patches and policy applied.)

Since I really need this to work, because I want to use the new provider's support, I'm wondering if there is a workaround? Can I apply connmark/track/etc to 2.6.9? Anyone have experience with this?

Thank you,

A.

--
Adam Sherman
Technologist

-------------------------------------------------------
This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual core and dual graphics technology at this free one hour event hosted by HP, AMD, and NVIDIA. To register visit http://www.hp.com/go/dualwebinar
On 7/12/05, Adam Sherman <carbon60@gmail.com> wrote:
> Since I really need this to work, because I want to use the new
> provider's support, I'm wondering if there is a workaround? Can I
> apply connmark/track/etc to 2.6.9? Anyone have experience with this?

Is there a possible workaround using "Proxy-ARP"? A little over my head, but can someone confirm this?

Thanks,

A.

--
Adam Sherman
Technologist
On 7/12/05, Adam Sherman <carbon60@gmail.com> wrote:
> > Since I really need this to work, because I want to use the new
> > provider's support, I'm wondering if there is a workaround? Can I
> > apply connmark/track/etc to 2.6.9? Anyone have experience with this?
>
> Is there a possible workaround using "Proxy-ARP"? A little over my
> head, but can someone confirm this?
>
> Thanks,

Let's back up a second. The symptoms you describe in your original post involve a 2.6.11 kernel; what version of ipsec-tools are you running? What I think the issue may be is that the 2.6.11 kernel requires that forward policies be defined in addition to input and output policies. I heard that 5.2 *should be* ok, unsure about the version from openswan. I don't have a running ipsec tunnel box at the moment, so I can't say for sure what works for me. Anybody else out there care to shed some light on what combos worked for them?

Jerry
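A worked example for the forward-policy point Jerry raises, added here and not part of the thread or of any of the posters' configs: a setkey SPD for the topology Adam describes, carrying an out, an in and a fwd policy for one tunnel, plus a small audit function that reads a setkey script and names every in policy that has no fwd policy with the same selectors. The addresses are assumed for illustration (192.168.1.0/24 behind br0, the gateway's public address 203.0.113.1 on eth1, the remote network 10.0.0.0/24 behind a remote gateway at 198.51.100.1), and the script assumes a setkey that accepts the fwd direction keyword, which an old release such as Adam's 0.3.3 may not; a quick `setkey -f` against a test file tells you.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed topology:
#   br0  local LAN        192.168.1.0/24
#   eth1 gateway public   203.0.113.1
#   remote LAN            10.0.0.0/24, behind remote gateway 198.51.100.1
# Requires a setkey that understands the "fwd" direction.

# Emit a setkey SPD script with out, in and fwd policies for one tunnel.
example_spd() {
    cat <<'EOF'
spdflush;

# packets leaving for the remote LAN (from br0 hosts or the gateway itself)
spdadd 192.168.1.0/24 10.0.0.0/24 any -P out ipsec
       esp/tunnel/203.0.113.1-198.51.100.1/require;

# decapsulated packets addressed to the gateway itself
spdadd 10.0.0.0/24 192.168.1.0/24 any -P in ipsec
       esp/tunnel/198.51.100.1-203.0.113.1/require;

# decapsulated packets the gateway forwards on to br0; the kernel's
# forward-path policy check needs this entry in addition to the "in" one
spdadd 10.0.0.0/24 192.168.1.0/24 any -P fwd ipsec
       esp/tunnel/198.51.100.1-203.0.113.1/require;
EOF
}

# Read a setkey script on stdin and print "src dst" for every "in" policy
# that has no "fwd" policy with the same selectors. Prints nothing when
# the SPD is complete. Statements are ';'-terminated, so they may span lines.
missing_fwd() {
    sed 's/#.*$//' | awk '
        BEGIN { RS = ";" }
        $1 == "spdadd" {
            dir = ""
            for (i = 4; i <= NF; i++)
                if ($i == "-P") { dir = $(i + 1); break }
            key = $2 " " $3
            if (dir == "in")  inpol[key] = 1
            if (dir == "fwd") fwdpol[key] = 1
        }
        END {
            for (k in inpol)
                if (!(k in fwdpol)) print k
        }'
}

# Usage:
#   example_spd > /tmp/spd.conf && setkey -f /tmp/spd.conf   # install
#   missing_fwd < /etc/ipsec-tools.conf                       # audit an existing file
```

Run `missing_fwd` against the SPD file that is actually loaded on the gateway: a file written for a kernel that only checked in and out policies will list its in entries, and each of those needs a fwd twin with the same source and destination before traffic decapsulated on eth1 can be forwarded on to br0. The parser only handles the `spdadd src dst upperspec -P dir ...` form shown here; it is meant as a sanity check on a hand-written file, not as a full setkey grammar.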
On 7/13/05, Jerry Vonau <jvonau@shaw.ca> wrote:
> > Since I really need this to work, because I want to use the new
> > provider's support, I'm wondering if there is a workaround? Can I
> > apply connmark/track/etc to 2.6.9? Anyone have experience with this?
> >
> > Is there a possible workaround using "Proxy-ARP"? A little over my
> > head, but can someone confirm this?
>
> Let's back up a second. The symptoms you describe in your original post
> involve a 2.6.11 kernel; what version of ipsec-tools are you running?
> What I think the issue may be is that the 2.6.11 kernel requires that forward
> policies be defined in addition to input and output policies. I heard that
> 5.2 *should be* ok, unsure about the version from openswan. I don't have a
> running ipsec tunnel box at the moment, so I can't say for sure what works for
> me. Anybody else out there care to shed some light on what combos worked
> for them?

Crap, you're right! I forgot about that issue. I'm running 0.3.3 of ipsec-tools, so that would make sense.

I'm a little scared about upgrading though. Upgrading racoon & ipsec-tools is all that is needed?

A.

--
Adam Sherman
Technologist