There are a half dozen or so of us at work who have had absolutely no luck getting 2.2.16 to masquerade IPSEC packets. This includes folks who have started from your earlier 2.2.16-3 sources and manually applied (and cleaned up) the VPN Masq patches, as well as folks who have taken your newer 2.2.16 kernels from rawhide or pinstripe. In all cases, for those who have tried, reverting to 2.2.14 with the patch applied has corrected the problem. The problem (as near as I can tell from a tcpdump) is that the "masqueraded" packets are sent out to the vpn server with a source address of 0.0.0.0 instead of the correct external interface address. The vpn client is the Nortel Extranet Access Client (a complete piece of shit, but that's all management will authorize, and they seem to be using some "not quite standard" data exchanges). I do not know if anyone has tried this on a "stock" 2.2.16 kernel from kernel.org. All other masquerading on the affected systems seems to work fine and there are no "interesting" lines in /var/log/messages. I know of none who have gotten this to work.
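The symptom in the report above (IPsec traffic leaving the masquerading host with a source address of 0.0.0.0), as an added detection check that is not part of this bug thread: it parses tcpdump-style lines, constructed here, and flags outbound ESP or ISAKMP packets whose source is not the external interface address, which catches both the 0.0.0.0 case and an internal address leaking out unrewritten. The external address 192.0.2.10 and the peer addresses are constructed assumptions.

```python
import re

# Constructed tcpdump lines (not from the original report) mimicking the
# symptom: ESP/ISAKMP packets leave the external interface with source
# 0.0.0.0 instead of the masquerading host's own address 192.0.2.10.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 192.0.2.10.500 > 203.0.113.5.500: isakmp: phase 1 I ident
12:00:01.000002 IP 0.0.0.0.500 > 203.0.113.5.500: isakmp: phase 1 I ident
12:00:01.000003 IP 0.0.0.0 > 203.0.113.5: ESP(spi=0x00001234,seq=0x1), length 116
12:00:01.000004 IP 192.0.2.10 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
12:00:01.000005 IP 203.0.113.5 > 192.0.2.10: ESP(spi=0x00005678,seq=0x1), length 116
"""

# "src > dst:" of a tcpdump line; the "IP" token newer tcpdump versions
# print and the ".port" suffixes are both optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:IP\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)


def is_ipsec(rest, sport, dport):
    """ESP payloads and ISAKMP (UDP/500) key exchange count as IPsec traffic."""
    return (rest.startswith("ESP(") or rest.startswith("isakmp")
            or sport == "500" or dport == "500")


def find_bad_masq(dump_text, external_ip):
    """Return (timestamp, src, dst, proto) for outbound IPsec packets whose
    source was not rewritten to external_ip. Packets addressed to external_ip
    are inbound replies from the peer and are ignored."""
    bad = []
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_ipsec(m["rest"], m["sport"], m["dport"]):
            continue
        outbound = m["dst"] != external_ip
        if outbound and m["src"] != external_ip:
            bad.append((m["ts"], m["src"], m["dst"], m["rest"].split(",")[0]))
    return bad


if __name__ == "__main__":
    for ts, src, dst, proto in find_bad_masq(SAMPLE_TCPDUMP, "192.0.2.10"):
        print(f"{ts} unmasqueraded {proto}: {src} -> {dst}")
```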
This is a known issue, but the first patches we saw broke lvs. There are newer patches being evaluated, though.
Can you please provide pointers to said patches? I had looked in most of the places I expected this to have been discussed and found nothing prior to submitting. I'd like to test these patches over the holiday weekend if you think there's even a remote chance they'll work.
Assuming the patch you mentioned is the one John Hardin just put up, then a co-worker reports:

> I applied the new patch to the 2.2.16-12 from rawhide and it seemed to work. I was able to connect to work just like under 2.2.14.

ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn-RH2.16-2.patch.gz

I'll ask that we use this bug to ensure this is included in future kernel builds.

Thanks
-=Chris