Bug 17122 - 2.2.16 + VPN Masq = src addr
Summary: 2.2.16 + VPN Masq = src addr
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: kernel
Version: 7.0
Hardware: i386
OS: Linux
Assignee: Michael K. Johnson
Reported: 2000-08-31 02:26 UTC by Chris Abbey
Modified: 2008-05-01 15:37 UTC

Doc Type: Bug Fix
Last Closed: 2000-09-09 17:01:31 UTC

Description Chris Abbey 2000-08-31 02:26:15 UTC
There are a half dozen or so of us at work who have had absolutely no luck getting 2.2.16 to masquerade IPSEC packets. This includes
folks who have started from your earlier 2.2.16-3 sources and manually applied (and cleaned-up) the VPN Masq patches, as well as folks
who have taken your newer 2.2.16 kernels from rawhide or pinstripe. In all cases who have tried, reverting to 2.2.14 with the patch applied
has corrected the problem. The problem (as near as I can tell from a tcpdump) is that the "masqueraded" packets are sent out to the vpn
server with a source address of instead of the correct external interface address. The vpn client is the Nortel Extranet Access
Client (a complete piece of shit, but that's all management will authorize, and they seem to be using some "not quite standard" data
exchanges). I do not know if anyone has tried this on a "stock" 2.2.16 kernel from kernel.org. All other masquerading on the affected
systems seems to work fine and there are no "interesting" lines in /var/log/messages. I know of none who have gotten this to work.

Comment 1 Michael K. Johnson 2000-08-31 13:35:14 UTC
This is a known issue, but the first patches we saw broke
lvs.  There are newer patches being evaluated, though.

Comment 2 Chris Abbey 2000-09-01 07:05:02 UTC
Can you please provide pointers to said patches? I had looked in most of the
places I expected this to have been discussed and found nothing prior to
submitting. I'd like to test these patches over the holiday weekend if you
think there's even a remote chance they'll work.

Comment 3 Chris Abbey 2000-09-09 17:01:27 UTC
Assuming the patch you mentioned is the one John Hardin just put up, then
a co-worker reports:

> I applied the new patch to the 2.2.16-12 from rawhide and it seemed to
> work.  I was able to connect to work just like under 2.2.14.


I'll ask that we use this bug to ensure this is included in future kernel builds.
Thanks -=Chris
