There are a half dozen or so of us at work who have had absolutely no luck getting 2.2.16 to masquerade IPSEC packets. This includes
folks who have started from your earlier 2.2.16-3 sources and manually applied (and cleaned-up) the VPN Masq patches, as well as folks
who have taken your newer 2.2.16 kernels from rawhide or pinstripe. In all cases who have tried, reverting to 2.2.14 with the patch applied
has corrected the problem. The probelm (as near I can tell from a tcpdump) is that the "masqueraded" packets are sent out to the vpn
server with a source address of 0.0.0.0 instead of the correct external interface address. The vpn client is the Nortel Extranet Access
Client (a complete piece of shit, but that's all management will authorize, and they seem to be using some "not quite standard" data
exchanges). I do not know if anyone has tried this on a "stock" 2.2.16 kernel from kernel.org. All other masquerading on the affected
systems seems to work fine and there are no "interesting" lines in /var/log/messages. I know of none who have gotten this to work.
This is a known issue, but the first patches we saw broke
lvs. There are newer patches being evaluated, though.
Can you please provide pointers to said patches? I had looked in most of the
places I expected this to have been discussed and found nothing prior to
submitting. I'd like to test these patches over the holiday weekend if you
think there's even a remote chance they'll work.
assuming the patch you mentioned is the one John Hardin just put up, then
a co-worker reports:
> I applied the new patch to the 2.2.16-12 from rawhide and it seemed to
> work. I was able to connect to work just like under 2.2.14.
I'll ask that we use this bug to ensure this is included in future kernel builds.