That patch is for PPTP, which uses the gre protocol for data transport, but is not entirely gre. GRE has the options of using checksums, keys, and sequence numbers. The checksum is (I believe) a checksum over the encapsulated IP packet, which shouldn't need to be mucked with (unless you're trying to do nat on a packet inside a gre tunnel from a host that is not one of the gre endpoints. Which would be an exceedingly sneaky thing to do.) The key (which is simply an identifier, nothing else; never think that because it has a key, gre by itself has encryption - it does not) and the sequence number shouldn't need to be changed ever.
Forwarding should never be a problem. Nat could be, but in practice generally is not.

-Joe

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Andrew Burgess
> Sent: Monday, April 29, 2002 10:25 AM
> To: netfilter
> Subject: Re: GRE tunneling & ipfilters
>
>
> We are in the process of trying to forward GRE and we decided we needed
> a kernel patch to make it work. The GRE packets apparently have a
> checksum inside that includes the original destination ip address and
> if you forward without changing this you just get checksum errors at
> the destination.
>
> This is the information we found that includes a link to the patch:
>
> http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
>
> That said, we haven't tried the patch yet so maybe there is a way to
> make it work without.
>
> HTH
> Andrew
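
An added example, not part of the original thread: a small Python parser for the optional GRE header fields discussed above (checksum, key, sequence number) as laid out in RFC 2784/2890, which also decodes the PPTP "enhanced GRE" variant (RFC 2637), where the key field carries a payload length and a call ID. The helper `build_gre` and the sample packets are constructed for illustration; the parser is handed only the bytes that follow the outer IP header, so the checksum it verifies is computed over the GRE header and payload alone.

```python
import struct

C_FLAG, K_FLAG, S_FLAG = 0x8000, 0x2000, 0x1000  # checksum / key / sequence present

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_gre(pkt: bytes) -> dict:
    """Parse a GRE header; pkt starts at the first byte after the outer IP header."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", pkt, 0)
    need = 4 + sum(4 for f in (C_FLAG, K_FLAG, S_FLAG) if flags & f)
    if len(pkt) < need:
        raise ValueError("optional fields truncated")
    info = {"version": flags & 0x7, "protocol": proto,
            "checksum_ok": None, "key": None, "sequence": None}
    off = 4
    if flags & C_FLAG:
        # Covers GRE header + payload; a valid packet sums to zero.
        info["checksum_ok"] = inet_checksum(pkt) == 0
        off += 4  # checksum (2 bytes) + reserved (2 bytes)
    if flags & K_FLAG:
        (key,) = struct.unpack_from("!I", pkt, off)
        off += 4
        if info["version"] == 1:  # PPTP enhanced GRE: key is not a plain identifier
            info["key"] = {"payload_len": key >> 16, "call_id": key & 0xFFFF}
        else:
            info["key"] = key     # plain tunnel identifier, no cryptographic role
    if flags & S_FLAG:
        (info["sequence"],) = struct.unpack_from("!I", pkt, off)
        off += 4
    info["payload"] = pkt[off:]
    return info

def build_gre(key: int, seq: int, payload: bytes, proto: int = 0x0800) -> bytes:
    """Constructed helper: version-0 GRE packet with C, K and S all set."""
    hdr = struct.pack("!HHHHII", C_FLAG | K_FLAG | S_FLAG, proto, 0, 0, key, seq)
    csum = inet_checksum(hdr + payload)
    return hdr[:4] + struct.pack("!H", csum) + hdr[6:] + payload

if __name__ == "__main__":
    print(parse_gre(build_gre(42, 7, b"constructed inner packet")))
```
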
