On 7/14/10 8:31 PM, Brian J. Murrell wrote:
> On Wed, 2010-07-14 at 20:06 -0700, Tom Eastep wrote:
>>>
>>> #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
>>> eth0 192.168.122.0/24 129.150.48.250
>>
>> I specifically said MASQUERADE, not SNAT.
>
> Yes, I know. But MASQUERADE results in the source address being
> re-written to eth0's interface address (10.75.22.151). This will result
> in traffic not being routed into the tunnel and instead resulting in the
> ipsec gateway machine sending back EHOSTUNREACH ICMP errors such as:
>
> 23:22:36.144100 IP 10.75.22.151 > 192.168.122.32: ICMP host 148.8.2.1
> unreachable, length 72
>

Okay -- I'm tired of seeing the onion peeled one layer at a time (complete
with bungled obfuscation). Let's see the output of 'shorewall dump'.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
