> On Wed, Aug 22, 2001 at 12:31:19PM -0400, Jay Berkenbilt wrote:
> > I know it works with a 2.2.x kernel and ipchains. I dropped
> > CIPE into an e-smith linux distribution (kind of a packaged
> > office-in-a-box based on RH 6.2) and had to figure out their
> > configuration scheme to undo the MASQ on everything. In
> > my case I wanted the tunneled nets to be able to see
> > each other's private numbers.
> > It even works with a 2.4 kernel and ipchains. It fails only with a
> > 2.4 kernel and iptables.
> umm no, I am using 2.4.8 on a box at home running cipe and masquerading
> data off cipe onto my internet connection.
This is a different situation from what we are talking about. You are
masquerading packets that arrive at your gateway and are decrypted
there to your Internet address. The masqueraded packets are going out
through eth0. The situation we are describing is that we want the
masqueraded packets to go through cipe.
  host 1 <--- cipe ---> gateway <----> internet

gateway masquerades host1 as gateway.

  host 1 <--- local net ---> gw1 <--- cipe ---> gw2

we want host1 to be masqueraded as gw1 to gw2.
Put still another way, your source addresses are on the other side of
your cipe interfaces. Our destination addresses are on the other side
of our cipe interfaces.
So your situation is actually not masquerading through cipe at all.
The packets have left the VPN before they get masqueraded. No
interaction between cipe and iptables is required.
Jay Berkenbilt <ejb,AT,ql,DOT,org>
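The two layouts in the message above, written out as 2.4 iptables rules. This is an added illustration, not a script from the thread or from CIPE itself; the interface names (eth0 for the Internet side, cipcb0 for the CIPE device) and the local net 192.168.1.0/24 are assumptions. IPT defaults to "echo iptables" so the script only prints the rules; run it with IPT=iptables on the gateway to apply them.

```shell
#!/bin/sh
# Added example (not from the original thread). Interface and address
# values below are assumptions chosen for illustration.
# IPT defaults to a dry run that prints the rule instead of applying it.
IPT=${IPT:-echo iptables}

# Case 1 (the "umm no" poster): packets arrive over cipe, are decrypted on
# the gateway, and leave for the Internet through eth0. The NAT rule matches
# eth0 as the *outgoing* interface, so cipe plays no part in the NAT.
masq_out_eth0() {
    $IPT -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
}

# Case 2 (what Jay describes): host1 on gw1's local net should appear to gw2
# as gw1. Here the NAT rule has to match the CIPE device as the *outgoing*
# interface; this is the combination reported to fail with 2.4 + iptables.
masq_out_cipe() {
    $IPT -t nat -A POSTROUTING -s 192.168.1.0/24 -o cipcb0 -j MASQUERADE
}

masq_out_eth0
masq_out_cipe
```

To confirm which case a gateway is in, check which device the route to the far-end addresses uses (`ip route get <address on the other side>`): if it leaves via the CIPE device, the MASQUERADE rule must hang on that device, as in the second function. `iptables -t nat -L POSTROUTING -v` shows whether the rule's packet counters move.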