A known problem exists with netfilter NAT/masquerade/SNAT with 2.6 IPSEC. The supplied URL contains further details and a link to a patch which addresses it. Seen on Gentoo with gentoo-dev-sources: 2.6.9-gentoo-r13 Reproducible: Always Steps to Reproduce: 1. 2. 3.
Have you tried with 2.6.10?
No, I just took the latest stable one from portage. Is it likely to be fixed in there?
Can't say without someone trying it. Also, 2.6.10 is stable now.
There is an updated patch for 2.6.10 here: http://lists.netfilter.org/pipermail/netfilter-devel/attachments/20050104/db17e25f/ipsec-nat-2.6.10-0001.obj (Corresponding post: http://lists.netfilter.org/pipermail/netfilter-devel/2005-January/017961.html) Thus it does not appear to have been included in mainline yet. The patch above applied cleanly against gentoo-dev-sources (2.6.10-gentoo-r4), which indicates that the patch also isn't part of the Gentoo patch set. My conclusion... the issue is unlikely to be solved by using 2.6.10-r4. I can try actually running it if someone really wants, though.
Yes, please do. It may have been fixed in some other place.
Hard to say if it's fixed in 2.6.10 or not - I couldn't make it work with or without the patch, so I can't 100% rule out a configuration problem :(
Any progress on this? It would also be useful to try 2.6.11_rc2
Haven't had a chance to make progress (reverted to a 2.4 kernel instead). Will try the kernel suggested and let you know the result.
If this is still a problem with the latest 2.6 kernels then please reopen.
Apologies for the delay... Apparently Patrick McHardy is sponsoring the required patches for inclusion in mainline post 2.6.11 - so unless it's made it into the gentoo-dev patch set, it's unlikely to be fixed.