Hello,

Basic info:
Distro = centos-release-4-4.2
Kernel = 2.6.9-42.0.3.EL
OpenSwan = Linux Openswan 2.CVSHEAD (klips)

The firewall has two interfaces, one LAN side (192.168.70.1) and one WAN side (y.y.y.y). The firewall runs OpenSwan to build a tunnel with a Cisco VPN Concentrator 3500 on the other end. Private IP of the machine we reach on the other end is 172.16.7.13. The firewall rules are managed with Vuurmuur (http://vuurmuur.sourceforge.net/).

The whole setup runs perfectly fine for roughly a week, but then the clients can no longer connect to 172.16.7.13. Only a reboot gets everything going again.

I excluded the remote end and IPSEC tunnel since I see their ping reply coming back on the ipsec0 interface. But it never makes it out on the eth0 interface.

Using iptables I added some logging rules to see what is going on in the firewall part (vrmr are default Vuurmuur log rules, BAS-IN|OUT are my additional rules first in the ruleset):

----
BAS-FWD IN=eth0 OUT=ipsec0 SRC=192.168.70.29 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
vrmr: ACCEPT IN=eth0 OUT=ipsec0 SRC=192.168.70.29 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
vrmr: MASQ IN= OUT=ipsec0 SRC=192.168.70.29 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
BAS-OUT IN= OUT=lo SRC=192.168.70.1 DST=192.168.70.1 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=21829 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.70.1 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0 ] MTU=0
BAS-IN IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.70.1 DST=192.168.70.29 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=21829 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.70.29 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0 ] MTU=0
BAS-FWD IN=ipsec0 OUT=eth0 SRC=172.16.7.13 DST=192.168.70.29 LEN=44 TOS=0x00 PREC=0x00 TTL=125 ID=11649 DF PROTO=TCP SPT=23 DPT=3990 WINDOW=8192 RES=0x00 ACK SYN URGP=0
BAS-FWD IN=eth0 OUT=ipsec0 SRC=192.168.70.29 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=38026 DF PROTO=TCP SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
BAS-OUT IN= OUT=lo SRC=192.168.70.1 DST=192.168.70.1 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=21830 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.70.1 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=38026 DF PROTO=TCP SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0 ] MTU=0
BAS-IN IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.70.1 DST=192.168.70.29 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=21830 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.70.29 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=38026 DF PROTO=TCP SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0 ] MTU=0
BAS-FWD IN=ipsec0 OUT=eth0 SRC=172.16.7.13 DST=192.168.70.29 LEN=44 TOS=0x00 PREC=0x00 TTL=125 ID=11662 DF PROTO=TCP SPT=23 DPT=3990 WINDOW=8192 RES=0x00 ACK SYN URGP=0
----

First three lines are my test telnet session going out. Masq rule is a bit strange, but since it works for a week, this can't be a problem.

Fourth line is the reason I mail to this list: this is apparently a local packet (iface = lo) with an ICMP Message Type 3, Code 4 (3 = Destination Unreachable, 4 = Fragmentation Needed and Don't Fragment was Set). Within the square brackets is the original packet this relates to. The original packets all have the DF flag set. What reasons could there be for this suddenly being a problem?

The next few packets might actually be a problem with the firewall rules, since the firewall tries to forward me the SYN/ACK from 172.16.7.13, but it never reaches the proper forwarding rule (it would have shown a vrmr log entry).

Any insights are very welcome.

Bas Rijniersce

----
Bas Rijniersce
IT Specialist @ Seaspan Ship Management
E: brijniersce@xxxxxxxxxxxxx
P: +1 604 638 2620
M: +1 604 616 4969
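A small parser for iptables LOG lines of the shape quoted in this post, added here as an example and not part of the post: it picks out each ICMP type 3 / code 4 entry, checks that the quoted original packet carried DF, records whether the error was raised locally (OUT=lo) and whether the advertised next-hop MTU is 0 (which gives the sender nothing to size its packets to), and links the entry to the forwarded packet with the same IP ID. The function names are the example's own; the sample lines are copied from the post.

```python
import re

# Sample iptables LOG lines taken from the post: the first outgoing SYN, the locally
# generated ICMP "fragmentation needed" quoting it, and the returning SYN/ACK.
SAMPLE_LOG = """\
BAS-FWD IN=eth0 OUT=ipsec0 SRC=192.168.70.29 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
BAS-OUT IN= OUT=lo SRC=192.168.70.1 DST=192.168.70.1 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=21829 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.70.1 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0 ] MTU=0
BAS-FWD IN=ipsec0 OUT=eth0 SRC=172.16.7.13 DST=192.168.70.29 LEN=44 TOS=0x00 PREC=0x00 TTL=125 ID=11649 DF PROTO=TCP SPT=23 DPT=3990 WINDOW=8192 RES=0x00 ACK SYN URGP=0
"""

def parse_log_line(line):
    """Split one LOG line into prefix, KEY=VALUE fields, bare flags and the [...] inner packet."""
    inner = None
    m = re.search(r"\[(.*?)\]", line)
    if m:  # ICMP errors quote the offending packet in square brackets; parse it the same way
        inner = parse_log_line(m.group(1).strip())
        line = line[:m.start()] + line[m.end():]
    prefix, fields, flags = None, {}, set()
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val  # "IN=" yields an empty string, as for locally generated packets
        elif prefix is None and not fields:
            prefix = tok       # e.g. "BAS-OUT"; the quoted inner packet has no prefix
        else:
            flags.add(tok)     # DF, SYN, ACK ...
    return {"prefix": prefix, "fields": fields, "flags": flags, "inner": inner}

def find_pmtu_blackholes(log_text):
    """One finding per ICMP type 3 / code 4 entry; advertised_mtu == 0 means no usable MTU."""
    entries = [parse_log_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for e in entries:
        f, inner = e["fields"], e["inner"]
        if (f.get("PROTO"), f.get("TYPE"), f.get("CODE")) != ("ICMP", "3", "4") or not inner:
            continue
        ifl = inner["fields"]
        # Correlate with the forwarded packet of the same protocol and IP ID: the quoted
        # copy may carry the masqueraded source, the forwarded one the real client.
        orig = next((o for o in entries if o["inner"] is None and
                     o["fields"].get("PROTO") == ifl.get("PROTO") and
                     o["fields"].get("ID") == ifl.get("ID")), None)
        findings.append({"dst": ifl.get("DST"), "dport": ifl.get("DPT"),
                         "ip_id": ifl.get("ID"), "df": "DF" in inner["flags"],
                         "advertised_mtu": int(f.get("MTU", "0")),
                         "generated_locally": f.get("OUT") == "lo",
                         "client": orig["fields"].get("SRC") if orig else None,
                         "out_iface": orig["fields"].get("OUT") if orig else None})
    return findings
```

Run over the full log from the post it reports one finding per ICMP entry, so the duplicate BAS-IN copy of each error shows up as a second finding with the same IP ID.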