Hi All,

I have a problem with ICMP (destination-unreachable / fragmentation needed) packets not being NAT-ed correctly with a specific SNAT configuration.

I have an IPsec tunnel (FreeS/WAN), and I need to source-NAT everything that comes out of the tunnel (strange routing problem). I'm using the following configuration:

    iptables -t mangle -A PREROUTING --in-interface ipsec+ \
        -j MARK --set-mark 1
    iptables -t nat -A POSTROUTING -m mark --mark 1 \
        -j MASQUERADE

However, the IPsec tunnel had an MTU of 1400, slightly less than the ethernet packet. When a user requests a large web page (for example), the web server sends big packets, and an ICMP error is generated by the NAT-ing node. However, the ICMP packet contains the real destination address, not the address of the NAT device... The web server ignores the ICMP error, which is normal.

I'm using iptables v1.2.5. I've noticed that there is a DNAT / ICMP correction in 1.2.7a. I'm going to download and test this new version, but I suspect that the behaviour will be the same.

Has anybody previously encountered this sort of problem? How can I tell iptables to NAT inside ICMP packets that are generated locally but that concern connections coming from the tunnel?

I suppose it would work if I just masqueraded everything going through any interface, but that seems a bit drastic...

Thanks for any pointers,

Ciaran

--
+---------------------------------------------------------+
Ciaran Deignan                              04 38 49 87 27
Netcelo SA - IPsec VPN Solutions     http://www.netcelo.com/
18-20 rue Henri Barbusse - BP 2501, 38035 Grenoble Cedex 2
+---------------------------------------------------------+
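The translation the post is asking the NAT box to perform, shown as an added example (not code from the original post, FreeS/WAN or netfilter): an ICMP fragmentation-needed error is built quoting the de-masqueraded inner header (destination = the real client), and the quoted destination is rewritten back to the NAT address so the web server can match the error to a packet it actually sent. All addresses are constructed sample values.

```python
import struct
import ipaddress

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a correctly checksummed buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with DF set (frag-needed only arises with DF)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def frag_needed(offending: bytes, mtu: int) -> bytes:
    """ICMP type 3 code 4 (next-hop MTU in bytes 6-7) quoting the first 28 bytes."""
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + offending[:28]
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def translate_icmp_error(icmp: bytes, old_dst: str, new_dst: str) -> bytes:
    """Rewrite the quoted inner header's destination and refresh both checksums.
    Errors whose quoted header does not mention old_dst are returned untouched."""
    inner = bytearray(icmp[8:])            # quoted IP header (20) + 8 transport bytes
    if inner[16:20] != ipaddress.IPv4Address(old_dst).packed:
        return icmp
    inner[16:20] = ipaddress.IPv4Address(new_dst).packed
    inner[10:12] = b"\x00\x00"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner[:20])))
    msg = bytearray(icmp[:8]) + inner
    msg[2:4] = b"\x00\x00"                 # ICMP checksum covers header + quoted data
    msg[2:4] = struct.pack("!H", checksum(bytes(msg)))
    return bytes(msg)

def quoted_dst(icmp: bytes) -> str:
    """Destination address inside the quoted header of an ICMP error."""
    return str(ipaddress.IPv4Address(bytes(icmp[8 + 16:8 + 20])))

# Constructed scenario: web server -> NAT public address -> client behind the tunnel.
SERVER, NAT_ADDR, CLIENT = "203.0.113.10", "198.51.100.1", "10.0.0.5"
big_packet = ipv4_header(SERVER, CLIENT, 6, 1500) + struct.pack("!HHI", 80, 40000, 1)
wrong_error = frag_needed(big_packet, 1400)                    # quotes dst = CLIENT
fixed_error = translate_icmp_error(wrong_error, CLIENT, NAT_ADDR)  # quotes dst = NAT_ADDR
```

The server only acts on the error when the quoted destination equals the address it sent to, which is why the untranslated version is silently dropped and path-MTU discovery stalls.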