Sorry for the cross-post, but this problem is really nagging me. What I did not put into the post below is the fact that it only occurred after a reboot of my Linux system due to a short power outage. Here is the routing table, if that makes any difference:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
    xx.xx.xx.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         xx.xx.xx.1      0.0.0.0         UG    0      0        0 eth0

The xx.xx.xx is the first part of my external IP address.

Thanks for any advice or insight!

h.

From: helgew@xxxxxxxxxxxx (Helge Weissig)
Newsgroups: comp.security.firewalls
Subject: protocol 50 unreachable
NNTP-Posting-Host: 63.196.131.66
Message-ID: <a1a4b233.0411301146.3c342dce@xxxxxxxxxxxxxxxxxx>

Hi,

I have been searching for information about this problem high and low but came up dry. Basically, I am trying to connect to a VPN server via IPsec from behind a NAT firewall set up on a Linux (kernel 2.4.x) box with iptables. I have no problem establishing the connection via port 500, as this is initiated by the client. However, I cannot seem to get protocol 50 (ESP) to work, independent of whether the IPsec tunnel is established or not. I have tried every incantation of iptables rules I could find, to no avail.

When I set up tcpdump on both interfaces on my server as well as on the client behind it, a port I have opened for forwarding responds as expected. If I run 'nmap -sO' from somewhere outside, however, it will report protocol 50 as open, although the external interface reports an 'icmp: xx.xx.xx.xx protocol 50 unreachable' response and the two other interfaces never see the traffic.

Here is my current iptables configuration:

    # Default policies: host traffic open, forwarding denied unless allowed below
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    echo "Enabling PORTFW Redirection on the external LAN.."
    # Forward ESP (IP protocol 50) from outside to inside, and DNAT ESP
    # packets addressed to $VPN_SERVER onto the inside client
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p esp -j ACCEPT
    $IPTABLES -A PREROUTING -t nat -d $VPN_SERVER -p esp -j DNAT \
        --to-destination $VPN_CLIENT

    echo " FWD: Allow all connections OUT and only existing and related ones IN"
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    # Anything that reaches this point is logged and then hits the DROP policy
    $IPTABLES -A FORWARD -j LOG

    echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Here is the tcpdump info I see on $EXTIF:

    10:23:09.234937 (vpn server ip) > (my ip): ESP(spi=0x00000000,seq=0x0)
    10:23:09.235055 (my ip) > (vpn server ip): icmp: (my ip) protocol 50 unreachable [tos 0xc0]

(These are empty packets sent by nmap, but it looks the same for legit ones coming from the VPN server IP.)

FWIW, when the IPsec tunnel is established and I try to ping a host behind the VPN server, I see the outgoing packets on all three interfaces, but no response.

Thanks for any information or pointers in advance!

h.
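Editor's note, added here and not part of the original post or any reply: the ICMP "protocol 50 unreachable" in the tcpdump above is what the Linux stack sends when an IP protocol it has no handler for is delivered to the host itself. In the posted ruleset the only ESP DNAT rule selects on "-d $VPN_SERVER", but an ESP packet coming back from the VPN server is addressed to the firewall's own public IP, not to the VPN server, so that rule cannot match inbound traffic; the untranslated packet then terminates on the firewall, which has no ESP handler, and the unreachable is consistent with exactly that. The script below is the way I would write the pass-through for a single inside client, selecting inbound ESP and IKE by source (the VPN server) and destination (the firewall's public address). It is my example, not the poster's configuration; the interface names, the addresses 203.0.113.10 (firewall), 198.51.100.5 (VPN server) and 10.0.0.20 (client) are constructed placeholders, and with IPTABLES left unset it only prints the rules it would apply, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the original poster's script): IKE/ESP pass-through for
# ONE inside IPsec client behind an iptables NAT box. With IPTABLES unset the
# rules are echoed instead of applied; set IPTABLES=/sbin/iptables to apply.
# All addresses below are constructed placeholders.

IPTABLES="${IPTABLES:-echo iptables}"
EXTIF="${EXTIF:-eth0}"                     # outside interface (assumption)
INTIF="${INTIF:-eth1}"                     # inside interface (assumption)
EXT_IP="${EXT_IP:-203.0.113.10}"           # firewall's public address (constructed)
VPN_SERVER="${VPN_SERVER:-198.51.100.5}"   # remote IPsec gateway (constructed)
VPN_CLIENT="${VPN_CLIENT:-10.0.0.20}"      # inside host running the IPsec client (constructed)

# Packets FROM the VPN server arrive addressed to EXT_IP, never to VPN_SERVER,
# so the DNAT selector is "-s VPN_SERVER -d EXT_IP". After PREROUTING has
# rewritten the destination, FORWARD sees -d VPN_CLIENT, so the ACCEPT rules
# match on the translated address.
inbound_rules() {
    # ESP (IP protocol 50) carries the tunnelled data
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -s "$VPN_SERVER" -d "$EXT_IP" -p esp \
        -j DNAT --to-destination "$VPN_CLIENT"
    # IKE on UDP/500, so server-initiated rekeys also reach the client
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -s "$VPN_SERVER" -d "$EXT_IP" -p udp --dport 500 \
        -j DNAT --to-destination "$VPN_CLIENT"
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -s "$VPN_SERVER" -d "$VPN_CLIENT" -p esp -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -s "$VPN_SERVER" -d "$VPN_CLIENT" -p udp --dport 500 -j ACCEPT
}

outbound_rules() {
    # Inside hosts may initiate anything; replies come back via conntrack
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ESP has no ports, so keep the outbound mapping simple and static:
    # SNAT to the fixed public address (MASQUERADE is equivalent when the
    # address is dynamic, but it also forgets its mappings when the link drops).
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to-source "$EXT_IP"
}

apply_all() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F
    inbound_rules
    outbound_rules
    # Log whatever falls through before the DROP policy eats it
    $IPTABLES -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

apply_all
```

Two caveats worth knowing before relying on this. Kernel 2.4 connection tracking has no SPI-aware ESP helper; it tracks protocol 50 only by address pair, so exactly one inside host can run an ESP tunnel to a given server through the box at a time, which is why the rules above hard-wire a single $VPN_CLIENT. And if both ends of the tunnel support NAT traversal (ESP encapsulated in UDP/4500), enabling it avoids forwarding raw protocol 50 altogether and is the easier fix when it is available.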