Helge Weissig wrote:
> I mean with "incomplete" that the tcpdump traffic I see does not show up
> in the logs. I used your rules at the end of your reply and see the same
> thing: ESP from VPN_SERVER hits $EXTIF, triggers the "protocol 50
> unreachable" icmp response and no log entry ever shows up in the kernel
> log from the iptables log rule. I am suspecting that your option 3) is
> indeed the problem.
> h.
It is possible that a conntrack already exists, or the packet can't be
conntracked, so the packet doesn't pass through nat PREROUTING.
Try putting the log rule in the mangle PREROUTING chain.
If they do match a log rule here, check if they are invalid
with -m conntrack --ctstate INVALID.
Also check if there are any esp conntracks in /proc/net/ip_conntrack
--
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
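The three checks from the reply above (log rule in mangle PREROUTING, a second log rule matching `-m conntrack --ctstate INVALID`, and a look for ESP entries in /proc/net/ip_conntrack) collected into one script. This is an added example, not code from the thread or from SnapGear. It assumes `eth0` stands in for $EXTIF, the `esp-mangle:`/`esp-invalid:` log prefixes are arbitrary, the ip_conntrack table lists generically tracked protocols as `unknown` followed by the protocol number (an assumption about the table format), and the sample table lines are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface name, log
# prefixes, table format and sample conntrack lines are assumptions.

# Print the diagnostic rules for an external interface. mangle PREROUTING
# is traversed before nat PREROUTING and for every packet, whether or not
# a conntrack already exists, so an ESP packet that never reaches a nat
# PREROUTING log rule still shows up here.
esp_diag_rules() {
    extif="$1"
    # 1) does the ESP packet get this far at all?
    printf 'iptables -t mangle -I PREROUTING 1 -i %s -p esp -j LOG --log-prefix "esp-mangle: "\n' "$extif"
    # 2) if it does, is conntrack classifying it as INVALID?
    printf 'iptables -t mangle -I PREROUTING 2 -i %s -p esp -m conntrack --ctstate INVALID -j LOG --log-prefix "esp-invalid: "\n' "$extif"
}

# 3) filter an ip_conntrack table (read from stdin) down to ESP entries.
# Assumed line format: protocol name, protocol number, timeout, tuples.
# A protocol without its own tracker is assumed to appear as "unknown 50".
esp_conntracks() {
    while read -r proto num rest; do
        if [ "$proto" = "esp" ] || [ "$num" = "50" ]; then
            printf '%s %s %s\n' "$proto" "$num" "$rest"
        fi
    done
}

# Constructed sample of /proc/net/ip_conntrack (documentation addresses,
# not captured from any real system): one ESP, one IKE, one SSH entry.
sample_conntrack() {
    cat <<'EOF'
unknown  50 599 src=203.0.113.10 dst=198.51.100.5 src=198.51.100.5 dst=203.0.113.10 use=1
udp      17 29 src=203.0.113.10 dst=198.51.100.5 sport=500 dport=500 src=198.51.100.5 dst=203.0.113.10 sport=500 dport=500 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=198.51.100.5 sport=40000 dport=22 src=198.51.100.5 dst=10.0.0.2 sport=22 dport=40000 [ASSURED] use=1
EOF
}

# Usage: sh esp-diag.sh apply eth0  (as root: install the rules, then watch
#                                    the kernel log for esp-mangle:/esp-invalid:)
#        sh esp-diag.sh show eth0   (print the rules and current ESP conntracks)
case "${1:-}" in
    apply)
        esp_diag_rules "${2:-eth0}" | sh
        ;;
    show)
        esp_diag_rules "${2:-eth0}"
        if [ -r /proc/net/ip_conntrack ]; then
            esp_conntracks < /proc/net/ip_conntrack
        fi
        ;;
esac
```

Read the results in the order of the reply: no `esp-mangle:` line in the kernel log means the packet is dropped or rejected before netfilter sees it; `esp-mangle:` without `esp-invalid:` but no nat PREROUTING log means a conntrack already exists (the `show` output will list it); `esp-invalid:` means conntrack cannot track the packet, which also keeps it out of the nat table.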