Re: protocol 50 unreachable

What do you know?? As mysteriously as the problem appeared, it seems to have resolved itself. I am stumped!

Thanks to all of you for your input and patience.

h.

On Dec 1, 2004, at 2:51 PM, Helge Weissig wrote:

Sorry for the cross-post, but this problem is really nagging me. What I
did not put into the post below is the fact that it only occurred after a
reboot of my Linux system due to a short power outage. Here is the routing
table, if that makes any difference:


Kernel IP routing table
Destination  Gateway     Genmask         Flags Metric Ref    Use Iface
10.0.0.0     0.0.0.0     255.255.255.0   U     0      0        0 eth1
xx.xx.xx.0   0.0.0.0     255.255.255.0   U     0      0        0 eth0
127.0.0.0    0.0.0.0     255.0.0.0       U     0      0        0 lo
0.0.0.0      xx.xx.xx.1  0.0.0.0         UG    0      0        0 eth0

The xx.xx.xx is the first part of my external IP address.

thanks for any advice or insight!
h.



From: helgew@xxxxxxxxxxxx (Helge Weissig)
Newsgroups: comp.security.firewalls
Subject: protocol 50 unreachable
NNTP-Posting-Host: 63.196.131.66
Message-ID: <a1a4b233.0411301146.3c342dce@xxxxxxxxxxxxxxxxxx>

Hi,

I have been searching for information about this problem high and low
but came up dry. Basically, I am trying to connect to a VPN server via
IPsec from behind a NAT firewall set up on a Linux (kernel 2.4.x) box
with iptables. I have no problem establishing the connection via port
500 as this is initiated by the client. However, I cannot seem to get
protocol 50 (ESP) to work, independent of whether the IPsec tunnel is
established or not. I have tried every incantation of iptables rules I
could find, to no avail. When I set up tcpdump on both interfaces on my
server as well as on the client behind it, a port I have opened for
forwarding responds as expected. If I run 'nmap -sO' from somewhere
outside however, it will report protocol 50 as open although the
external interface reports an 'icmp: xx.xx.xx.xx protocol 50
unreachable' response and the two other interfaces never see the
traffic.

Here is my current iptables configuration:

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "Enabling PORTFW Redirection on the external LAN.."
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p esp -j ACCEPT
$IPTABLES -A PREROUTING -t nat -d $VPN_SERVER -p esp -j DNAT \
 --to-destination $VPN_CLIENT

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state \
 --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Here is the tcpdump info I see on $EXTIF:

10:23:09.234937 (vpn server ip) > (my ip): ESP(spi=0x00000000,seq=0x0)
10:23:09.235055 (my ip) > (vpn server ip): icmp: (my ip) protocol 50 unreachable [tos 0xc0]

(these are empty packets sent by nmap but it looks the same for legit
ones coming from the vpn server ip). FWIW, when the IPsec tunnel is
established and I try to ping a host behind the vpn server, I see
the outgoing packets on all three interfaces, but no response.

thanks for any information or pointers in advance!
h.
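The symptom in the quoted post (the firewall's own external interface answering with ICMP "protocol 50 unreachable" while neither inner interface sees the packet) is what happens when inbound ESP is delivered to the firewall's local IP stack instead of being DNATed to the client: the quoted PREROUTING rule keys on -d $VPN_SERVER, but an ESP packet arriving from the VPN server carries the firewall's external address as destination and the server as source, so that rule never matches. The script below is an added example, not the poster's configuration and not a netfilter project script; it emits the corrected rule set. EXTIP, the dry-run wrapper and all addresses are assumptions/placeholders.

```shell
#!/bin/sh
# Added example: ESP (IP protocol 50) forwarding for one IPsec client behind
# an iptables NAT box. Addresses below are constructed placeholders.
EXTIF=${EXTIF:-eth0}
INTIF=${INTIF:-eth1}
EXTIP=${EXTIP:-203.0.113.10}            # firewall's public address (assumed)
VPN_SERVER=${VPN_SERVER:-198.51.100.5}  # remote IPsec gateway (assumed)
VPN_CLIENT=${VPN_CLIENT:-10.0.0.20}     # inside host running the client
# Dry run by default: print the rules instead of loading them (loading needs root).
IPTABLES=${IPTABLES:-"echo iptables"}

# Emit the rules that deliver inbound ESP to the client rather than to the
# firewall's own IP stack, which has no ESP handler and so replies with
# ICMP "protocol 50 unreachable" (the exact tcpdump line in the post).
esp_forward_rules() {
    # Inbound ESP is FROM the VPN server TO our external address; the DNAT
    # must key on that direction. "-d $VPN_SERVER" only ever matches the
    # client's outbound ESP, which is the wrong packet to rewrite.
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p esp \
        -s "$VPN_SERVER" -d "$EXTIP" -j DNAT --to-destination "$VPN_CLIENT"
    # The translated packet then crosses FORWARD (policy DROP): allow it.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p esp \
        -s "$VPN_SERVER" -d "$VPN_CLIENT" -j ACCEPT
    # Outbound ESP from the client to the server; MASQUERADE on POSTROUTING
    # rewrites its source to the external address, as in the original script.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -p esp \
        -s "$VPN_CLIENT" -d "$VPN_SERVER" -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Self-check on the generated text: the DNAT rule must key on the server as
# source and our external address as destination. Returns 0 when correct.
check_dnat_direction() {
    esp_forward_rules | grep -- '-j DNAT' | grep -q -- "-s $VPN_SERVER -d $EXTIP"
}

esp_forward_rules
```

Run it as-is to see the rules; set IPTABLES=/sbin/iptables (as root) to load them.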
