Hello, I set up an ipsec tunnel between 2 private networks, using two machines running Linux 2.6 + racoon for IKE. The tunnel works quite correctly, however, I have sometimes (well this happens usually actually) the packets from private IP of one gateway not going through the tunnel. Traffic from lan host on both side work very well. It's just that traffic from one gateway to the other that sometimes gets lost. Both machines also act as router/firewall (using netfilter) to provide internet access to each private lans. Config is : Host A: eth0 = 1.1.1.1 (lan) eth1 = 80.1.1.1 (inet) Host B: eth0 = 2.1.1.1 (lan) eth1 = 192.168.1.10 (semi private behind a NAT box) 80.1.1.2 I could then track the packets using the LOG target and here is what happens : if I do the following on host A ping -I eth0 2.1.1.1 -c 1 I can see the packet get out of host A : May 28 16:16:46 firewall kernel: OPT1: IN= OUT=eth1 SRC=1.1.1.1 DST=2.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=31821 SEQ=1 May 28 16:16:46 firewall kernel: POSTN: IN= OUT=eth1 SRC=1.1.1.1 DST=2.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=31821 SEQ=1 May 28 16:16:46 firewall kernel: OPT1: IN= OUT=eth1 SRC=80.1.1.1 DST=80.1.1.2 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=45571 DF PROTO=ESP SPI=0xd934b73 then get in on host B : May 28 16:16:46 blg-srv-01 kernel: IPT1: IN=eth3 OUT= MAC=00:1a:64:d2:ae:62:00:1d:68:48:77:62:08:00 SRC=80.1.1.1 DST=192.168.1.10 LEN=152 TOS=0x00 PREC=0x00 TTL=54 ID=45571 DF PROTO=ESP SPI=0xd934b73 May 28 16:16:46 blg-srv-01 kernel: PRER: IN=eth3 OUT= MAC=00:1a:64:d2:ae:62:00:1d:68:48:77:62:08:00 SRC=1.1.1.1 DST=2.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=31821 SEQ=1 May 28 16:16:46 blg-srv-01 kernel: PREN: IN=eth3 OUT= MAC=00:1a:64:d2:ae:62:00:1d:68:48:77:62:08:00 SRC=1.1.1.1 DST=2.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=31821 SEQ=1 May 28 16:16:46 blg-srv-01 kernel: IPT1: IN=eth3 OUT= MAC=00:1a:64:d2:ae:62:00:1d:68:48:77:62:08:00 SRC=1.1.1.1 DST=2.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=31821 SEQ=1 then the reply gets out of host B : May 28 16:16:46 blg-srv-01 kernel: OPT1: IN= OUT=eth3 SRC=192.168.1.10 DST=1.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=57410 PROTO=ICMP TYPE=0 CODE=0 ID=31821 SEQ=1 but now the source address changed May 28 16:16:46 blg-srv-01 kernel: OPT1: IN= OUT=eth3 SRC=192.168.1.10 DST=80.1.1.1 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=13335 PROTO=ESP SPI=0x589e47e then the reply get's back in host A : May 28 16:16:46 firewall kernel: IPT1: IN=eth1 OUT= MAC=00:30:05:02:83:2d:00:07:cb:06:70:9c:08:00 SRC=80.1.1.2 DST=80.1.1.1 LEN=152 TOS=0x00 PREC=0x00 TTL=53 ID=13335 PROTO=ESP SPI=0x589e47e but as the source address is changed in the reply packet, it is not matched. This happens with ICMP, but I suspect it also happens with other protocol (UDP and TCP) because I have some services (bind and samba for instance) that reports failed or lost connexion. The weird thing in this, is that sometimes (often) it works correctly, but sometimes not. Anybody can help ? -- François Legal Message scanned by ClamAV engine (http://www.clamav.net) -------------------------------------------------------- -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
