Re: SNAT with ipsec => return packets not de-natted

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Nov 5, 2009 at 8:44 AM, Jari Laurila <jari.laurila@xxxxxxxxx> wrote:
> On Wed, Nov 4, 2009 at 2:27 PM, Patrick McHardy <kaber@xxxxxxxxx> wrote:
>> Jari Laurila wrote:
>>> On Tue, Nov 3, 2009 at 8:54 AM, Jari Laurila <jari.laurila@xxxxxxxxx> wrote:
>>>> Don't anyone have any clues for the problem I sent to the list on sunday?
>>>>
>>>> I find it really strange that decrypted packets coming from ipsec
>>>> tunnel with destination address xx.xx.xx.42 are sent through interface
>>>> ext1 even though ip -s route get xx.xx.xx.42 says that packet should
>>>> go through interface ext0b. Ipsec tunnel itself is going through
>>>> inteface ext1 but shouldn't packets get routed after they come from
>>>> tunnel? I even tried to look at kernel code to figure out why this
>>>> happens but I don't know enough about kernel and my c skills are a bit
>>>> lacking, so I couldn't find the cause.
>>>>
>>>
>>> Update Netfilter sees packet at mangle table in PREROUTING chain (I
>>> added LOG rule), but nat table does not see the packet.
>>>
>>> I also have fwd policy defined for the connection in question:
>>>
>>> src srcip.srcip.srcip.secip/32 dst dstip.dstip.dstip.42/32
>>>         dir fwd priority 0
>>>         tmpl src gwip.gwip.gwip.gwip dst remgw.remgw.remgw.remgw
>>>                 proto esp reqid 0 mode tunnel
>>
>> Try adding a TRACE rule to see how the packet traverses the netfilter
>> hooks.
>>
> I did that. Here are the results:
>
> kernel: TRACE: raw:PREROUTING:policy:2 IN=ext1 OUT= MAC=xxx
> SRC=remote_server DST=xxx.42 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=43368
> PROTO=TCP SPT=21 DPT=1261 SEQ=4137897325 ACK=3664330034 WINDOW=65535
> RES=0x00 ACK RST URGP=0
> kernel: TRACE: mangle:PREROUTING:rule:1 IN=ext1 OUT= MAC=xxx
> SRC=remote_server DST=xxx.42 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=43368
> PROTO=TCP SPT=21 DPT=1261 SEQ=4137897325 ACK=3664330034 WINDOW=65535
> RES=0x00 ACK RST URGP=0
> kernel: TRACE: mangle:PREROUTING:rule:12 IN=ext1 OUT= MAC=xxx
> SRC=remote_server DST=xxx.42 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=43368
> PROTO=TCP SPT=21 DPT=1261 SEQ=4137897325 ACK=3664330034 WINDOW=65535
> RES=0x00 ACK RST URGP=0
> kernel: TRACE: mangle:sanitychk_acl:return:38 IN=ext1 OUT= MAC=xxx
> SRC=remote_server DST=xxx.42 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=43368
> PROTO=TCP SPT=21 DPT=1261 SEQ=4137897325 ACK=3664330034 WINDOW=65535
> RES=0x00 ACK RST URGP=0
> kernel: TRACE: mangle:PREROUTING:policy:13 IN=ext1 OUT= MAC=xxx
> SRC=remote_server DST=xxx.42 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=43368
> PROTO=TCP SPT=21 DPT=1261 SEQ=4137897325 ACK=3664330034 WINDOW=65535
> RES=0x00 ACK RST URGP=0
>
>
> Mangle chains policy is accept:
> # iptables -t mangle -vnL PREROUTING
> Chain PREROUTING (policy ACCEPT 46M packets, 21G bytes)
> ...
> Other rules
> ...
>
Gah.. I feel really stupid right now :|

My ipsec-tools.conf had typo I didn't notice until I read the confs
hundredth time:

I had lines
spdadd xx.xx.xx.42/32 aa.aa.aa.aa/32 any -P out ipsec
esp/tunnel/yy.yy.yy.yy-bb.bb.bb.bb/require;
spdadd aa.aa.aa.aa/32 xx.xx.xx.42/32 any -P in ipsec
esp/tunnel/yy.yy.yy.yy-bb.bb.bb.bb/require;

and the correct lines were
spdadd xx.xx.xx.42/32 aa.aa.aa.aa/32 any -P out ipsec
esp/tunnel/yy.yy.yy.yy-bb.bb.bb.bb/require;
spdadd aa.aa.aa.aa/32 xx.xx.xx.42/32 any -P in ipsec
esp/tunnel/bb.bb.bb.bb-yy.yy.yy.yy/require;

Still I think kernel should have better logging in situations like
these. I found absolutely nothing from logs when i investigated why my
setup failed...

Thanks anyway.. I hope I didn't waste too much of your time :)
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux