Hi all,
I'm hoping somebody here may be able to point me in the right direction,
as I've been banging my head against a brick wall for a few days now. I
have OpenConnect running on my Ubuntu 11.10 system, and it works fine
(connect parameters posted below). The problem comes when I want to use
my PC as a gateway for other systems on my local network - effectively
performing NAT between the eth0 and tun0 interfaces. After connecting, I
run the following :
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
sysctl -w net.ipv4.ip_forward=1
I then log into another system and route traffic to the remote VPN
through my Ubuntu openconnect system. This appears to work fine for
ICMP, SSH, MySQL and so on - but for some reason, I cannot seem to NAT
HTTP traffic. On the Ubuntu gateway itself, HTTP access works as
expected - no problems. From the "client" system, a simple cURL request
just hangs. A tcpdump of the traffic shows that it does seem to be
reaching the remote server on the VPN (and I see a "hit" in the Apache
logs), but nothing much happens after that.
If anyone has any ideas how I should start to troubleshoot this, I'd
very much appreciate it!
Here's the simple tcpdump output from the client behind the openconnect
"gateway" :
09:31:05.385701 IP (tos 0x0, ttl 64, id 26318, offset 0, flags [DF],
proto TCP (6), length 60)
192.168.16.210.40521 > 10.132.112.16.http: Flags [S], cksum 0xce27
(correct), seq 213837445, win 5840, options [mss 1460,sackOK,TS val
80838731 ecr 0,nop,wscale 7], length 0
09:31:05.804517 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto
TCP (6), length 60)
10.132.112.16.http > 192.168.16.210.40521: Flags [S.], cksum 0x7672
(correct), seq 1719559033, ack 213837446, win 5792, options [mss
1380,sackOK,TS val 940529181 ecr 80838731,nop,wscale 7], length 0
09:31:05.804542 IP (tos 0x0, ttl 64, id 26319, offset 0, flags [DF],
proto TCP (6), length 52)
192.168.16.210.40521 > 10.132.112.16.http: Flags [.], cksum 0xb9be
(correct), seq 1, ack 1, win 46, options [nop,nop,TS val 80839149 ecr
940529181], length 0
09:31:05.804639 IP (tos 0x0, ttl 64, id 26320, offset 0, flags [DF],
proto TCP (6), length 221)
192.168.16.210.40521 > 10.132.112.16.http: Flags [P.], cksum 0x4cde
(incorrect -> 0x86a4), seq 1:170, ack 1, win 46, options [nop,nop,TS val
80839150 ecr 940529181], length 169
09:31:06.582903 IP (tos 0x0, ttl 50, id 35919, offset 0, flags [DF],
proto TCP (6), length 52)
10.132.112.16.http > 192.168.16.210.40521: Flags [.], cksum 0xb609
(correct), seq 1, ack 170, win 54, options [nop,nop,TS val 940529952 ecr
80839150], length 0
09:31:06.584539 IP (tos 0x0, ttl 50, id 35923, offset 0, flags [DF],
proto TCP (6), length 1188)
10.132.112.16.http > 192.168.16.210.40521: Flags [FP.], cksum
0x04c7 (correct), seq 4105:5241, ack 170, win 54, options [nop,nop,TS
val 940529953 ecr 80839150], length 1136
09:31:06.584550 IP (tos 0x0, ttl 64, id 26321, offset 0, flags [DF],
proto TCP (6), length 64)
192.168.16.210.40521 > 10.132.112.16.http: Flags [.], cksum 0xc47c
(correct), seq 170, ack 1, win 46, options [nop,nop,TS val 80839929 ecr
940529952,nop,nop,sack 1 {4105:5242}], length 0
09:31:21.589638 IP (tos 0x0, ttl 64, id 4969, offset 0, flags [DF],
proto TCP (6), length 64)
192.168.16.210.58192 > 10.132.112.16.http: Flags [F.], cksum 0x06d7
(correct), seq 2265467025, ack 1690888712, win 46, options [nop,nop,TS
val 80854935 ecr 940387564,nop,nop,sack 1 {4105:5242}], length 0
And here are the parameters I am passing to openconnect :
--no-dtls
--disable-ipv6
--no-cert-check
--passwd-on-stdin
Many thanks in advance,
-Mark
