decrypted ipsec packets lost, last seen in INPUT chain

[Daniel Dorau <daniel.dorau@alumni.tu-berlin.de>]

Hello list,
I have a problem with decrypted ipsec packets lost. I'm not sure if this
is netfilter related, maybe someone has any idea.

I have a local interface with both 192.168.178.2 (unencrypted) and
192.168.202.5 assigned to it. Packets directed to the private network
are routed to local address 192.168.202.5 which is the local ipsec
tunnel endpoint.
Now if I ping a machine within the VPN, a ICMP echo request is sent
encrypted via 192.168.202.5 into the tunnel. An encrypted ICMP echo
reply is sent back, can be seen with ethereal and in netfilter's INPUT
chain. That echo reply is decrypted and can be seen again in ethereal
(now decrypted) as well as in the INPUT chain.

INPUT chain has policy ACCEPT and doesn't contain any rule except
logging every packet for debugging.

So, basically ipsec works as I get the echo reply decrypted to my INPUT
chain.
But then the packet is lost, ping itself never receives it (strace shows
-EAGAIN as result of recvmsg).
Same for TCP connections. I can see the SYN,ACK in the INPUT chain but
the application never gets it.

Does anybody has an idea where and/or why packets can get lost after
travelling through INPUT chain? (POLICY ACCEPT s.above)
IP adresses and packets itself as inspected within ethereal look
perfectly ok.

Any ideas? I'm completely lost. :-/

Thank you,
Daniel

-- 
Daniel Dorau