From: Jason Opperisano <opie@817west.com>
To: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Re: protocol 50 unreachable
Date: Thu, 2 Dec 2004 15:11:02 -0500
Message-ID: <20041202201102.GA5915@bender.817west.com>
In-Reply-To: <Pine.LNX.4.44.0412021019060.25230-100000@gollum.grajagan.net>
On Thu, Dec 02, 2004 at 10:22:27AM -0800, Helge Weissig wrote:
> The iptable logs are not complete
if you're not providing all the details, i'm not sure how we're supposed
to be able to help. the information i was going on was:
Chain PREROUTING (policy ACCEPT 1380 packets, 95540 bytes)
 pkts bytes target  prot opt in  out  source     destination
    0     0 LOG     all  --  *   *    0.0.0.0/0  0.0.0.0/0    LOG flags 0 level 6 prefix `all preroute: '
and the log entries:
Dec 1 21:38:37 gollum kernel: all preroute: IN=eth1 OUT= MAC=00:c0:4f:22:05:03:00:30:65:1f:ed:0a:08:00 SRC=10.0.0.200 DST=(VPN SERVER IP) LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=8977 PROTO=ESP SPI=0x2e9dc0d2
your log rule in PREROUTING of the nat table should catch every single
packet, before any filtering (or even routing) takes place (unless you
have filter rules in mangle). the fact that every log entry you provided
(like the above) shows ESP from client->server means:
1) there are zero ESP packets coming from server->client
2) you removed those log entries from your post
3) packets from server->client disappear somewhere between the pcap
layer and the netfilter PREROUTING hook
are you saying it's #2?
> and as I mentioned, I may need help with
> setting that up. I can see the packets coming from the server with tcpdump
> as I showed in my original post but then an immediate reply is sent back
> and nothing goes through to the internal interface.
if you can see ESP packets hitting your external interface from the VPN
server with tcpdump, but a log rule in PREROUTING of the nat table
doesn't see them--you have something horribly, horribly wrong with your
firewall machine.
> The same thing happens
> when I use nmap to scan ip protocols. Conversely, my internal ESP traffic
> ends at the internal interface of my firewall. It never reaches the
> external interface or the outside. TCP traffic works fine as you can see
> from the ping logs from the internal client. Could this indicate that
> there is a problem before anything gets to iptables?
yes.
if you use these rules:
iptables -t nat -A PREROUTING -p 50 -j LOG \
--log-prefix "PREROUTE ESP: "
iptables -A FORWARD -p 50 -j LOG --log-prefix "FWD ESP: "
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
you should get logs in both directions (client->server and
server->client). if not...well, let's assume for now that you will...
it would also greatly help if you made sure to post all the logs
generated by the above, so as not to mislead us.
-j
--
"Ah, beer, my one weakness. My Achilles heel, if you will."
--The Simpsons
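Added example, not part of the thread or of anyone's post in it: a small Python parser for kernel LOG lines in the format Jason quotes above, which tallies ESP (protocol 50) packets per log prefix and per direction once you tell it the VPN server's address. Run over the complete logs produced by the PREROUTE ESP / FWD ESP rules, it separates the three cases he enumerates (no server->client ESP at all, entries left out of the post, or packets lost between a hook and the next). The sample log lines, the interface roles (eth1 internal, eth0 external) and the addresses 192.0.2.10 and 203.0.113.5 are constructed for the example; the log prefixes are the ones from the rules above.

```python
import re
from collections import Counter

# Constructed sample of what the LOG rules above would write to the kernel log.
# Assumption for the sample: eth1 is the internal interface, eth0 the external one,
# 192.0.2.10 stands in for the (redacted) VPN server, 203.0.113.5 for the firewall's
# external address that MASQUERADE puts on outgoing packets.
VPN_SERVER_IP = "192.0.2.10"
SAMPLE_LOG = """\
Dec  1 21:38:37 gollum kernel: PREROUTE ESP: IN=eth1 OUT= MAC=00:c0:4f:22:05:03:00:30:65:1f:ed:0a:08:00 SRC=10.0.0.200 DST=192.0.2.10 LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=8977 PROTO=ESP SPI=0x2e9dc0d2
Dec  1 21:38:37 gollum kernel: FWD ESP: IN=eth1 OUT=eth0 SRC=10.0.0.200 DST=192.0.2.10 LEN=136 TOS=0x00 PREC=0x00 TTL=63 ID=8977 PROTO=ESP SPI=0x2e9dc0d2
Dec  1 21:38:38 gollum kernel: PREROUTE ESP: IN=eth0 OUT= MAC=00:30:65:1f:ed:0a:00:11:22:33:44:55:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=120 TOS=0x00 PREC=0x00 TTL=55 ID=41 PROTO=ESP SPI=0x1a2b3c4d
Dec  1 21:38:39 gollum kernel: PREROUTE ESP: IN=eth1 OUT= MAC=00:c0:4f:22:05:03:00:30:65:1f:ed:0a:08:00 SRC=10.0.0.200 DST=192.0.2.10 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=8978 PROTO=UDP SPT=500 DPT=500 LEN=84
"""

# "kernel: <prefix>: IN=..." -- the prefix is whatever --log-prefix set, up to the
# first ": " that is followed by the IN= field netfilter always emits first.
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?): (?P<fields>IN=.*)$")
# KEY=value pairs; OUT= legitimately has an empty value in PREROUTING, hence \S*.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return {'prefix': ..., 'IN': ..., 'PROTO': ..., ...} or None for non-LOG lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["prefix"] = m.group("prefix")
    return rec


def esp_direction_summary(log_text, vpn_server_ip):
    """Count ESP packets per (log prefix, direction) relative to the VPN server."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec.get("PROTO") != "ESP":
            continue
        if rec.get("DST") == vpn_server_ip:
            direction = "client->server"
        elif rec.get("SRC") == vpn_server_ip:
            direction = "server->client"
        else:
            direction = "other"
        counts[(rec["prefix"], direction)] += 1
    return counts


def missing_return_traffic(counts):
    """Prefixes (hooks) that saw client->server ESP but never saw server->client ESP."""
    prefixes = {prefix for prefix, _ in counts}
    return sorted(
        p for p in prefixes
        if counts[(p, "client->server")] and not counts[(p, "server->client")]
    )


if __name__ == "__main__":
    summary = esp_direction_summary(SAMPLE_LOG, VPN_SERVER_IP)
    for (prefix, direction), n in sorted(summary.items()):
        print(f"{prefix:14s} {direction:15s} {n}")
    # In the constructed sample the return ESP reaches PREROUTING but is not
    # logged in FORWARD, so the gap lies between those two hooks.
    print("no server->client ESP logged by:", missing_return_traffic(summary))
```

Feed it the real log (for example `esp_direction_summary(open("/var/log/messages").read(), server_ip)`) and compare the PREROUTE ESP and FWD ESP rows: a prefix present in one direction only tells you which hook the return packets never reach, which is the question the reply above is trying to settle.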