From: Patrick McHardy <kaber@trash.net>
To: Christophe Saout <christophe@saout.de>
Cc: netfilter-devel@lists.netfilter.org,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: 2.6.16-rc1-mm3 XFRM+NAT issue
Date: Sun, 29 Jan 2006 20:57:50 +0100
Message-ID: <43DD1E3E.70503@trash.net>
In-Reply-To: <1138563710.26998.22.camel@leto.intern.saout.de>
Christophe Saout wrote:
> Hi,
>
> I'm very glad that you found some time to get these patches into the
> mainline kernel. Unfortunately I think I'm running into a case where
> it's not working (it's working with 2.6.12 + the old unofficial IPSEC
> +NAT patches).
>
>           .--- gateway host ---.             .-- pub. host -.
> priv net -|NAT + IPSEC endpoint|- internet -|IPSEC endpoint|
>           '--------------------'            '--------------'
>
> ping ----->---*NAT*---*XFRM*********>*********XFRM*--------.
>                                                            v
>                    ???.....*********<*********XFRM*- pong -'
>
> Without IPSEC turned on I can reach the host on the far right from any
> host in the private network on the left without problem. The private
> address is source-NATted (masqueraded) at the gateway.
>
> When turning on the IPSEC connection between the gateway and the
> internet host, the host in the private network can't reach the internet
> host (on the right) anymore. It's still reachable from the gateway
> itself though.
>
> When pinging from the host behind the gateway the packet passes through
> the gateway, gets to the internet host, which responds to the ping and
> sends an encrypted packet back through the IPSEC connection which then
> arrives at the gateway. But then the gateway simply ignores the packet
> instead of decapsulating and DNATting it back to the host in the private
> network. At least that's what I can gather from tcpdump. If I run
> tcpdump on ppp0 on the gateway I can see encrypted packets go out to the
> host on the right and encrypted packets coming back and that's it.
>
> I couldn't exactly keep track of all the changes since 2.6.12 and I
> was hoping that this kernel would just work and fulfill my needs... and
> I still don't really "get" the networking stack, so I have no clue where to
> start looking at what could go wrong.
>
> So, do you perhaps have any ideas?
It should work just fine. Please add logging rules for both encrypted
and decrypted packets to all chains in the mangle table and enable
logging of invalid packets in connection tracking
(echo 255 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid)
and post the results.
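One way to read the logs Patrick asks for, as an added example that is not part of the thread: it parses iptables LOG lines whose prefix carries the mangle chain name and reports, for each decrypted echo reply, the last chain it was seen in, which is where to start looking. The log lines, prefixes, addresses and the dropped reply are all constructed for illustration; the thread does not say where the packet is actually lost.

```python
import re

# Constructed sample of what per-chain LOG rules in the mangle table might
# leave in the kernel log (prefix "mangle-<CHAIN>: "). Addresses are from
# documentation ranges; the reply vanishing after PREROUTING is invented
# to show the method, not the real cause discussed in the thread.
SAMPLE_KLOG = """\
kernel: mangle-PREROUTING: IN=eth1 OUT= SRC=192.168.1.20 DST=198.51.100.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
kernel: mangle-FORWARD: IN=eth1 OUT=ppp0 SRC=192.168.1.20 DST=198.51.100.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
kernel: mangle-POSTROUTING: IN= OUT=ppp0 SRC=192.168.1.20 DST=198.51.100.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
kernel: mangle-POSTROUTING: IN= OUT=ppp0 SRC=203.0.113.10 DST=198.51.100.5 LEN=136 PROTO=ESP SPI=0x0c0ffee1
kernel: mangle-PREROUTING: IN=ppp0 OUT= SRC=198.51.100.5 DST=203.0.113.10 LEN=136 PROTO=ESP SPI=0x0c0ffee2
kernel: mangle-INPUT: IN=ppp0 OUT= SRC=198.51.100.5 DST=203.0.113.10 LEN=136 PROTO=ESP SPI=0x0c0ffee2
kernel: mangle-PREROUTING: IN=ppp0 OUT= SRC=198.51.100.5 DST=203.0.113.10 LEN=84 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=1
"""

# Fields the LOG target prints: ESP carries an SPI, ICMP carries type/id/seq.
LOG_RE = re.compile(
    r"mangle-(?P<chain>[A-Z]+): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPI=(?P<spi>\S+))?(?: TYPE=(?P<type>\d+) CODE=\d+ ID=(?P<id>\d+) SEQ=(?P<seq>\d+))?")

# Order in which a packet meets the mangle hooks while crossing the box.
HOOK_ORDER = ["PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"]

def parse_klog(text):
    """Turn LOG lines into dicts; lines without the mangle prefix are skipped."""
    return [m.groupdict() for m in (LOG_RE.search(l) for l in text.splitlines()) if m]

def flow_key(rec):
    """Group packets of one flow: ESP by SPI, ICMP by type, id and sequence."""
    if rec["proto"] == "ESP":
        return ("ESP", rec["spi"])
    return ("ICMP", rec["type"], rec["id"], rec["seq"])

def trace_flows(records):
    """Map each flow to the list of mangle chains it was logged in, in order."""
    flows = {}
    for rec in records:
        flows.setdefault(flow_key(rec), []).append(rec["chain"])
    return flows

def lost_replies(records):
    """Echo replies (TYPE=0) seen decrypted but never forwarded, keyed to the
    hook they were last seen at: the drop happened after that hook."""
    lost = {}
    for key, chains in trace_flows(records).items():
        if key[0] == "ICMP" and key[1] == "0" and "FORWARD" not in chains:
            lost[key] = max(chains, key=HOOK_ORDER.index)
    return lost
```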