Linux Netfilter discussions
Subject: IPsec UDP 500 being changed? by iptables?
From: Jesse Gordon @ 2006-07-24 21:30 UTC
To: netfilter

Hello,

I've a VPN tunnel running between two Firebox endpoints through my Linux iptables NATting firewall, and one end can always bring up the tunnel, but the other can't. I'm trying to understand why, and I noticed something strange in the output of tcpdump, which makes it look to my untrained eye like iptables is changing the flags on the VPN packet.

So my question is: "Why does the packet appear differently in tcpdump when it leaves my iptables NAT box than when it enters said NAT box?" Should not only the source and destination IPs change?

Specifically, it comes in with the flags ".. I ident" and leaves with the flags ".. ? ident".

Note: my tcpdump is connected to the switch port analyzer port on our switch and captures any packet that enters or leaves either internal or external network card on my NAT firewall. That's why the packets each show up twice.

In more detail:

13:42:03.966796 IP 10.0.0.110.500 > 64.14.174.134.500: isakmp: phase 1 I ident
13:42:03.966945 IP 64.14.180.239.500 > 64.14.174.134.500: isakmp: phase 1 ? ident
13:42:03.968916 IP 64.14.174.134.500 > 64.14.180.239.500: isakmp: phase 1 R inf
13:42:03.968936 IP 64.14.174.134.500 > 10.0.0.110.500: isakmp: phase 1 R inf

10.0.0.110 = one VPN endpoint. 64.14.174.134 = other VPN endpoint.

The above shows one endpoint sending out a UDP port 500 packet attempting to establish a tunnel with *.134. Then my iptables NAT firewall box relays the packet on out from its own IP of *.239, sending the packet to the intended *.134. But notice that the flags say "? ident" instead of "I ident" the second time the packet is seen, on the other (outgoing) side of the NAT box.

Then of course the other endpoint sends back a response, which gets port forwarded on in to the first endpoint.

But the tunnel will not come alive, so I'm wondering if my iptables is changing something in that packet, which is causing the attempt to fail.

If attempted from the other end, the tunnel comes right up.

I searched Google but could not find out what that "?" vs. "I" meant.

Where could I read about the meaning of the output of tcpdump that tells about these protocols? (My man tcpdump doesn't.)

Thanks very much,

-Jesse Gordon


Nikola Engineering Inc.
224 W. Washington St.
Suite 104
Sequim, WA 98382-3371
Tel  (360)582-1051
Fax (360)582-1104
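An added worked example, not code from this thread or from tcpdump: a minimal parser for the 28-byte ISAKMP header that reproduces the "I" / "R" / "?" marker the way tcpdump's print-isakmp.c derives it, from a table of initiator cookies and the addresses each cookie was first seen with (my reading of that code, stated here as an assumption), replayed over four constructed datagrams that follow the capture above. The cookie values, the version byte 0x10 and the notify next-payload value 11 are constructed.

```python
import struct

# ISAKMP header, RFC 2408 section 3.1 (28 bytes): initiator cookie(8),
# responder cookie(8), next payload(1), version(1), exchange type(1),
# flags(1), message id(4), length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ETYPE_NAMES = {1: "base", 2: "ident", 3: "auth", 4: "agg", 5: "inf",
               32: "quick", 33: "newgrp"}


def annotate(table, src, dst, payload):
    """tcpdump-style summary for one UDP/500 datagram.

    `table` maps initiator cookie -> (initiator address, responder address).
    The I/R/? marker is not a bit in the packet: it comes from comparing the
    source address with the addresses remembered when the cookie was first seen.
    """
    i_ck, r_ck, _np, _ver, etype, _flags, _msgid, _len = ISAKMP_HDR.unpack_from(payload)
    phase = 1 if etype < 32 else 2
    name = ETYPE_NAMES.get(etype, "etype#%d" % etype)
    known = table.get(i_ck)
    if known is None:
        if r_ck == bytes(8):   # responder cookie still zero: first message of the exchange
            table[i_ck] = (src, dst)
            role = "I"
        else:
            role = "?"
    elif src == known[0]:
        role = "I"
    elif src == known[1]:
        role = "R"
    else:
        role = "?"             # cookie known, but sent from neither remembered address
    return "isakmp: phase %d %s %s" % (phase, role, name)


def replay_capture():
    """Constructed replay of the four capture lines in the thread: the SPAN port
    shows each datagram twice, and the NAT box rewrites only the IP addresses,
    so both copies carry byte-identical ISAKMP payloads."""
    i_ck = bytes.fromhex("0123456789abcdef")   # constructed initiator cookie
    r_ck = bytes.fromhex("fedcba9876543210")   # constructed responder cookie
    first = ISAKMP_HDR.pack(i_ck, bytes(8), 1, 0x10, 2, 0, 0, 28)  # identity protection (etype 2)
    reply = ISAKMP_HDR.pack(i_ck, r_ck, 11, 0x10, 5, 0, 0, 28)     # informational / notify (etype 5)
    inside, nat, peer = "10.0.0.110", "64.14.180.239", "64.14.174.134"
    table = {}
    return [annotate(table, inside, peer, first),   # pre-NAT copy
            annotate(table, nat, peer, first),      # post-NAT copy: same bytes, new source
            annotate(table, peer, nat, reply),
            annotate(table, peer, inside, reply)]
```

Running `replay_capture()` yields the same four summaries as the capture: the post-NAT copy of the first datagram is marked "?" because its initiator cookie is already recorded against 10.0.0.110, even though the bytes after the UDP header are unchanged.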
