Linux Netfilter discussions
From: "Stephen J. McCracken" <sjmccracky@myrealbox.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: 26sec problems
Date: Wed, 06 Apr 2005 08:42:42 -0500
Message-ID: <4253E752.6050607@myrealbox.com>
In-Reply-To: <20050406120540.GC12451@nlb0>

> Quoting Petr Titera <P.Titera@century.cz>:
[snip]
>         BUT on FWA:eth1 I see packets from other direction as going from another 
>         port than I have connected:
>         
>         This is communication as I see it on FWA:eth1 port. Note change from 
>         http port to tcpmux port.
[snip]
>         09:23:52.171022 IP 192.168.1.200.tcpmux > 192.168.17.200.60424: F 0:0(0) 
>         ack 1 win 65535 <nop,nop,timestamp 10752656 3092379283>
>         
>         Any idea what is wrong?

I just worked through this same problem and posted the solution on the 
OpenSWAN mailing list.  It is a nat problem.  Here is my post from the 
OpenSWAN list:

> This is just to get this in the archives as it is solved. (It's a NAT
> problem.)
> 
> I was having trouble with ports being rewritten to port 1.  Example:
> 
> BoxA --- GwA ====== GwB --- BoxB
> 
> GwA running OpenSWAN (openswan-2.1.5-2 Fedora RPM) and GwB a Multitech
> RoutFinder 550 (MT550VPN).
> 
> I would try to ssh from BoxA to BoxB and get this:
> 
> 15:22:35.859664 IP BoxA.38537 > BoxB.22: S 51958428:51958428(0) win 5840
> <mss 1460,sackOK,timestamp 257583923 0,nop,wscale 2>
> 15:22:35.863491 IP BoxB.22 > BoxA.38537: S 3558425983:3558425983(0) ack
> 51958429 win 5792 <mss 1336,sackOK,timestamp 12106235
> 257583923,nop,wscale 2>
> 15:22:35.863555 IP BoxA.38537 > BoxB.22: . ack 1 win 1460
> <nop,nop,timestamp 257583927 12106235>
> 15:22:35.890997 IP BoxB.1 > BoxA.38537: P 3558425984:3558426007(23) ack
> 51958429 win 1448 <nop,nop,timestamp 12106262 257583927>
> 15:22:36.093361 IP BoxB.1 > BoxA.38537: P 0:23(23) ack 1 win 1448
> <nop,nop,timestamp 12106465 257583927>
> 15:22:36.499231 IP BoxB.1 > BoxA.38537: P 0:23(23) ack 1 win 1448
> <nop,nop,timestamp 12106871 257583927>
> 
> I noticed others were having similar problems:
> 
> http://lists.virus.org/users-openswan-0502/msg00239.html
> 
> And found the answer through this post:
> 
> http://lists.virus.org/users-openswan-0407/msg00002.html
> 
> That references this post:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=215980
> 
> I had to add in the following to solve the port 1 problem:
> iptables -I POSTROUTING 1 -p esp -j ACCEPT -t nat
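
Added example, not part of the original message: a small Python check for the symptom visible in both captures above, a reply whose source port differs from the port the client's SYN was sent to. The function name and the sample lines are constructed for illustration (the sample is modeled on the BoxA/BoxB capture), and the check assumes the capture includes the connection's initial SYN.

```python
import re

# Old-style tcpdump line: "<time> IP <src>.<sport> > <dst>.<dport>: <flags> ..."
# Ports may be printed as numbers or service names (e.g. "tcpmux" for port 1).
LINE = re.compile(r"^\S+ IP (\S+)\.(\w+) > (\S+)\.(\w+): (\S+)")

def find_rewritten_ports(lines):
    """Return (server, expected_port, seen_port, client, client_port) for every
    reply whose source port is not the port the client's SYN was sent to."""
    expected = {}   # (server, client, client_port) -> port the SYN targeted
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if "S" in flags and " ack " not in line:
            # Initial SYN: remember which server port this client port talks to.
            expected[(dst, src, sport)] = dport
            continue
        want = expected.get((src, dst, dport))
        if want is not None and sport != want:
            hit = (src, want, sport, dst, dport)
            if hit not in findings:      # report each rewritten flow once
                findings.append(hit)
    return findings

# Constructed sample, modeled on the BoxA/BoxB capture in the message above,
# plus one healthy flow (BoxC) that must not be reported.
SAMPLE = """\
15:22:35.859664 IP BoxA.38537 > BoxB.22: S 51958428:51958428(0) win 5840
15:22:35.863491 IP BoxB.22 > BoxA.38537: S 3558425983:3558425983(0) ack 51958429 win 5792
15:22:35.863555 IP BoxA.38537 > BoxB.22: . ack 1 win 1460
15:22:35.890997 IP BoxB.1 > BoxA.38537: P 3558425984:3558426007(23) ack 51958429 win 1448
15:22:36.093361 IP BoxB.1 > BoxA.38537: P 0:23(23) ack 1 win 1448
15:22:40.000001 IP BoxA.40000 > BoxC.80: S 100:100(0) win 5840
15:22:40.000900 IP BoxC.80 > BoxA.40000: S 900:900(0) ack 101 win 5792
""".splitlines()

if __name__ == "__main__":
    for server, want, seen, client, cport in find_rewritten_ports(SAMPLE):
        print(f"{server}: replies to {client}.{cport} come from port {seen}, "
              f"expected {want}")
```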




Thread overview: 3+ messages
2005-04-06  8:18 26sec problems Petr Titera
2005-04-06 12:05 ` Kelly Scroggins
2005-04-06 13:42   ` Stephen J. McCracken [this message]
