[Ipsec-tools-devel] NAT-T tunnel trouble on Linux

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi, on one end of my tunnel I've got a Linux box running Debian Etch
(kernel 2.6.18-4-686, ipsec-tools 0.6.6-3.1etch1, which I think is stock
0.6.6 with the security patch from 0.6.7). On the other end of the
tunnel is a D-Link DI-804HV VPN router. In between is a NAT that I have
no control over.

I think I have the tunnel set up properly; the IKE negotiations complete,
SADs are set up, etc. However, the traffic only flows in one direction. If
I ping a host on the D-Link side of the tunnel from the Linux box,
tcpdump on the Linux box sees an encrypted Echo request go out and an
encrypted Echo reply come back in. However, the ping never sees those
replies:

[ In one window ]
linux-vpn# tcpdump -ni eth0 -s0 -E "0x0baedc6d@x.x.x.x des-cbc-hmac96:0x3818bc220e95e902,0x1e000010@y.y.y.y des-cbc-hmac96:0x75f12948e4a997e2" udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:57:12.668366 IP x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x1e000010,seq=0xb9), length 116: IP 10.2.1.2 > 10.3.1.162: ICMP echo request, id 42578, seq 272, length 64 (ipip-proto-4)
17:57:12.697684 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x0baedc6d,seq=0xb9), length 116: IP 10.3.1.162 > 10.2.1.2: ICMP echo reply, id 42578, seq 272, length 64 (ipip-proto-4)
17:57:13.668493 IP x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x1e000010,seq=0xba), length 116: IP 10.2.1.2 > 10.3.1.162: ICMP echo request, id 42578, seq 273, length 64 (ipip-proto-4)
17:57:13.696683 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x0baedc6d,seq=0xba), length 116: IP 10.3.1.162 > 10.2.1.2: ICMP echo reply, id 42578, seq 273, length 64 (ipip-proto-4)
17:57:14.668588 IP x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x1e000010,seq=0xbb), length 116: IP 10.2.1.2 > 10.3.1.162: ICMP echo request, id 42578, seq 274, length 64 (ipip-proto-4)
17:57:14.695937 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x0baedc6d,seq=0xbb), length 116: IP 10.3.1.162 > 10.2.1.2: ICMP echo reply, id 42578, seq 274, length 64 (ipip-proto-4)
etc...

[ In another window at the same time ]
linux-vpn# ping 10.3.1.162
PING 10.3.1.162 (10.3.1.162) 56(84) bytes of data.

--- 10.3.1.162 ping statistics ---
27 packets transmitted, 0 received, 100% packet loss, time 26010ms

x.x.x.x is the Linux box's public IP, y.y.y.y is the D-Link's public
IP, 10.2.1.2 is the Linux box's private IP, 10.3.1.162 is a host on the
D-Link's side of the network.

Any thoughts as to what the problem might be? Or what other info I should
supply to help track this problem down?

Also, the Linux box actually has about 20 public IPs and does various NAT and
firewall functions of its own. I don't think the problem is related to
iptables rules though, since the same machine has another IPsec tunnel
to a NetBSD machine that does *not* use NAT-T, and that tunnel works fine.

Thanks :)
-- 
Name: Dave Huang         |  Mammal, mammal / their names are called /
INet: kh...@az... |  they raise a paw / the bat, the cat /
FurryMUCK: Dahan         |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 31 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++