From: <kh...@az...> - 2007-08-30 00:31:16
Hi, on one end of my tunnel I've got a Linux box running Debian Etch (kernel 2.6.18-4-686, ipsec-tools 0.6.6-3.1etch1, which I think is stock 0.6.6 with the security patch from 0.6.7). On the other end of the tunnel is a D-Link DI-804HV VPN router. In between is a NAT that I have no control over.

I think I have the tunnel set up properly; the IKE negotiations complete, SADs are set up, etc. However, the traffic only flows in one direction. If I ping a host on the D-Link side of the tunnel from the Linux box, tcpdump on the Linux box sees an encrypted Echo request go out and an encrypted Echo reply come back in. However, the ping never sees those replies:

[ In one window ]
linux-vpn# tcpdump -ni eth0 -s0 -E "0x0baedc6d@x.x.x.x des-cbc-hmac96:0x3818bc220e95e902,0x1e000010@y.y.y.y des-cbc-hmac96:0x75f12948e4a997e2" udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:57:12.668366 IP x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x1e000010,seq=0xb9), length 116: IP 10.2.1.2 > 10.3.1.162: ICMP echo request, id 42578, seq 272, length 64 (ipip-proto-4)
17:57:12.697684 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x0baedc6d,seq=0xb9), length 116: IP 10.3.1.162 > 10.2.1.2: ICMP echo reply, id 42578, seq 272, length 64 (ipip-proto-4)
17:57:13.668493 IP x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x1e000010,seq=0xba), length 116: IP 10.2.1.2 > 10.3.1.162: ICMP echo request, id 42578, seq 273, length 64 (ipip-proto-4)
17:57:13.696683 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x0baedc6d,seq=0xba), length 116: IP 10.3.1.162 > 10.2.1.2: ICMP echo reply, id 42578, seq 273, length 64 (ipip-proto-4)
17:57:14.668588 IP x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x1e000010,seq=0xbb), length 116: IP 10.2.1.2 > 10.3.1.162: ICMP echo request, id 42578, seq 274, length 64 (ipip-proto-4)
17:57:14.695937 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x0baedc6d,seq=0xbb), length 116: IP 10.3.1.162 > 10.2.1.2: ICMP echo reply, id 42578, seq 274, length 64 (ipip-proto-4)
etc...

[ In another window at the same time ]
linux-vpn# ping 10.3.1.162
PING 10.3.1.162 (10.3.1.162) 56(84) bytes of data.

--- 10.3.1.162 ping statistics ---
27 packets transmitted, 0 received, 100% packet loss, time 26010ms

x.x.x.x is the Linux box's public IP, y.y.y.y is the D-Link's public IP, 10.2.1.2 is the Linux box's private IP, 10.3.1.162 is a host on the D-Link's side of the network.

Any thoughts as to what the problem might be? Or what other info I should supply to help track this problem down?

Also, the Linux box actually has about 20 public IPs and does various NAT and firewall functions of its own. I don't think the problem is related to iptables rules though, since the same machine has another IPsec tunnel to a NetBSD machine that does *not* use NAT-T, and that tunnel works fine.

Thanks :)
-- 
Name: Dave Huang     |  Mammal, mammal / their names are called /
INet: kh...@az...    |  they raise a paw / the bat, the cat /
FurryMUCK: Dahan     |  dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 31 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
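An added diagnostic example, not code from the original post or from ipsec-tools: the script below parses a decrypting tcpdump -E capture of the form shown above and answers the three questions the one-way-tunnel symptom turns on. It checks that every inner echo request has a decrypted reply on the wire (so the peer, the NAT and the keys are not the problem), that each direction carries the SPI the -E spec declares for that outer destination (so the two SAs are oriented as assumed), and that ESP sequence numbers advance strictly per SPI (a repeat or regression is what an anti-replay window would drop). The embedded sample is the six decrypted lines from the post with its x.x.x.x / y.y.y.y placeholders; the function names and the verdict strings are this example's own.

```python
"""Correlate NAT-T ESP echo request/reply pairs from a tcpdump -E capture.

Added example (not from the original post). If every request has a
decrypted reply on the wire, the loss must be after decapsulation on the
capturing host (inbound SA/SPD match, firewall on the inner packet), not
at the peer, the NAT or the key material.
"""
import re
from dataclasses import dataclass

# Constructed sample: the decrypted lines quoted in the post, plus the two
# tcpdump banner lines, which the parser must skip.
SAMPLE_ESPEC = ("0x0baedc6d@x.x.x.x des-cbc-hmac96:0x3818bc220e95e902,"
                "0x1e000010@y.y.y.y des-cbc-hmac96:0x75f12948e4a997e2")
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:57:12.668366 IP x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x1e000010,seq=0xb9), length 116: IP 10.2.1.2 > 10.3.1.162: ICMP echo request, id 42578, seq 272, length 64 (ipip-proto-4)
17:57:12.697684 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x0baedc6d,seq=0xb9), length 116: IP 10.3.1.162 > 10.2.1.2: ICMP echo reply, id 42578, seq 272, length 64 (ipip-proto-4)
17:57:13.668493 IP x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x1e000010,seq=0xba), length 116: IP 10.2.1.2 > 10.3.1.162: ICMP echo request, id 42578, seq 273, length 64 (ipip-proto-4)
17:57:13.696683 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x0baedc6d,seq=0xba), length 116: IP 10.3.1.162 > 10.2.1.2: ICMP echo reply, id 42578, seq 273, length 64 (ipip-proto-4)
17:57:14.668588 IP x.x.x.x.4500 > y.y.y.y.4500: UDP-encap: ESP(spi=0x1e000010,seq=0xbb), length 116: IP 10.2.1.2 > 10.3.1.162: ICMP echo request, id 42578, seq 274, length 64 (ipip-proto-4)
17:57:14.695937 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x0baedc6d,seq=0xbb), length 116: IP 10.3.1.162 > 10.2.1.2: ICMP echo reply, id 42578, seq 274, length 64 (ipip-proto-4)
"""

# One decrypted UDP-encap ESP line carrying an inner ICMP echo.
LINE_RE = re.compile(
    r"^(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d\.\d+) IP (?P<osrc>\S+?)\.\d+ > (?P<odst>\S+?)\.\d+: "
    r"UDP-encap: ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\), length \d+: "
    r"IP (?P<isrc>\S+) > (?P<idst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<iseq>\d+)")


@dataclass
class EspPacket:
    ts: float          # seconds since midnight, from the tcpdump timestamp
    outer_src: str
    outer_dst: str
    spi: int
    esp_seq: int
    inner_src: str
    inner_dst: str
    kind: str          # "request" or "reply"
    icmp_id: int
    icmp_seq: int


def parse_espec(spec: str) -> dict:
    """Map outer destination -> SPI from a tcpdump -E spec ("SPI@dst algo:key,...")."""
    out = {}
    for part in spec.split(","):
        spi, dst = part.strip().split()[0].split("@", 1)   # "0x0baedc6d@x.x.x.x"
        out[dst] = int(spi, 16)
    return out


def parse_capture(text: str) -> list:
    """Return EspPacket objects for every decrypted echo line; skip everything else."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + float(m["ss"])
        pkts.append(EspPacket(ts, m["osrc"], m["odst"], int(m["spi"], 16), int(m["seq"], 16),
                              m["isrc"], m["idst"], m["kind"], int(m["id"]), int(m["iseq"])))
    return pkts


def spi_orientation_errors(pkts: list, espec: dict) -> list:
    """Packets whose SPI is not the one -E declares for their outer destination."""
    return [p for p in pkts if espec.get(p.outer_dst) != p.spi]


def replay_anomalies(pkts: list) -> list:
    """(spi, highest_seen, seq) wherever an ESP sequence number repeats or goes backwards."""
    highest, bad = {}, []
    for p in pkts:
        prev = highest.get(p.spi)
        if prev is not None and p.esp_seq <= prev:
            bad.append((p.spi, prev, p.esp_seq))
        highest[p.spi] = p.esp_seq if prev is None else max(prev, p.esp_seq)
    return bad


def correlate_echo(pkts: list) -> dict:
    """Pair echo requests with replies by (id, seq); RTT in ms for each pair found."""
    requests = {(p.icmp_id, p.icmp_seq): p for p in pkts if p.kind == "request"}
    answered, rtts = set(), []
    for p in pkts:
        key = (p.icmp_id, p.icmp_seq)
        if p.kind == "reply" and key in requests:
            answered.add(key)
            rtts.append(round((p.ts - requests[key].ts) * 1000, 3))
    return {"requests": len(requests), "answered": len(answered),
            "unanswered": sorted(k for k in requests if k not in answered), "rtt_ms": rtts}


def diagnose(capture: str, espec: str) -> str:
    """One-line verdict, checked in the order a tunnel debugger would rule things out."""
    pkts = parse_capture(capture)
    if not pkts:
        return "no decrypted ESP lines: check the -E SPI/key spec or the capture filter"
    if spi_orientation_errors(pkts, parse_espec(espec)):
        return "SPI/destination mismatch: an SA is oriented the wrong way"
    if replay_anomalies(pkts):
        return "ESP sequence repeat/regression: an anti-replay window would drop these"
    c = correlate_echo(pkts)
    if c["unanswered"]:
        return f"{len(c['unanswered'])}/{c['requests']} requests never answered on the wire: look at the peer or the path"
    return ("every request has a decrypted reply on the wire: loss is after decapsulation on this host "
            "(inbound SA/SPD match, firewall on the inner packet), not the peer, NAT or keys")


if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE, SAMPLE_ESPEC))
    print(correlate_echo(parse_capture(SAMPLE_CAPTURE)))
```

On the post's capture the verdict is the last branch: three requests, three replies with the inbound SPI 0x0baedc6d and strictly increasing sequence numbers, about 27 to 29 ms apart, so the next place to look is what the kernel does with the packet after decapsulation rather than anything on the D-Link side.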