Re: [Ipsec-tools-users] simple config problem
From: VANHULLEBUS Y. <va...@fr...> - 2008-10-23 13:44:34
On Thu, Oct 23, 2008 at 03:02:13PM +0200, ips...@do... wrote:
>
> My network is:
>
> A --- eth --- B (NAT) --- internet --- C
>
> A - 192.168.0.2
> B - 192.168.0.1 and external IP
> C - IP
>
> A and B are both desktop computers
> C is a server
>
> PROBLEM:
> when I use "B" only I can easily access "C" via the internet,
> but when I turn on "A" all packets crash: all traffic between "B" and "C",
> and "A" and "C" stops.
>
> "B" has:
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -i eth0 -A INPUT -s "C" -d "B" -p udp --dport 500 -j ACCEPT
> iptables -i eth0 -A INPUT -s "B" -d "C" -p udp --dport 500 -j ACCEPT
> iptables -i eth0 -A INPUT -s "C" -d "B" -p 50 -j ACCEPT
> iptables -i eth0 -A INPUT -s "B" -d "C" -p 50 -j ACCEPT
> iptables -i eth0 -A INPUT -s "C" -d "B" -p 51 -j ACCEPT
> iptables -i eth0 -A INPUT -s "B" -d "C" -p 51 -j ACCEPT
>
> I suppose the iptables configuration is wrong, but I have no clue.
> I've struggled with it for ages! I'll appreciate any help. Thank you.

So you only have ONE IPsec tunnel, between B and C, and traffic from A is tunneled when it reaches B?

If that's right, you may start by changing the size of packets sent from A through the tunnel. You can directly reduce the MTU on A's NIC, or change the TCP MSS on the fly on B (netfilter can do that easily).

Try again with a quite low value (let's say 1000 bytes), and if that solves your problem, increase it again until you have a good idea of the limit in your setup.

Yvan.
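The MSS clamping Yvan suggests for B, as an added example that is not part of the thread: it works out the largest TCP MSS whose ESP-encapsulated packet still fits a given link MTU, then emits the netfilter rule for B's FORWARD path. The encapsulation overhead figures (NAT-T UDP encapsulation, AES-CBC with HMAC-SHA1-96) are assumptions, not something the thread states; adjust them to the transforms racoon actually negotiates.

```shell
#!/bin/sh
# Added example (not from the original thread). Overhead values are
# assumptions for ESP tunnel mode, UDP-encapsulated (NAT-T), AES-CBC,
# HMAC-SHA1-96. Check them against the SA actually negotiated.

# esp_max_mss LINK_MTU -> largest TCP MSS whose encapsulated packet
# still fits in LINK_MTU bytes on B's external link.
esp_max_mss() {
    mtu=$1
    outer_ip=20   # outer IPv4 header added by tunnel mode
    udp=8         # NAT-T UDP encapsulation (port 4500)
    esp_hdr=8     # SPI (4) + sequence number (4)
    iv=16         # AES-CBC initialisation vector
    icv=12        # HMAC-SHA1-96 integrity check value
    trailer=2     # pad length (1) + next header (1), inside the ciphertext
    inner=40      # inner IPv4 (20) + TCP (20) headers, no options
    fixed=$((outer_ip + udp + esp_hdr + iv + icv))
    # The encrypted part (inner packet + padding + trailer) is a multiple
    # of the 16-byte AES block; take the largest such block count that fits.
    enc_max=$(( (mtu - fixed) / 16 * 16 ))
    echo $((enc_max - trailer - inner))
}

# mss_clamp_rule MSS -> the iptables command for B. Printed, not run:
# apply it as root once the value has been confirmed by testing.
# --set-mss is used rather than --clamp-mss-to-pmtu because a policy-based
# ipsec-tools setup has no tunnel interface whose MTU the kernel could use.
# Only TCP is clamped; UDP or ICMP from A still needs a lower MTU on A.
mss_clamp_rule() {
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $1"
}

# Start low, as suggested in the thread, then raise towards the computed value.
mss_clamp_rule 1000
mss_clamp_rule "$(esp_max_mss 1500)"
```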