Re: [Ipsec-tools-users] simple config problem

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Thu, Oct 23, 2008 at 03:02:13PM +0200, ips...@do... wrote:
> 
> My network is:
> 
> 
> A --- eth --- B (NAT) --- internet --- C
> 
> 
> A - 192.168.0.2
> B - 192.168.0.1 and external IP
> C - IP
> 
> A and B are both desktop computers
> C is a server
> 
> PROBLEM:
> when I use "B" only I can easily access "C" via the internet, 
> but when I turn on "A" all packets crash: all traffic between "B" and "C", 
> and "A" and "C" stops.
> 
> 
> "B" has: 
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -i eth0 -A INPUT -s "C" -d "B" -p udp --dport 500 -j ACCEPT
> iptables -i eth0 -A INPUT -s "B" -d "C" -p udp --dport 500 -j ACCEPT
> iptables -i eth0 -A INPUT -s "C" -d "B" -p 50 -j ACCEPT
> iptables -i eth0 -A INPUT -s "B" -d "C" -p 50 -j ACCEPT
> iptables -i eth0 -A INPUT -s "C" -d "B" -p 51 -j ACCEPT
> iptables -i eth0 -A INPUT -s "B" -d "C" -p 51 -j ACCEPT
> 
> 
> 
> I suppose it'd be iptables configuration is wrong but I have no clue.
> 
> I struggle with it for ages! I'll appreciate any help. Thank you.

So you only have ONE IPsec tunnel, between B and C, and traffic from A
is tunneled when it reaches B ?

If that's right, you may start by changing the size of packets sent
from A through the tunnel.
You can directly reduce MTU on A's NIC, or change tcpmss on the fly on
B (netfilter can do that easilly).

Try again with a quite low value (let's say 1000 bytes), and if that
solves your problem, increases it again until you have a good idea of
the limit in your setup.

Yvan.