From: andy <at...@we...> - 2012-12-18 08:09:39
Hi all!
I'm afraid I'm a little stupid. Even 5 days with Google did not help.
Configuration:
Office: Centos 5.6 / ipsec-tools-0.7.3-4.el5
eth0 inet Adresse:xxx.xxx.xxx.104
eth0:0 inet Adresse:172.22.1.1 Bcast:172.22.1.255 Maske:255.255.255.0
virbr1 inet Adresse:172.22.3.1 Bcast:172.22.3.255 Maske:255.255.255.0
spdadd 172.22.3.0/24 192.168.1.0/24 any -P out ipsec
esp/tunnel/xxx.xxx.xxx.234-yyy.yyy.yyy.104/require;
spdadd 192.168.1.0/24 172.22.3.0/24 any -P in ipsec
esp/tunnel/yyy.yyy.yyy.104-xxx.xxx.xxx.80/require;
spdadd 172.22.3.0/24 192.168.1.0/24 any -P fwd ipsec
esp/tunnel/yyy.yyy.yyy.104-xxx.xxx.xxx.80/require;
iptables -A INPUT -s 192.168.0/24 -d 172.22.3.0/24 -j ACCEPT
iptables -A INPUT -d 192.168.0/24 -S 172.22.3.0/24 -j ACCEPT
iptables -A INPUT -j LOG --log-level 4
iptables -A FORWARD -s 192.168.0/24 -d 172.22.3.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.0/24 -S 172.22.3.0/24 -j ACCEPT
iptables -A FORWARD -j LOG --log-level 4
iptables -A OUTPUT -j LOG --log-level 4
Kernel IP Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
172.22.4.11 * 255.255.255.255 UH 0 0 0 ppp0
xxx.xxx.xxx.1 * 255.255.255.255 UH 0 0 0 eth0
172.22.4.0 * 255.255.255.0 U 0 0 0 tap0
172.22.3.0 * 255.255.255.0 U 0 0 0 virbr1
192.168.2.0 172.22.1.1 255.255.255.0 UG 0 0 0 eth0
172.22.2.0 * 255.255.255.0 U 0 0 0 virbr0
172.22.1.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default xxx.xxx.xxx.1 0.0.0.0 UG 0 0 0 eth0
The problem:
Home net 192.168.2.0/24 ---> AVM FritzBox --> Internet --> Office --> 172.22.3.0/24
Tunnel established --> OK
Packets from 192.168.2.20 to 172.22.3.22:ssh --> OK
Packets from 172.22.3.22 to 192.168.2.20 ---> FAIL
I can see all packets (sent and reply) at virbr1 (tcpdump).
I can't see any reply packet at eth0:0 (tcpdump).
No packets are logged via the iptables LOG target.
It seems that the packets are going into the kernel and never get out of it.
BTW: I tried the TRACE target, but unfortunately there is no kernel
module available.
Any help would be appreciated.
Regards
Andy
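The first thing to check when one direction of an IPsec tunnel works and the other does not is which SPD entry, if any, the reply packet actually selects. The following is an added example (not part of Andy's post and not ipsec-tools code): a small Python checker that parses `spdadd` lines as posted, matches a packet against them by direction and src/dst selector, and verifies that the `in`/`fwd` tunnel endpoints mirror the `out` entry. The SPD text embedded below is copied from the post (addresses already anonymised there, so they are kept as strings); the policy selection is a simplification of the kernel's XFRM lookup (first covering entry, no priority handling) and is labelled as such in the code. Run against the posted lines, it reports that the reply packet 172.22.3.22 -> 192.168.2.20 selects no `out` entry, because the posted selectors use 192.168.1.0/24 while the described home net is 192.168.2.0/24, and that the `in`/`fwd` tunnel endpoints do not mirror the `out` endpoints; whether those are transcription slips or the live configuration is what `setkey -DP` on the office box would confirm.

```python
"""Added example: consistency check for a setkey SPD (not from the post).

Simplifications, labelled: policy selection returns the first entry whose
selectors cover the packet in the given direction; the real kernel lookup
also weighs policy priority. Addresses below are the post's own anonymised
strings (xxx/yyy), so tunnel endpoints are compared as plain text.
"""
import ipaddress
import re
from dataclasses import dataclass

# SPD lines exactly as posted (wrapped across two lines per entry).
SPD_TEXT = """\
spdadd 172.22.3.0/24 192.168.1.0/24 any -P out ipsec
esp/tunnel/xxx.xxx.xxx.234-yyy.yyy.yyy.104/require;
spdadd 192.168.1.0/24 172.22.3.0/24 any -P in ipsec
esp/tunnel/yyy.yyy.yyy.104-xxx.xxx.xxx.80/require;
spdadd 172.22.3.0/24 192.168.1.0/24 any -P fwd ipsec
esp/tunnel/yyy.yyy.yyy.104-xxx.xxx.xxx.80/require;
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str      # in | out | fwd
    tunnel_src: str     # outer (ESP) source address
    tunnel_dst: str     # outer (ESP) destination address


# One spdadd entry: selectors, upper-layer proto, -P <dir> ipsec esp/tunnel/src-dst/level;
POLICY_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out|fwd)\s+ipsec\s+"
    r"esp/tunnel/([^-\s]+)-([^/\s]+)/\w+;")


def parse_spd(text: str) -> list:
    """Join wrapped lines, then extract every spdadd entry in order."""
    flat = " ".join(line.strip() for line in text.splitlines())
    return [Policy(ipaddress.ip_network(s), ipaddress.ip_network(d), dirn, ts, td)
            for s, d, dirn, ts, td in POLICY_RE.findall(flat)]


def select_policy(policies: list, src: str, dst: str, direction: str):
    """First entry whose direction and selectors cover the packet, else None.
    (Simplification: real XFRM lookup also orders by priority.)"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None


def endpoint_mismatches(policies: list) -> list:
    """Each in/fwd entry should mirror an out entry: reversed selectors and
    reversed tunnel endpoints (remote->local vs local->remote). Return a
    human-readable line for every entry that does not."""
    outs = [p for p in policies if p.direction == "out"]
    problems = []
    for p in policies:
        if p.direction not in ("in", "fwd"):
            continue
        mates = [o for o in outs if o.src == p.dst and o.dst == p.src]
        label = f"{p.direction} {p.src}->{p.dst}"
        if not mates:
            problems.append(f"{label}: no out entry with mirrored selectors")
            continue
        for o in mates:
            expected = (o.tunnel_dst, o.tunnel_src)
            if (p.tunnel_src, p.tunnel_dst) != expected:
                problems.append(
                    f"{label}: tunnel {p.tunnel_src}-{p.tunnel_dst}, "
                    f"expected {expected[0]}-{expected[1]} (mirror of out)")
    return problems


def report(spd_text: str, reply_src: str, reply_dst: str) -> dict:
    """Summarise what the SPD does with the reply packet the post describes."""
    policies = parse_spd(spd_text)
    chosen = select_policy(policies, reply_src, reply_dst, "out")
    return {
        "entries": len(policies),
        "reply_out_policy": None if chosen is None else f"{chosen.src}->{chosen.dst}",
        "endpoint_problems": endpoint_mismatches(policies),
    }


if __name__ == "__main__":
    # The failing reply from the post: 172.22.3.22 -> 192.168.2.20
    for key, value in report(SPD_TEXT, "172.22.3.22", "192.168.2.20").items():
        print(f"{key}: {value}")
```

The same functions can be pointed at the live `setkey -DP` output on the office host (paste it into `SPD_TEXT`); if the reply packet still selects no `out` entry there, the problem is the SPD selectors, and if it does, the next place to look is the route the packet takes after encapsulation.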