Debugging IPsec over double NAT, I'm observing a strange situation.
1. ISAKMP and IPsec SAs get established (between two hosts, Transport
mode, protocol ANY).
2. ICMP and UDP traffic flows OK, both directions.
3. TCP connection cannot proceed beyond the first SYN.
I must say that when there's no NAT involved, all the traffic flows OK,
TCP and UDP.
Details. Hosts are Linux FC3 with 2.6.12 kernel, and Windows XP SP2
(configured to allow double NAT). Racoon 0.6, 0.6rc1, HEAD (doesn't
matter - same behavior).
When the Windows machine tries to TCP-connect (SSH or HTTP) to my Linux box,
Linux IPsec receives the UDP-encapsulated ESP packet on port 4500 and
decapsulates it. However, this decapsulated packet (TCP SYN) gets
corrupted (?) and doesn't go anywhere - I only observe the TCP Bad Segments
counter increasing as TCP packets are attempting to come in:
Tcp:
18839 active connections openings
15040 passive connection openings
0 failed connection attempts
10851 connection resets received
0 connections established
1308364 segments received
1306988 segments send out
24141 segments retransmited
142 bad segments received. <------------------ increases with each attempt
7421 resets sent
When Linux tries to establish a TCP connection with the Windows box, the TCP
SYN goes out OK, the Windows box sends a response, and now Linux chews this
response (so the socket on Linux stays in SYN_SENT state). I thought it
could be my firewall (iptables) settings, and tried many things including
setting everything to ACCEPT. No difference.
I'm out of clues whatsoever. UDP traffic is OK... How do I debug it? I'll
be grateful for any help!
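The symptom pattern in the post (transport mode, NAT-T on UDP port 4500, UDP passes, the TCP SYN is counted as a bad segment) is the one RFC 3948 section 3.1.2 describes for transport-mode NAT traversal: the sender computes the inner TCP checksum over the original addresses, the NAT can only rewrite the outer IP/UDP header, so after decapsulation the receiver holds a TCP segment whose pseudo-header checksum no longer matches the addresses it sees, and the decapsulating host has to fix up (or deliberately skip) that checksum. The following is an added example, not code from the original post or from racoon; it simulates that sequence in pure Python with constructed addresses (192.168.1.10 -> 192.168.2.20 before NAT, seen as 203.0.113.10 -> 198.51.100.20 after both NATs; these addresses and the port numbers are assumptions) and shows the TCP checksum failing without the RFC 3948 fixup and passing with it. Whether this is the actual cause in the poster's setup is not established by the post itself.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data. Returns 0 when data already
    carries a correct checksum field, which is how we verify below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header (src, dst, proto, length).
    The pseudo-header is exactly what a NAT address rewrite invalidates."""
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_tcp_syn(src_ip: str, dst_ip: str, sport: int, dport: int,
                  seq: int = 0x12345678) -> bytes:
    """Constructed IPv4 + TCP SYN with valid IP and TCP checksums for src_ip/dst_ip,
    i.e. what the sending host encrypts inside ESP in transport mode."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # sport, dport, seq, ack, data offset 5 words, flags SYN, window, csum 0, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def ip_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return ones_complement_sum(pkt[:ihl]) == 0


def tcp_checksum_ok(pkt: bytes) -> bool:
    """What the receiving TCP stack checks; a failure here is what a
    'bad segments received' style counter records."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return tcp_checksum(pkt[12:16], pkt[16:20], pkt[ihl:total_len]) == 0


def after_nat_and_decap(pkt: bytes, seen_src: str, seen_dst: str,
                        rfc3948_fixup: bool) -> bytes:
    """Model of what the decapsulating host ends up with in transport-mode NAT-T:
    the addresses are the post-NAT ones (the only ones the receiver knows), the
    IP checksum is regenerated, but the TCP checksum inside ESP was never touched
    by the NAT. With rfc3948_fixup the receiver recomputes it as RFC 3948 requires."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[12:16] = socket.inet_aton(seen_src)
    ip[16:20] = socket.inet_aton(seen_dst)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
    if rfc3948_fixup:
        tcp[16:18] = b"\x00\x00"
        tcp[16:18] = struct.pack("!H", tcp_checksum(bytes(ip[12:16]), bytes(ip[16:20]), bytes(tcp)))
    return bytes(ip + tcp)


# Constructed scenario: private addresses on each side, a public pair seen after two NATs.
ORIGINAL = build_tcp_syn("192.168.1.10", "192.168.2.20", 40000, 22)
SEEN_SRC, SEEN_DST = "203.0.113.10", "198.51.100.20"


def syn_accepted(rfc3948_fixup: bool) -> bool:
    """True when the decapsulated SYN would pass the receiver's TCP checksum check."""
    pkt = after_nat_and_decap(ORIGINAL, SEEN_SRC, SEEN_DST, rfc3948_fixup)
    return ip_checksum_ok(pkt) and tcp_checksum_ok(pkt)


if __name__ == "__main__":
    print("sender's own SYN valid:      ", tcp_checksum_ok(ORIGINAL))
    print("after double NAT, no fixup:  ", syn_accepted(False))
    print("after double NAT, RFC 3948 fixup:", syn_accepted(True))
```

The IP header checksum is fine in both cases, which is why nothing upstream of TCP complains; only the transport checksum, protected inside ESP and therefore untouched by the NATs, breaks. One reason consistent with UDP still flowing is that the IPv4 UDP checksum is optional (a zero field means "not computed"), so UDP datagrams sent without one are not subject to this mismatch at all, while every TCP segment is. On the receiving host, comparing a decapsulated segment's checksum against its post-NAT addresses the way this script does is a quick way to confirm or rule out this explanation before digging further into the firewall.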