Felix,

> we have an ftp connection which passes through two routers which have an
> IPSEC tunnel in between. Both routers have nat and conntrack modules
> compiled into the kernel but there are no rules at all.

You mean there are also no filter rules? Good. That excludes much.

> [a simple ftp connection which goes through the IPSEC tunnel.]
> 
> Now, the connection is established successfully but "ls" ftp command
> fails. We are using newnat on a 2.4.18 kernel. With old nat on 2.4.18
> kernel this problem did not occur, but I am not sure if it is a newnat
> bug or an IPSEC bug.

Great! Can you alternately try with oldnat and newnat? If you use tcpdump
or ethereal during such tests, you may be able to discern whether the
incoming or outgoing path is dropping first. Use oldnat as a baseline
"what should happen" packet dump, and compare a newnat trace to that
to see where it starts differing. You can do this on both routers
and/or external vs. internal router interface to provide further info.

Could you possibly try newnat without ipsec, e.g. with a crossover cable
between the routers?

> We were just willing to see if someone else encountered this problem and
> knows more about it.

I haven't, personally; just trying to ask hopefully pertinent questions.
Hope they are a bit helpful.

good luck
  Patrick
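The comparison Patrick suggests (an oldnat capture as the "what should happen" baseline, a newnat capture as the candidate, and a look for the first packet where they differ) can be automated once the two tcpdump outputs are saved to text. The script below is an added example written for this thread, not something Felix or Patrick posted. It assumes a simplified tcpdump-style summary line format ("<time> <src>.<sport> > <dst>.<dport>: <flags> ...") and uses constructed sample traces; the two hosts, the ephemeral ports and the packet contents are invented. Ports are classified as ftp-control (21), ftp-data (20) or ephemeral so that differing client ports between two runs do not count as a divergence, and the timestamps, sequence numbers and window sizes are ignored for the same reason.

```python
import re
from typing import List, Optional, Tuple

# Constructed, simplified tcpdump-style TCP summary line:
# "<time> [IP ]<srcip>.<sport> > <dstip>.<dport>: <flags> ..."
LINE_RE = re.compile(
    r"^\S+\s+(?:IP\s+)?(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)"
)

# A packet is reduced to this shape before comparison; ports are classified
# so that per-run ephemeral ports do not show up as false differences.
Key = Tuple[str, str, str, str, str]


def port_class(port: int) -> str:
    """Map a TCP port to the role it plays in an FTP session."""
    if port == 21:
        return "ftp-ctl"
    if port == 20:
        return "ftp-data"  # server side of an active-mode data connection
    return "eph"


def normalize(line: str) -> Optional[Key]:
    """Parse one summary line into a comparison key; None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (
        m["src"], port_class(int(m["sport"])),
        m["dst"], port_class(int(m["dport"])),
        m["flags"],
    )


def parse_trace(text: str) -> List[Key]:
    """Turn a whole capture (as text) into an ordered list of keys."""
    return [k for k in (normalize(l) for l in text.splitlines()) if k is not None]


def first_divergence(baseline: List[Key], candidate: List[Key]
                     ) -> Optional[Tuple[int, Optional[Key], Optional[Key]]]:
    """Return (index, expected, got) for the first packet that differs,
    or None when the candidate trace matches the baseline packet for packet.
    'got' is None when the candidate simply stops short."""
    for i, (b, c) in enumerate(zip(baseline, candidate)):
        if b != c:
            return i, b, c
    if len(baseline) != len(candidate):
        i = min(len(baseline), len(candidate))
        expected = baseline[i] if i < len(baseline) else None
        got = candidate[i] if i < len(candidate) else None
        return i, expected, got
    return None


def describe(divergence) -> str:
    """Human-readable one-liner for the result of first_divergence()."""
    if divergence is None:
        return "traces agree"
    i, expected, got = divergence
    return f"first difference at packet {i}: expected {expected}, got {got}"


# Constructed sample captures. The baseline shows an active-mode "ls":
# client sends PORT on the control channel, server acknowledges, then the
# server opens the data connection from port 20. In the failing capture the
# data-connection SYN never appears on this interface.
BASELINE_OLDNAT = """\
12:00:01.000000 10.0.1.5.40001 > 10.0.2.7.21: P 1:7(6) ack 1 win 5840
12:00:01.010000 10.0.2.7.21 > 10.0.1.5.40001: P 1:31(30) ack 7 win 5840
12:00:01.020000 10.0.2.7.20 > 10.0.1.5.40002: S 100:100(0) win 5840
12:00:01.030000 10.0.1.5.40002 > 10.0.2.7.20: S 200:200(0) ack 101 win 5840
"""

FAILING_NEWNAT = """\
12:05:01.000000 10.0.1.5.40010 > 10.0.2.7.21: P 1:7(6) ack 1 win 5840
12:05:01.010000 10.0.2.7.21 > 10.0.1.5.40010: P 1:31(30) ack 7 win 5840
"""

if __name__ == "__main__":
    # Usage: capture both runs with tcpdump on the same interface, save the
    # text output, and feed baseline and candidate to first_divergence().
    result = first_divergence(parse_trace(BASELINE_OLDNAT), parse_trace(FAILING_NEWNAT))
    print(describe(result))
```

Running it on one interface of each router, inner and outer, tells you on which hop the data-connection SYN (the packet the conntrack FTP helper has to expect) last appears, which is the information Patrick is after.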
