I have an internet gateway with Red Hat 7.0 and a 2.4.3 kernel. A couple
of the networks behind the gateway/firewall have FreeS/WAN 1.8 and 1.9.
There are multiple addresses aliased to eth1, one for each network.

For one of these networks I can't get protocol 50 NAT'd. The key exchange
works fine on UDP port 500, but ESP is having problems. I have another
network with the same configuration working OK. For some reason this one
is giving me grief.

My iptables rules are:

iptables -t nat -A PREROUTING -i eth1 -d 203.23.191.99 -j DNAT --to 192.168.90.194
iptables -t nat -A POSTROUTING -s 192.168.90.194 -j SNAT --to-source 203.23.191.99

(I have tried rules specifying protocols and ports. This one seems as
though it should be generic enough to work.)

Here are some tcpdumps:

20:24:23.038533 eth2 < 192.168.90.194.500 > 203.22.142.26.500: isakmp v4.0
         from:8bbea1bd to: 5048f302 msgid:86e8b3d4 length 135274497 new
version (DF)
20:24:23.038598 eth1 > 203.23.191.99.500 > 203.22.142.26.500: isakmp v4.0
         from:8bbea1bd to: 5048f302 msgid:86e8b3d4 length 135274497 new
version (DF)
         from:8bbea1bd to: 5048f302 msgid:86e8b3d4 length 135274497 new
version
20:24:28.091812 eth2 > 203.22.142.26.500 > 192.168.90.194.500: isakmp v4.0
         from:8bbea1bd to: 5048f302 msgid:86e8b3d4 length 135274497 new
version

20:29:34.900867 eth2 < 192.168.90.194 > 203.22.142.26: ip-proto-50 76
20:29:34.900920 eth1 > 192.168.90.194 > 203.22.142.26: ip-proto-50 76
20:29:35.447398 eth2 < 192.168.90.194 > 203.22.142.26: ip-proto-50 76
20:29:35.447445 eth1 > 192.168.90.194 > 203.22.142.26: ip-proto-50 76


Traffic coming in is OK, but all protocol 50 traffic going out doesn't get
NAT'd.

At http://lannet2.lanrex.net.au/Drawing1.png you can see how the network
is structured.

Anyone come across this before?


TIA,
Des.
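The symptom in the post (IKE on UDP 500 leaves eth1 with the SNAT'd public source, while ESP leaves eth1 still carrying the private 192.168.90.194 source) can be checked mechanically from a tcpdump text capture rather than by eye. The script below is an added example, not code from the post or from FreeS/WAN; it assumes the old tcpdump 1.x line layout shown above (`<timestamp> <iface> <dir> <src> > <dst>: <proto> ...`, where `<` is a packet received on the interface and `>` a packet sent), assumes eth1 is the external interface, and uses the post's own capture lines as constructed sample input. It flags every packet sent on the external interface whose source address is still RFC 1918 private, which is exactly the un-NAT'd ESP traffic the poster is seeing.

```python
"""Flag outbound packets on the external interface whose source is still a
private address, i.e. packets that left without being SNAT'd.

Added example; assumes the tcpdump 1.x text format and that eth1 is the
external interface. The SAMPLE lines are copied from the mailing-list post.
"""
import re
from ipaddress import ip_address

# Old tcpdump layout: "<ts> <iface> <dir> <src> > <dst>: <proto> ..."
# Continuation lines (ISAKMP "from:... to:..." details) have no header and
# are deliberately left unmatched.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>[<>])\s+'
    r'(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):\s+(?P<proto>\S+)'
)

# Constructed sample input: the capture lines quoted in the post.
SAMPLE = """
20:24:23.038533 eth2 < 192.168.90.194.500 > 203.22.142.26.500: isakmp v4.0
         from:8bbea1bd to: 5048f302 msgid:86e8b3d4 length 135274497 new
version (DF)
20:24:23.038598 eth1 > 203.23.191.99.500 > 203.22.142.26.500: isakmp v4.0
         from:8bbea1bd to: 5048f302 msgid:86e8b3d4 length 135274497 new
version (DF)
20:24:28.091812 eth2 > 203.22.142.26.500 > 192.168.90.194.500: isakmp v4.0
         from:8bbea1bd to: 5048f302 msgid:86e8b3d4 length 135274497 new
version
20:29:34.900867 eth2 < 192.168.90.194 > 203.22.142.26: ip-proto-50 76
20:29:34.900920 eth1 > 192.168.90.194 > 203.22.142.26: ip-proto-50 76
20:29:35.447398 eth2 < 192.168.90.194 > 203.22.142.26: ip-proto-50 76
20:29:35.447445 eth1 > 192.168.90.194 > 203.22.142.26: ip-proto-50 76
""".strip().splitlines()


def split_host(token):
    """Split 'a.b.c.d' or 'a.b.c.d.port' into (ip, port_or_None).

    tcpdump appends the port as a fifth dotted component for UDP/TCP;
    protocol-50 (ESP) lines carry a bare address.
    """
    parts = token.split('.')
    if len(parts) == 5:
        return '.'.join(parts[:4]), int(parts[4])
    return token, None


def parse_line(line):
    """Return a packet dict for a header line, or None for continuation text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_host(m.group('src'))
    dst_ip, dst_port = split_host(m.group('dst'))
    return {
        'ts': m.group('ts'),
        'iface': m.group('iface'),
        'outbound': m.group('dir') == '>',
        'src': src_ip, 'src_port': src_port,
        'dst': dst_ip, 'dst_port': dst_port,
        'proto': m.group('proto'),
    }


def find_unnatted_egress(lines, external_iface='eth1'):
    """Packets sent on external_iface that still carry a private source.

    Any such packet was not rewritten by the POSTROUTING SNAT rule; on the
    post's capture this returns exactly the two ESP (ip-proto-50) packets.
    """
    flagged = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt['iface'] != external_iface or not pkt['outbound']:
            continue
        if ip_address(pkt['src']).is_private:
            flagged.append(pkt)
    return flagged


def summarise(lines, external_iface='eth1'):
    """Map protocol name -> count of un-NAT'd egress packets, for a quick view."""
    counts = {}
    for pkt in find_unnatted_egress(lines, external_iface):
        counts[pkt['proto']] = counts.get(pkt['proto'], 0) + 1
    return counts


if __name__ == '__main__':
    for pkt in find_unnatted_egress(SAMPLE):
        print(f"{pkt['ts']} {pkt['iface']} {pkt['proto']}: "
              f"{pkt['src']} -> {pkt['dst']} left with private source")
    print(summarise(SAMPLE))
```

Run against the post's capture it reports the two `ip-proto-50` packets on eth1 and nothing for the ISAKMP packet, which is the expected split: UDP 500 is being rewritten, ESP is not. The same function can be pointed at a longer capture to confirm a fix (the list should come back empty) or to spot other protocols that a NAT rule is silently missing.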


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
