[Fwd: Openswan, iptables (fiaif) and 2.6.16 kernel problem]
Laurent CARON
Tue Apr 18 20:55:16 CEST 2006
-------- Original Message --------
Subject: Openswan, iptables (fiaif) and 2.6.16 kernel problem
Date: Mon, 17 Apr 2006 19:18:22 +0200
From: Laurent CARON <lcaron at gw.unix-scripts.info>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Package: fiaif
Version: 1.20.1-2
Severity: important
Hi,
I'm running an openswan gateway for quite a long time now.
I have used 2.4.X and 2.6.X kernels without any problem until I decided
to upgrade to the 2.6.16 kernel.
Summary of problem:
Under 2.6.15 everything is fine.
Under 2.6.16 my tunnels establish well, but I can't even ping a single
computer located on the other end of the tunnel when the firewall is up.
Disabling the firewall solves the problem (but is not an option for me).
$ cat ip_conntrack | grep 192.168.10
icmp 1 8 src=192.168.0.192 dst=192.168.10.1 type=8 code=0 id=793 packets=4 bytes=116 [UNREPLIED] src=192.168.10.1 dst=XXX.XXX.XXX.XXX type=0 code=0 id=793 packets=0 bytes=0 mark=0 use=1
192.168.0.0/24 is my lan subnet (natted so that lan computers can access
the internet through the public ip address)
192.168.0.192 is a workstation on my lan
192.168.10.0/24 is the other subnet
XXX.XXX.XXX.XXX is my public ip address
If I disable the NAT of 192.168.0.0/24, I can ping the other end.
Re-enabling the NAT however disables the ability to ping the other end.
It seems iptables is trying to NAT packets the wrong way :$, or that I
missed a major change in 2.6.16.
*******************************************
Here is the answer from the kernel team:
No, it isn't a normal behaviour.
Patrick McHardy's ipsec patches were integrated in 2.6.16 and now
netfilter properly sees both esp & clear packets. This is a
drawback of your firewall/snat rules.
Adding it to fiaif.conf solves the problem (post start script):
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT
-- Package-specific info:
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-a7n-v3
Locale: LANG=fr_FR at euro, LC_CTYPE=fr_FR at euro (charmap=ISO-8859-15)
Versions of packages fiaif depends on:
hi bash 3.0-15 The GNU Bourne Again SHell
hi coreutils 5.2.1-2.1 The GNU core utilities
ii cron 3.0pl1-94 management of regular background p
ii debconf [debconf-2.0] 1.4.72 Debian configuration management sy
ii debianutils 2.15.5 Miscellaneous utilities specific t
ii dnsutils 1:9.3.2-2 Clients provided with BIND
ii grep 2.5.1.ds2-4 GNU grep, egrep and fgrep
ii iptables 1.3.3-2 Linux kernel 2.4+ iptables adminis
ii logtail 1.2.43a Print log file lines that have not
ii net-tools 1.60-17 The NET-3 networking toolkit
ii sed 4.1.4-7 The GNU sed stream editor
hi wget 1.10.1-1 retrieves files from the web
fiaif recommends no packages.
-- debconf information:
fiaif/cron_logfile:
* fiaif/warning:
* fiaif/enable_cron: false
* fiaif/enable_initd: true
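Added example, not code from the bug report or from fiaif: the nat POSTROUTING ordering the kernel team's answer implies (the IPsec exemption must sit ahead of the SNAT/MASQUERADE rule, since 2.6.16 netfilter now sees the cleartext packets before encapsulation), plus a check that reads an iptables-save style dump and reports whether the exemption is in place. The subnets are the report's; the MASQUERADE rule, the eth0 interface name and the sample dumps are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or fiaif. Subnets are the ones in the
# report; MASQUERADE, the interface name and the dumps are assumed/constructed.
LAN=192.168.0.0/24
REMOTE=192.168.10.0/24
WAN_IF=eth0   # assumed public interface

# Emit a nat table in which the IPsec exemption precedes the masquerade rule.
# Netfilter stops at the first matching nat rule, so the ACCEPT must come first;
# with masquerade alone, LAN->tunnel traffic is rewritten to the public address
# and the reply never matches the original flow (the [UNREPLIED] entry above).
nat_rules() {
    printf '%s\n' \
        '*nat' \
        ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s $LAN -d $REMOTE -j ACCEPT" \
        "-A POSTROUTING -s $LAN -o $WAN_IF -j MASQUERADE" \
        'COMMIT'
}

# Read an iptables-save style dump on stdin. Exit 0 only if an ACCEPT for
# LAN->REMOTE appears in POSTROUTING before any SNAT/MASQUERADE rule that
# also matches the LAN; exit 1 otherwise (the configuration in the report).
check_order() {
    awk -v lan="$LAN" -v remote="$REMOTE" '
        /^-A POSTROUTING/ && index($0, "-s " lan) {
            if (index($0, "-d " remote) && index($0, "-j ACCEPT")) exempt = 1
            else if (!exempt && $0 ~ /-j (SNAT|MASQUERADE)/) bad = 1
        }
        END { if (exempt && !bad) exit 0; exit 1 }'
}

# Constructed dump of the failing setup: masquerade only, no exemption.
BROKEN_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Constructed dump with the exemption appended AFTER masquerade (-A instead
# of -I): it is never reached, so the check must still fail.
LATE_DUMP='*nat
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT
COMMIT'

# Print the corrected table once it has passed the ordering check.
nat_rules | check_order && nat_rules
```

Whether the table is loaded with iptables-restore or the exemption is inserted with -I as in the report, the only thing that matters is that the ACCEPT precedes the SNAT/MASQUERADE rule.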