[Bug 234016] New: ping across NAT IPSec not possible from IPSec machine until timeout occurs
https://bugzilla.novell.com/show_bug.cgi?id=234016

           Summary: ping across NAT IPSec not possible from IPSec machine until timeout occurs
           Product: openSUSE 10.2
           Version: RC 5
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Kernel
        AssignedTo: kernel-maintainers@forge.provo.novell.com
        ReportedBy: eich@novell.com
         QAContact: qa@suse.de

Setup:

machine1:
 * IPSec tunnel with NAT traversal from 10.204.0.41/32 to the 10.0.0.0/8 network.
 * Local IP: 192.168.178/24,
 * IP forwarding enabled,
 * route contains:
     192.168.178.0/24 dev eth0  proto kernel  scope link  src 192.168.178.22
     10.0.0.0/8 dev eth0  scope link  src 10.204.0.41
     127.0.0.0/8 dev lo  scope link
     default via 192.168.178.1 dev eth0
 * NAT on machine1:
     -A POSTROUTING -d 10.0.0.0/255.0.0.0 -j SNAT --to-source 10.204.0.41

machine2:
 * Local IP: 192.168.178.24/24,
 * route contains:
     10.0.0.0/8 via 192.168.178.22 dev eth0

ping to 10.10.0.79 from machine2 works;
subsequent ping to 10.10.0.79 from machine1 doesn't work until the timeout has expired (~ >30min).

tcpdump on machine1 shows:

13:40:16.784443 IP 195.135.221.4.4500 > 192.168.178.22.4500: UDP-encap: ESP(spi=0xfa44d05f,seq=0x75), length 132
13:40:16.784443 IP 10.10.0.90 > 10.204.0.41: ICMP echo reply, id 21347, seq 73, length 64
13:40:16.784569 IP 10.10.0.90 > machine2: ICMP echo reply, id 21347, seq 73, length 64

Which seems to indicate that the connection tracker has stored machine2 as the destination address for ICMP replies.

The other way around works:
ping to 10.10.0.90 from machine1 works,
subsequent ping to 10.10.0.90 from machine1 works,
subsequent ping to 10.10.0.90 from machine1 still works,
even simultaneous pings work.

Thus pings only work from the IPsec/NAT machine when done from this machine first.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=234016

gregkh@novell.com changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
        AssignedTo|kernel-maintainers@forge.provo.novell.com |perex@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=234016

------- Comment #1 from eich@novell.com 2007-03-21 03:38 MST -------
Any progress on this?

I've got another problem that seems to be related to this one but is a lot more annoying. I cannot register my SIP account until the timeout has expired if the connection information is bogus:

udp      17 3599 src=192.168.168.1 dst=10.10.1.72 sport=5060 dport=5060 packets=57 bytes=39534 [UNREPLIED] src=10.10.1.72 dst=192.168.168.1 sport=5060 dport=5060 packets=0 bytes=0 mark=0 secmark=0 use=4

A timeout of 3600 seconds for an unreplied connection seems *insanely* long. I would be fine if I knew how to manually nuke entries from the conntrack table.

If you think this one is unrelated, let me know; I can file another ticket.
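The conntrack behaviour described in the report and in comment #1, worked through as an added example (my code, not the kernel's, netfilter's, or anything attached to this bug): it parses the /proc/net/ip_conntrack text format of the entry quoted in comment #1, flags [UNREPLIED] entries that will sit in the table for a long time, models the reply-direction tuple lookup that would hand an echo reply for id 21347 back to machine2, and builds the conntrack(8) delete command from conntrack-tools (`conntrack -D ...`) for an entry. The ICMP line in the sample table is constructed from the tcpdump in the report, its packet counters are invented, and the 300 s staleness threshold is an arbitrary choice.

```python
"""Parse conntrack table entries, flag stale [UNREPLIED] flows, model the
reply-tuple lookup behind the misdirected echo reply, and build the
conntrack(8) delete command. Added example for bug 234016; not kernel,
netfilter or Bugzilla code."""
import re
from dataclasses import dataclass

KV = re.compile(r"(\w+)=(\S+)")
META_KEYS = {"mark", "secmark", "use", "zone"}   # per-entry fields, not tuple fields

# Constructed sample table. Line 1 is the UDP entry quoted in comment #1,
# re-joined onto one line; line 2 is a constructed ICMP entry modelled on the
# tcpdump in the report (machine2 192.168.178.24 pinging 10.10.0.79 through
# machine1's SNAT to 10.204.0.41, echo id 21347). Counters are invented.
SAMPLE_TABLE = """\
udp      17 3599 src=192.168.168.1 dst=10.10.1.72 sport=5060 dport=5060 packets=57 bytes=39534 [UNREPLIED] src=10.10.1.72 dst=192.168.168.1 sport=5060 dport=5060 packets=0 bytes=0 mark=0 secmark=0 use=4
icmp     1 29 src=192.168.178.24 dst=10.10.0.79 type=8 code=0 id=21347 packets=73 bytes=6132 src=10.10.0.79 dst=10.204.0.41 type=0 code=0 id=21347 packets=73 bytes=6132 mark=0 secmark=0 use=1
"""


@dataclass
class Entry:
    proto: str
    timeout: int      # seconds left before the entry expires
    orig: dict        # original-direction tuple (addresses, ports or icmp id, counters)
    reply: dict       # reply-direction tuple, i.e. what the reply looks like after NAT
    unreplied: bool
    assured: bool


def parse_entry(line):
    """Parse one ip_conntrack/nf_conntrack line into an Entry."""
    proto, _protonum, timeout, rest = line.split(None, 3)
    orig, reply, target = {}, {}, None
    for key, val in KV.findall(rest):
        if key in META_KEYS:
            continue
        if key == "src":                    # each of the two tuples starts with src=
            target = orig if not orig else reply
        target[key] = val
    return Entry(proto, int(timeout), orig, reply,
                 "[UNREPLIED]" in rest, "[ASSURED]" in rest)


def parse_table(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def tuple_key(proto, tup):
    """What conntrack matches a packet on: addresses plus ports for TCP/UDP,
    addresses plus the echo id for ICMP."""
    if proto in ("tcp", "udp"):
        return (proto, tup["src"], tup["dst"], tup["sport"], tup["dport"])
    if proto == "icmp":
        return (proto, tup["src"], tup["dst"], tup["id"])
    return (proto, tup["src"], tup["dst"])


def stale_unreplied(entries, min_timeout=300):
    """[UNREPLIED] entries that will still occupy the table for at least
    min_timeout seconds; comment #1's 3599 s UDP entry is the motivating case."""
    return [e for e in entries if e.unreplied and e.timeout >= min_timeout]


def reply_owner(entries, proto, src, dst, **ids):
    """Model of the reply-direction lookup: an incoming packet with this tuple
    is matched against every entry's reply tuple, and a hit is un-NATted to
    that entry's original source. Returns that source, or None if no entry owns it."""
    key = tuple_key(proto, {"src": src, "dst": dst, **ids})
    for e in entries:
        if e.proto == proto and tuple_key(proto, e.reply) == key:
            return e.orig["src"]
    return None


def delete_command(e):
    """conntrack(8) argument list that removes exactly this entry."""
    cmd = ["conntrack", "-D", "-p", e.proto, "-s", e.orig["src"], "-d", e.orig["dst"]]
    if e.proto in ("tcp", "udp"):
        cmd += ["--sport", e.orig["sport"], "--dport", e.orig["dport"]]
    elif e.proto == "icmp":
        cmd += ["--icmp-type", e.orig["type"], "--icmp-code", e.orig["code"],
                "--icmp-id", e.orig["id"]]
    return cmd


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for e in stale_unreplied(table):
        print("stale:", e.proto, e.timeout, "s left ->", " ".join(delete_command(e)))
    # machine1 (10.204.0.41) now pings 10.10.0.79 with the same echo id 21347:
    # the reply tuple already belongs to machine2's entry, so the reply goes there.
    print("echo reply id 21347 is delivered to:",
          reply_owner(table, "icmp", "10.10.0.79", "10.204.0.41", id="21347"))
```

`conntrack -L` lists the live table and `conntrack -F` flushes it entirely, which is the blunt answer to comment #1's question; on current kernels the UDP timeouts are tunable through `net.netfilter.nf_conntrack_udp_timeout` and `net.netfilter.nf_conntrack_udp_timeout_stream`. The `reply_owner` model only shows why a colliding reply tuple is steered to the older flow's source; it does not claim which kernel path created the collision in the report.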
https://bugzilla.novell.com/show_bug.cgi?id=234016

sndirsch@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |mhopf@novell.com, sndirsch@novell.com

------- Comment #2 from sndirsch@novell.com 2007-05-12 04:42 MST -------
JFYI, Matthias. This is a bug report which is assigned to Egbert/me or with Egbert/me in CC or reported by Egbert/me.
https://bugzilla.novell.com/show_bug.cgi?id=234016

------- Comment from Jiri Kosina -------

------- Comment #4 from Jiri Bohac (jbohac@novell.com) -------
https://bugzilla.novell.com/show_bug.cgi?id=234016#c4

------- Comment #5 from Egbert Eich (eich@novell.com) -------
https://bugzilla.novell.com/show_bug.cgi?id=234016#c5

------- Comment #6 from Andreas Jaeger (aj@novell.com) -------
https://bugzilla.novell.com/show_bug.cgi?id=234016#c6