<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Times New Roman, Times, serif">Hello,<br>
<br>
I'm having trouble getting locally-generated traffic to pass through
the IPSEC tunnel.<br>
<br>
The IPSEC gateway is 192.168.0.10 (internal on eth0), with x.x.x.x
(external on eth1).<br>
<br>
The other side is 192.168.3.1 (internal), with y.y.y.y (external).<br>
<br>
On 192.168.0.10, executing ping 192.168.3.102 is successful. I can see
the following packets with tcpdump:<br>
<br>
tcpdump -i eth1 host 192.168.3.102<br>
[packets from 192.168.3.102 back to 192.168.0.10, but no packets from
0.10 to 3.102]<br>
<br>
tcpdump -i eth1 host y.y.y.y<br>
[two sets of ESP packets, one set from x.x.x.x to y.y.y.y, and the
other set from y.y.y.y to x.x.x.x]<br>
<br>
I'm not sure why the first tcpdump command doesn't show packets from
0.10 to 3.102, but things work when this is the case.<br>
<br>
Now, I start sending UDP packets from 0.10 to 3.102 (this is an RTP
stream sent from Asterisk running on 0.10; SIP is bound only to 0.10,
not the external IP). In this case, I see:<br>
<br>
</font><font face="Times New Roman, Times, serif">tcpdump -i eth1 host
192.168.3.102<br>
[packets from 192.168.3.102 back to 192.168.0.10] - these packets are
received successfully, i.e. Asterisk can hear me<br>
[packets from x.x.x.x to 192.168.3.102] - these packets disappear -
they never hit anywhere I can find in iptables, and they never reach
3.102, i.e. I can't hear Asterisk<br>
<br>
</font><font face="Times New Roman, Times, serif">tcpdump -i eth1 host
y.y.y.y<br>
[two sets of ESP packets, </font><font
face="Times New Roman, Times, serif">one set from x.x.x.x to y.y.y.y,
and the other set from y.y.y.y to x.x.x.x]<br>
<br>
So, when the first tcpdump shows the stream from x.x.x.x to 3.102, this
is when I don't receive the packets.<br>
<br>
The problem began when I upgraded from Debian sarge to etch, upgrading
from kernel 2.4 to 2.6 in the process. Current versions are:<br>
<br>
PE1800:/etc/firehol# ipsec --version<br>
Linux Openswan U2.4.6/K2.6.18-6-686 (netkey)<br>
<br>
The netkey stuff seems very opaque to me; I'm not sure where to look to
see what is happening to the disappearing packets. They do not appear
in iptables (my rules log all dropped packets), and I was unable to fix
things by attempting to use routing tables and iptables nat rules to
modify the source address to 192.168.0.10 in an attempt to force the
packets through the tunnel.<br>
<br>
I'd appreciate some pointers on where to look to investigate further.<br>
<br>
James<br>
</font>
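<p>One concrete check for the opaque netkey part of the question: under netkey the kernel decides per packet whether to encapsulate it by matching its source and destination against the XFRM security policy selectors shown by <tt>ip xfrm policy</tt>. The following Python example is added here and is not from the post; it parses a constructed <tt>ip xfrm policy</tt> listing and reports which of the two source addresses seen in the tcpdump output, 192.168.0.10 or the external address, is covered by the outbound selector. 198.51.100.1 and 203.0.113.1 are stand-ins for the post's x.x.x.x and y.y.y.y.</p>

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output for a netkey/XFRM gateway
# like the one in the post. 198.51.100.1 / 203.0.113.1 are placeholders
# for the post's x.x.x.x / y.y.y.y, not real addresses.
SAMPLE_XFRM_POLICY = """\
src 192.168.0.0/24 dst 192.168.3.0/24
	dir out priority 2344 ptype main
	tmpl src 198.51.100.1 dst 203.0.113.1
		proto esp reqid 16385 mode tunnel
src 192.168.3.0/24 dst 192.168.0.0/24
	dir in priority 2344 ptype main
	tmpl src 203.0.113.1 dst 198.51.100.1
		proto esp reqid 16385 mode tunnel
src 192.168.3.0/24 dst 192.168.0.0/24
	dir fwd priority 2344 ptype main
	tmpl src 203.0.113.1 dst 198.51.100.1
		proto esp reqid 16385 mode tunnel
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")        # selector line
DIR_RE = re.compile(r"^\s*dir (\S+)")                  # in / out / fwd
TMPL_RE = re.compile(r"^\s*tmpl src (\S+) dst (\S+)")  # tunnel endpoints


def parse_xfrm_policy(text):
    """Return one dict per SPD entry: selector networks, direction, endpoints."""
    policies = []
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(2))})
        elif (m := DIR_RE.match(line)) and policies:
            policies[-1]["dir"] = m.group(1)
        elif (m := TMPL_RE.match(line)) and policies:
            policies[-1]["tmpl"] = (m.group(1), m.group(2))
    return policies


def matching_policy(policies, src, dst, direction):
    """First SPD entry whose selector covers src->dst for this direction, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.get("dir") == direction and s in p["src"] and d in p["dst"]:
            return p
    return None


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    for src in ("192.168.0.10", "198.51.100.1"):
        p = matching_policy(pols, src, "192.168.3.102", "out")
        verdict = ("encapsulated to " + p["tmpl"][1]) if p else "no SPD match, not encapsulated"
        print(src, "-> 192.168.3.102:", verdict)
```

<p>On the gateway itself, feed the real <tt>ip xfrm policy</tt> output to the parser and compare with <tt>ip route get 192.168.3.102</tt>, which shows the source address the kernel selects for locally generated traffic.</p>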
</body>
</html>