[Openswan Users] strange problem with openswan and local services on vpn gateway
Paul Wouters
paul at xelerance.com
Mon Jul 4 23:46:42 EDT 2011

On Fri, 1 Jul 2011, M L wrote:
> When I run tcpdump on my eth0 at vpn I see encrypted packet and
> immediately decrypted packet (note the same timestamp):
>
> 21:36:57.529540 IP A.B.C.D > 192.168.2.191:
> ESP(spi=0x9a4e3b51,seq=0x3d), length 92
> 21:36:57.529540 IP 192.168.106.133.41233 > 192.168.101.113.443: S
> 3350716436:3350716436(0) win 5840 <mss 1360,sackOK,timestamp
> 1002325407 0,nop,wscale 6>
>
> above 2 lines are repeated many times (syn w/o ack ?)
> It looks like packets are not "delivered" to upper layer and
> connection to apache process (at 443 port) is not established. I don't
> use any iptables filter rules,
> default policy is ACCEPT for all chains.
> My first thought was: packets are dropped (unknown reason) before
> reaching INPUT chain, but when I add a testing rule:
>
> iptables -I INPUT -i eth0 -d 192.168.101.113 -p tcp --dport 443 -j REJECT
>
> my peer gets connection refused (before was only timeout), and tcpdump
> shows extra reply packet (timestamp 22:02:09.553417):
>
> 22:02:09.553073 IP A.B.C.D > 192.168.2.191:
> ESP(spi=0xa8fd34e3,seq=0x27), length 92
> 22:02:09.553073 IP 192.168.106.133.45105 > 192.168.101.113.443: S
> 1302153132:1302153132(0) win 5840 <mss 1360,sackOK,timestamp
> 1002703423 0,nop,wscale 6>
> 22:02:09.553417 IP 192.168.2.191 > A.B.C.D:
> ESP(spi=0x0c356e78,seq=0x69), length 124 <-- (connection refused
> reply packet?)
>
> So above is the proof that packets travel via INPUT chain, so I removed
> testing REJECT rule.
>
> Which possible reasons (when nothing is filtered) could cause such
> problems that packet is delivered to INPUT chain but connection is not
> "passed"
> to application layer?

mtu size? Try lowering the mtu on the ipsec gw to 1460?
Or use TCP clamping, like:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1460

Or use the mtu= option in openswan 2.6.34 and higher.

Paul
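
Added example (not part of the original thread, and not Openswan code): a small parser for tcpdump text output like the capture quoted above, which reports for each decrypted inbound SYN whether the gateway sent any ESP packet back out shortly afterwards. The sample lines are reconstructed from the quoted capture with the wrapped lines joined; the function names and the one-second window are assumptions made for this sketch.

```python
import re
from datetime import datetime, timedelta

# Sample capture, reconstructed from the tcpdump lines quoted above with the
# wrapped lines joined: first pair is the timeout case, second the REJECT test.
# A.B.C.D is the poster's redacted peer address.
SAMPLE = """\
21:36:57.529540 IP A.B.C.D > 192.168.2.191: ESP(spi=0x9a4e3b51,seq=0x3d), length 92
21:36:57.529540 IP 192.168.106.133.41233 > 192.168.101.113.443: S 3350716436:3350716436(0) win 5840 <mss 1360,sackOK,timestamp 1002325407 0,nop,wscale 6>
22:02:09.553073 IP A.B.C.D > 192.168.2.191: ESP(spi=0xa8fd34e3,seq=0x27), length 92
22:02:09.553073 IP 192.168.106.133.45105 > 192.168.101.113.443: S 1302153132:1302153132(0) win 5840 <mss 1360,sackOK,timestamp 1002703423 0,nop,wscale 6>
22:02:09.553417 IP 192.168.2.191 > A.B.C.D: ESP(spi=0x0c356e78,seq=0x69), length 124
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): (.*)$")
SYN = re.compile(r"^S \d+:\d+\(0\).*<mss (\d+)")

def parse(text):
    """Yield (time, src, dst, payload) for each tcpdump line that parses."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            yield ts, m.group(2), m.group(3), m.group(4)

def syn_report(text, gateway, window=timedelta(seconds=1)):
    """Heuristic: a decrypted SYN counts as 'replied' if the gateway emitted
    any ESP packet within `window`. That may be a RST or unrelated traffic."""
    pkts = list(parse(text))
    report = []
    for ts, src, dst, payload in pkts:
        syn = SYN.match(payload)
        if not syn:
            continue
        replied = any(
            s == gateway and p.startswith("ESP(") and ts <= t <= ts + window
            for t, s, d, p in pkts
        )
        report.append({"flow": f"{src} > {dst}", "mss": int(syn.group(1)),
                       "replied": replied})
    return report

if __name__ == "__main__":
    for row in syn_report(SAMPLE, gateway="192.168.2.191"):
        print(row)
```

On the sample, the first SYN is reported with no outbound ESP (the timeout case) and the second with one (the REJECT test); both carry an advertised MSS of 1360.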