[Firehol-support] Packetloss in NAT Gateway between OpenVPN and IPSec

Phil Whineray phil at firehol.org
Mon Dec 4 07:27:54 GMT 2017


Hi Marcel

I can't see anything specifically wrong. I will say what little I can see
that seems odd to me and maybe it will help you find the problem.

On Sun, Dec 03, 2017 at 09:58:40PM +0000, Marcel Sander wrote:

[snip]
> router ovpn2ipsec inface tun0 outface tap0

I believe this is the interface pair you are routing between?

[snip]

> [ 8361.243383] BLOCKED INVALID IN:IN=ens3 OUT= MAC=[...] SRC=10.105.4.118 DST=10.117.250.10 LEN=56 TOS=0x00 PREC=0x00 TTL=128 ID=8506 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.117.250.10 DST=10.105.4.118 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=21757 DF FRAG:8031 PROTO=ICMP ]

Yet this shows blocking an ICMP message from ens3. INVALID means that
the packet can't be identified or that it does not have any state.

The ICMP reply shown blocked is not an echo reply: type 3 is a Destination
Unreachable.

Maybe refine the tcpdump captures you are doing to check the packet
is entering and leaving the interfaces as you expect?

Hope that helps
Phil
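
The log line quoted above is in the kernel's netfilter LOG text format, and the part that matters for the INVALID verdict is the bracketed second header: an ICMP error message carries the beginning of the packet it is complaining about, and conntrack classifies the error as RELATED only when that embedded header matches a flow it already has an entry for, otherwise as INVALID. The following is an added example (not from the original post, and not FireHOL's own code) that parses such a line, names the ICMP type and code, and pulls out the embedded original flow so you can see which connection the gateway would have needed to know about. The sample line is a copy of the kernel message quoted above, with the MAC field elided as it was there; the field names and the FRAG/DF/MF flag words follow the kernel's nf_log output.

```python
"""Decode a netfilter/iptables LOG line of the kind quoted in the thread.

Added example, not from the original post or the FireHOL project.
Field names follow the kernel's nf_log text format: IN=/OUT=/SRC=/DST=/
PROTO=/TYPE=/CODE= for the packet itself, plus a bracketed second header
for the original packet that an ICMP error message embeds."""
import re

# Constructed sample: the kernel line quoted in the thread, MAC elided as there.
SAMPLE_LINE = (
    "[ 8361.243383] BLOCKED INVALID IN:IN=ens3 OUT= MAC=[...] "
    "SRC=10.105.4.118 DST=10.117.250.10 LEN=56 TOS=0x00 PREC=0x00 TTL=128 "
    "ID=8506 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.117.250.10 DST=10.105.4.118 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=21757 DF FRAG:8031 PROTO=ICMP ]"
)

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded", 12: "Parameter Problem"}
# RFC 792 / RFC 1122 codes for type 3 (commonly seen subset)
ICMP_UNREACH_CODES = {0: "Net Unreachable", 1: "Host Unreachable",
                      2: "Protocol Unreachable", 3: "Port Unreachable",
                      4: "Fragmentation Needed and DF Set",
                      13: "Communication Administratively Prohibited"}
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # types that embed the offending packet

_KV = re.compile(r"([A-Z]+)=(\S*)")
_FLAG = re.compile(r"\b(CE|DF|MF)\b")
_FRAG = re.compile(r"\bFRAG:(\d+)")          # fragment offset, 8-byte units
_STAMP = re.compile(r"^\[\s*([\d.]+)\]\s*(.*)$")
_INNER = re.compile(r"\[(SRC=[^\]]*)\]\s*$")  # embedded header of an ICMP error


def _parse_fields(text):
    """KEY=value pairs plus the flag words (CE/DF/MF) and the FRAG: offset."""
    fields = dict(_KV.findall(text))
    fields["FLAGS"] = _FLAG.findall(text)
    frag = _FRAG.search(text)
    if frag:
        fields["FRAG"] = int(frag.group(1))
    return fields


def parse_nflog(line):
    """Split a LOG line into timestamp, log prefix, outer header and
    (for ICMP errors) the embedded original header."""
    m = _STAMP.match(line)
    timestamp = float(m.group(1)) if m else None
    body = m.group(2) if m else line
    prefix, sep, rest = body.partition("IN=")
    if not sep:
        raise ValueError("not a netfilter LOG line: %r" % line)
    rest = sep + rest
    inner = None
    im = _INNER.search(rest)
    if im:
        inner = _parse_fields(im.group(1))
        rest = rest[:im.start()]
    return {"timestamp": timestamp, "prefix": prefix.strip().rstrip(":"),
            "outer": _parse_fields(rest), "inner": inner}


def describe_icmp(fields):
    """Name for the ICMP TYPE/CODE of a parsed header, or None if not ICMP."""
    if fields.get("PROTO") != "ICMP" or "TYPE" not in fields:
        return None
    itype, code = int(fields["TYPE"]), int(fields.get("CODE", 0))
    name = ICMP_TYPES.get(itype, "type %d" % itype)
    if itype == 3:
        name += " / " + ICMP_UNREACH_CODES.get(code, "code %d" % code)
    return name


def flow_needed_for_related(parsed):
    """For an ICMP error, the flow that conntrack on the logging host would
    need an entry for to classify the error as RELATED instead of INVALID.
    Assumption (stated in the lead-in): conntrack matches the embedded
    original header against its table; with no entry the error is INVALID."""
    outer, inner = parsed["outer"], parsed["inner"]
    if inner is None or outer.get("PROTO") != "ICMP":
        return None
    if int(outer.get("TYPE", -1)) not in ICMP_ERROR_TYPES:
        return None
    return {"src": inner["SRC"], "dst": inner["DST"],
            "proto": inner.get("PROTO"), "reported_by": outer["SRC"]}


def summarize(line):
    """One-line human summary, handy when scanning a dmesg/syslog dump."""
    p = parse_nflog(line)
    what = describe_icmp(p["outer"]) or p["outer"].get("PROTO", "?")
    text = "%s: %s -> %s on %s: %s" % (p["prefix"], p["outer"]["SRC"],
                                       p["outer"]["DST"], p["outer"]["IN"], what)
    flow = flow_needed_for_related(p)
    if flow:
        text += " (about %s %s -> %s)" % (flow["proto"], flow["src"], flow["dst"])
    return text


if __name__ == "__main__":
    print(summarize(SAMPLE_LINE))
```

Run against the quoted line, `summarize` reports a Destination Unreachable / Port Unreachable from 10.105.4.118 that refers to an ICMP packet 10.117.250.10 sent to 10.105.4.118; the gateway that logged it had no conntrack entry for that flow, which is what the INVALID verdict records. Feeding the same function a whole `dmesg` dump is a quick way to check whether the dropped errors all concern flows that never passed through this host.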

