[Firehol-support] Packetloss in NAT Gateway between OpenVPN and IPSec

Marcel Sander me at marcel-sander.eu
Sun Dec 3 21:58:40 GMT 2017


Hi,

I'd like to set up a gateway between an IPSec network (external network) and an OpenVPN network (internal users).
The connections to the IPSec network should be NATed.

When trying to ping a host in the IPSec network from another client in the OpenVPN network, I'm seeing 100% packet loss.
I have collected some debugging info and would be very happy if someone with more experience has a hint for me.

Thanks,

Marcel

#Router, tap0 (ipsec) 10.117.250.10, tun0 (ovpn) 10.8.0.102
#Other OpenVPN Client, 10.8.0.1
#Host behind ipsec, 10.105.4.118

(Router)
~# cat /etc/firehol/firehol.conf
version 6

FIREHOL_DROP_ORPHAN_IPV4_ICMP_TYPE3=0

interface ens3 world
 client all accept
 server ssh accept

interface tun0 openvpn
 client all accept
 server all accept

interface tap0 ipsec
 client all accept
 server all accept

router ovpn2ipsec inface tun0 outface tap0
 masquerade
 route all accept

(Other OpenVPN client)
~# ping 10.105.4.118
PING 10.105.4.118 (10.105.4.118) 56(84) bytes of data.
^C
--- 10.105.4.118 ping statistics ---
159 packets transmitted, 0 received, 100% packet loss, time 159218ms

(Router)
~# tcpdump -vveni any icmp
[...]
20:36:05.576942 In ethertype IPv4 (0x0800), length 100: 10.8.0.1 > 10.105.4.118: ICMP echo request, id 23695, seq 789, length 64
20:36:05.590995 In 10:0e:7e:26:f1:c0 ethertype IPv4 (0x0800), length 100: 10.105.4.118 > 10.117.250.10: ICMP echo reply, id 23695, seq 789, length 64

~# cat /proc/net/nf_conntrack
[...]
ipv4 2 icmp 1 29 src=10.8.0.1 dst=10.105.4.118 type=8 code=0 id=23695 src=10.105.4.118 dst=10.117.250.10 type=0 code=0 id=23695 mark=0 zone=0 use=2

~# netstat-nat -Nn
Proto NATed Address NAT-host Address Destination Address State
icmp 10.8.0.1 10.117.250.10 10.105.4.118

~# dmesg
[...]
[ 8361.243383] BLOCKED INVALID IN:IN=ens3 OUT= MAC=[...] SRC=10.105.4.118 DST=10.117.250.10 LEN=56 TOS=0x00 PREC=0x00 TTL=128 ID=8506 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.117.250.10 DST=10.105.4.118 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=21757 DF FRAG:8031 PROTO=ICMP ]
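The conntrack entry and the FireHOL log line quoted above can be cross-checked mechanically. The following script is an added example, not part of the post or of FireHOL; the two sample lines are copied from the post. It parses both formats and reports whether the packet embedded in the blocked ICMP error belongs to the NATed side of the tracked ping.

```python
import re

# Sample lines copied from the post above: the nf_conntrack entry and the FireHOL log line
CONNTRACK_LINE = ("ipv4 2 icmp 1 29 src=10.8.0.1 dst=10.105.4.118 type=8 code=0 id=23695 "
                  "src=10.105.4.118 dst=10.117.250.10 type=0 code=0 id=23695 mark=0 zone=0 use=2")
LOG_LINE = ("[ 8361.243383] BLOCKED INVALID IN:IN=ens3 OUT= MAC=[...] SRC=10.105.4.118 "
            "DST=10.117.250.10 LEN=56 TOS=0x00 PREC=0x00 TTL=128 ID=8506 PROTO=ICMP TYPE=3 CODE=3 "
            "[SRC=10.117.250.10 DST=10.105.4.118 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=21757 DF "
            "FRAG:8031 PROTO=ICMP ]")

def parse_conntrack(line):
    """Return the original and reply tuples of a /proc/net/nf_conntrack line.
    The first src=/dst= pair is the flow as it entered (pre-NAT); the second is the
    expected reply, whose dst is the masquerade address for a NATed flow."""
    pairs = re.findall(r"src=(\S+) dst=(\S+)(?: type=\d+ code=\d+ id=(\d+))?", line)
    orig, reply = pairs[0], pairs[1]
    return {"orig": {"src": orig[0], "dst": orig[1], "id": orig[2]},
            "reply": {"src": reply[0], "dst": reply[1], "id": reply[2]}}

def parse_firehol_log(line):
    """Parse a FireHOL 'BLOCKED INVALID' kernel log line into its outer fields and,
    for ICMP errors, the embedded original packet header printed inside [...]."""
    m = re.search(r"\[(SRC=.*?)\]\s*$", line)
    inner_text = m.group(1) if m else ""
    outer_text = line[:m.start()] if m else line
    outer = dict(re.findall(r"(\w+)=(\S*)", outer_text))
    inner = dict(re.findall(r"(\w+)=(\S*)", inner_text))
    # netfilter prints the DF flag and FRAG:<offset> as bare tokens, not key=value
    inner["DF"] = " DF " in f" {inner_text} "
    frag = re.search(r"FRAG:(\d+)", inner_text)
    inner["FRAG"] = int(frag.group(1)) if frag else 0
    return {"outer": outer, "inner": inner}

def correlate(conntrack_line, log_line):
    """Relate the blocked ICMP error to the tracked ping flow and list what stands out."""
    ct = parse_conntrack(conntrack_line)
    log = parse_firehol_log(log_line)
    outer, inner = log["outer"], log["inner"]
    # conntrack classifies an ICMP error as RELATED only when the embedded packet maps to
    # a tracked flow; anything else is INVALID, which FireHOL logs and drops
    matches_nat = (inner.get("SRC") == ct["reply"]["dst"] and inner.get("DST") == ct["reply"]["src"])
    findings = [f"ICMP type {outer.get('TYPE')} code {outer.get('CODE')} from {outer.get('SRC')} on {outer.get('IN')}"]
    findings.append("embedded packet is the post-NAT original direction of the tracked ping"
                    if matches_nat else "embedded packet does not belong to the tracked ping")
    if inner["DF"] and inner["FRAG"]:
        findings.append(f"embedded header has DF set but fragment offset {inner['FRAG']}: "
                        "inconsistent, inspect the raw packet before trusting the error")
    return {"matches_nat": matches_nat, "findings": findings}

print(*correlate(CONNTRACK_LINE, LOG_LINE)["findings"], sep="\n")
```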
