[Firehol-support] Packetloss in NAT Gateway between OpenVPN and IPSec

Marcel Sander me at marcel-sander.eu
Sun Dec 3 21:58:40 GMT 2017


I'd like to set up a gateway between an IPSec network (external network) and an OpenVPN network (internal users).
The connections to the IPSec network should be NATed.

When trying to ping a host in the IPSec network from another client in the OpenVPN network, I'm seeing 100% packet loss.
I have collected some debugging info and would be very happy if someone with more experience has a hint for me.


#Router, tap0 (ipsec), tun0 (ovpn),
#Other OpenVPN Client,
#Host behind ipsec,

~# cat /etc/firehol/firehol.conf
version 6


interface ens3 world
 client all accept
 server ssh accept

interface tun0 openvpn
 client all accept
 server all accept

interface tap0 ipsec
 client all accept
 server all accept

router ovpn2ipsec inface tun0 outface tap0
 route all accept

(Other OpenVPN client)
~# ping
PING ( 56(84) bytes of data.
--- ping statistics ---
159 packets transmitted, 0 received, 100% packet loss, time 159218ms

~# tcpdump -vveni any icmp
20:36:05.576942 In ethertype IPv4 (0x0800), length 100: > ICMP echo request, id 23695, seq 789, length 64
20:36:05.590995 In 10:0e:7e:26:f1:c0 ethertype IPv4 (0x0800), length 100: > ICMP echo reply, id 23695, seq 789, length 64

~# cat /proc/net/nf_conntrack
ipv4 2 icmp 1 29 src= dst= type=8 code=0 id=23695 src= dst= type=0 code=0 id=23695 mark=0 zone=0 use=2

~# netstat-nat -Nn
Proto NATed Address NAT-host Address Destination Address State

~# dmesg
[ 8361.243383] BLOCKED INVALID IN:IN=ens3 OUT= MAC=[...] SRC= DST= LEN=56 TOS=0x00 PREC=0x00 TTL=128 ID=8506 PROTO=ICMP TYPE=3 CODE=3 [SRC= DST= LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=21757 DF FRAG:8031 PROTO=ICMP ]

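For reference, the posted firehol.conf contains no NAT helper at all (no masquerade or snat line), which matches the empty netstat-nat table above. The following is an added example, not the poster's configuration and not a reply from the list: it keeps the same interface names (ens3, tun0, tap0) and the same router name, and adds the FireHOL masquerade helper inside the router so that OpenVPN clients are hidden behind the router's tap0 address when they reach the IPsec side. The rest of the file is left as the poster wrote it.

```firehol
version 6

interface ens3 world
    client all accept
    server ssh accept

interface tun0 openvpn
    client all accept
    server all accept

interface tap0 ipsec
    client all accept
    server all accept

# Forward OpenVPN clients (tun0) to the IPsec side (tap0) and source-NAT
# them to tap0's address. Inside a router, 'masquerade' applies to packets
# leaving the router's outface; replies are matched and de-NATed by
# conntrack, so no reverse rule is needed for the return path.
router ovpn2ipsec inface tun0 outface tap0
    masquerade
    route all accept
```

After `firehol try` with this file, a ping from an OpenVPN client should produce an entry in `netstat-nat -Nn` (or `conntrack -L`) whose NAT-host address is the tap0 address of the router, and `iptables -t nat -S POSTROUTING` should list a MASQUERADE rule for tap0. If the table stays empty, the traffic is not being forwarded through the router at all and the ICMP type 3 code 3 drops logged on ens3 are worth looking at first.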
More information about the Firehol-support mailing list