NAT troubles

To: debian-firewall@lists.debian.org
Subject: NAT troubles
From: Sergey Dorofeev <sergey@fidoman.ru>
Date: Thu, 10 Apr 2008 18:52:10 +0400
Message-id: <200804101852.10867.sergey@fidoman.ru>

Hello.

I striked some NAT trouble and see no way even how to dig it.
Situation:
I am running a gateway, which serves as firewall between LAN and Internat and 
also as endpoint for multiple GRE tunnels. Traffic incapsulated in GRE is 
encrypted with IPSEC policies. Routes are made with OSPF (quagga).
Everything work fine.
And some in LAN host pings through NAT remote gateway (remote ends of 
tunnels). May be he is concerned is some way.
Problem:
In some time one of tunnels gets down.
No traffic passes over GRE, but I can see incoming ESP packets.
And I see strange NAT in iptstate:
                                                                     
IPTState - IPTables State Top
Version: 2.1          Sort: SrcIP           b: change sorting   h: help
Filters: dst: 212.120.191.5
Source                 Destination     Proto   State       TTL
81.211.28.162    212.120.191.5      esp           0:09:54
172.16.16.11      212.120.191.5      gre            0:09:54

The first row represents valid track for esp traffic.
But I have no clues for cause of second record.
I have in iptables disabled GRE forwarding, host 172.16.16.11 has no GRE 
configured at all. Only ICMP packets travels through NAT.

# uname -a
Linux gw.prodo.ru 2.6.18-6-686 #1 SMP Sun Feb 10 22:11:31 UTC 2008 i686 
GNU/Linux

I recently reinstalled from scratch 172.16.16.11 but problem persisted (as on 
old address that was 172.16.16.9)

If I delete tunnels on both system, wait for TTL expire and recreate, all 
works. Until some moment X, when problem resurvives.

Reply to:

Prev by Date: Re: Can't get iptables LOG
Next by Date: Re: Can't get iptables LOG
Previous by thread: Re: Can't get iptables LOG
Index(es):
- Date
- Thread