protocol 50 unreachable


I have been searching for information about this problem high and low but came up dry. Basically, I am trying to connect to a VPN server via IPsec from behind a NAT firewall set up on a Linux (kernel 2.4.x) box with iptables. I have no problem establishing the connection via port 500 as this is initiated by the client. However, I cannot seem to get protocol 50 (ESP) to work, independent of whether the IPsec tunnel is established or not. I have tried every incantation of iptables rules I could find, to no avail. When I set up tcpdump on both interfaces on my server as well as on the client behind it, a port I have opened for forwarding responds as expected. If I run 'nmap -sO' from somewhere outside, however, it will report protocol 50 as open although the external interface reports an 'icmp: xx.xx.xx.xx protocol 50 unreachable' response and the two other interfaces never see the traffic.

Here is my current iptables configuration:

echo "Enabling PORTFW Redirection on the external LAN.."
# forward inbound ESP from the outside interface to the inside interface
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p esp -j ACCEPT
# rewrite the destination of ESP packets addressed to $VPN_SERVER so they go to the inside client;
# only packets whose destination address equals $VPN_SERVER are matched by this rule
$IPTABLES -A PREROUTING -t nat -d $VPN_SERVER -p esp -j DNAT --to-destination $VPN_CLIENT

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Here is the tcpdump info I see on $EXTIF:

10:23:09.234937 (vpn server ip) > (my ip): ESP(spi=0x00000000,seq=0x0)
10:23:09.235055 (my ip) > (vpn server ip): icmp: (my ip) protocol 50 unreachable [tos 0xc0]

(These are empty packets sent by nmap, but it looks the same for legit ones coming from the VPN server IP.) FWIW, when the IPsec tunnel is established and I try to ping a host behind the VPN server, I see the outgoing packets on all three interfaces, but no response.

Thanks for any information or pointers in advance! h.
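An added triage helper, not part of the original post, that reads tcpdump lines in the format quoted above, pairs each inbound ESP packet with any ICMP "protocol 50 unreachable" the firewall sent back, and separates SPI-0 probes (such as the nmap packets) from real SA traffic, since SPI 0 is reserved and a real security association never puts it on the wire. The sample capture and the RFC 5737 documentation addresses are constructed; an unreachable reply from the firewall's own address means the ESP packet was delivered to the firewall's local IP stack rather than DNATed and forwarded.

```python
import re
from collections import defaultdict

# Constructed sample in the old-style tcpdump format quoted in the post.
SAMPLE = """\
10:23:09.234937 203.0.113.5 > 198.51.100.7: ESP(spi=0x00000000,seq=0x0)
10:23:09.235055 198.51.100.7 > 203.0.113.5: icmp: 198.51.100.7 protocol 50 unreachable [tos 0xc0]
10:23:11.100001 203.0.113.5 > 198.51.100.7: ESP(spi=0x3a1b2c4d,seq=0x1)
10:23:11.100120 198.51.100.7 > 203.0.113.5: icmp: 198.51.100.7 protocol 50 unreachable [tos 0xc0]
10:23:12.000000 203.0.113.5 > 198.51.100.7: ESP(spi=0x3a1b2c4d,seq=0x2)
"""

ESP_RE = re.compile(r"^\S+ (\S+) > (\S+): ESP\(spi=0x([0-9a-fA-F]+),seq=0x[0-9a-fA-F]+\)")
ICMP_RE = re.compile(r"^\S+ (\S+) > (\S+): icmp: \S+ protocol 50 unreachable")

def triage(text):
    """Per (sender, receiver) ESP flow: packet count, SPI-0 probe count, and how
    many packets drew an ICMP 'protocol 50 unreachable' from the receiver, which
    means the receiver's own stack got the packet instead of forwarding it."""
    flows = defaultdict(lambda: {"esp": 0, "spi0": 0, "unreachable": 0})
    pending = []  # ESP flows still waiting for a possible ICMP reply
    for line in text.splitlines():
        m = ESP_RE.match(line)
        if m:
            src, dst, spi = m.groups()
            flows[(src, dst)]["esp"] += 1
            if int(spi, 16) == 0:  # SPI 0 is reserved: probe traffic, not the VPN
                flows[(src, dst)]["spi0"] += 1
            pending.append((src, dst))
            continue
        m = ICMP_RE.match(line)
        if m:
            fw, sender = m.groups()  # reply travels firewall -> original sender
            if (sender, fw) in pending:
                pending.remove((sender, fw))
                flows[(sender, fw)]["unreachable"] += 1
    return dict(flows)

def verdict(flows):
    """One diagnostic line per flow."""
    out = []
    for (src, dst), c in sorted(flows.items()):
        real = c["esp"] - c["spi0"]
        if real and c["unreachable"]:
            why = "real ESP rejected locally: DNAT/FORWARD rules are not matching"
        elif real:
            why = "real ESP not rejected here: check the inside host and its reply path"
        else:
            why = "only SPI-0 probes seen: no SA traffic to judge"
        out.append(f"{src} -> {dst}: {c['esp']} ESP ({c['spi0']} SPI-0), {c['unreachable']} unreachable; {why}")
    return out
```

Feed it the $EXTIF capture (tcpdump -n -i $EXTIF 'proto 50 or icmp') and compare with the same run on $INTIF: real ESP that is answered with unreachable on $EXTIF and never appears on $INTIF was never redirected by the PREROUTING rule.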

