protocol 50 unreachable


I have been searching for information about this problem high and low but came up dry. Basically, I am trying to connect to a VPN server via ipsec from behind a NAT firewall set up on a Linux (kernel 2.4.x) box with iptables. I have no problem establishing the connection via port 500 as this is initiated by the client. However, I cannot seem to get protocol 50 (ESP) to work, independent of whether the ipsec tunnel is established or not. I have tried every incantation of iptables rules I could find, to no avail. When I set up tcpdump on both interfaces on my server as well as on the client behind it, a port I have opened for forwarding responds as expected. If I run 'nmap -sO' from somewhere outside however, it will report protocol 50 as open, although the external interface reports an 'icmp: xx.xx.xx.xx protocol 50 unreachable' response and the two other interfaces never see the traffic.

Here is my current iptables configuration


echo "Enabling PORTFW Redirection on the external LAN.."
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p esp -j ACCEPT
$IPTABLES -A PREROUTING -t nat -d $VPN_SERVER -p esp -j DNAT \
    --to-destination $VPN_CLIENT

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

here is the tcpdump info I see on $EXTIF:

10:23:09.234937 (vpn server ip) > (my ip): ESP(spi=0x00000000,seq=0x0)
10:23:09.235055 (my ip) > (vpn server ip): icmp: (my ip) protocol 50 unreachable [tos 0xc0]

(these are empty packets sent by nmap but it looks the same for legit ones coming from the vpn server ip). FWIW, when the ipsec tunnel is established and I try to ping a host behind the vpn server, I see the outgoing packets on all three interfaces, but no response.

thanks for any information or pointers in advance! h.
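The symptom in the tcpdump output is worth reading carefully: an ICMP "protocol 50 unreachable" is generated by the NAT box's own IP stack when a datagram is delivered locally and no handler for that protocol exists, so the inbound ESP packet is not being forwarded at all. Inbound ESP from the remote gateway has destination = the NAT box's public address, so a PREROUTING DNAT rule that matches on `-d $VPN_SERVER` never fires for it. The script below is an added example, not the poster's configuration, showing a rule set that rewrites inbound ESP to a single internal client and passes it through FORWARD explicitly (ESP has no ports and the 2.4 state tracker should not be relied on for it). The variable names EXTIF, INTIF, VPN_SERVER and VPN_CLIENT follow the post; EXT_IP (the NAT box's public address) is an assumed addition, and all default addresses are constructed placeholders. Setting IPTABLES=echo prints the rules instead of loading them, which is how the dry-run helpers work.

```shell
#!/bin/sh
# Added example (not the original poster's script): forward inbound ESP
# (IP protocol 50) through a Linux 2.4 / iptables NAT box to one IPsec client.
# All defaults below are constructed placeholders; override them via the environment.
IPTABLES=${IPTABLES:-/sbin/iptables}   # set IPTABLES=echo for a dry run
EXTIF=${EXTIF:-eth0}                   # external (public) interface
INTIF=${INTIF:-eth1}                   # internal (LAN) interface
EXT_IP=${EXT_IP:-192.0.2.10}           # assumed: the NAT box's public address
VPN_SERVER=${VPN_SERVER:-198.51.100.5} # remote IPsec gateway
VPN_CLIENT=${VPN_CLIENT:-10.0.0.20}    # the single IPsec client on the LAN

esp_forward_rules() {
    # 1. Inbound ESP arrives addressed to EXT_IP, not to VPN_SERVER. Rewrite the
    #    destination before routing so the kernel forwards the datagram instead of
    #    delivering it locally; local delivery with no ESP handler is exactly what
    #    produces "icmp: protocol 50 unreachable". DNAT is safe for ESP because its
    #    integrity check does not cover the outer IP header (unlike AH).
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p esp -s "$VPN_SERVER" -d "$EXT_IP" \
        -j DNAT --to-destination "$VPN_CLIENT"

    # 2. Pass the rewritten ESP through FORWARD in both directions. There are no
    #    ports to match on, so restrict by peer address to limit exposure to the one
    #    expected gateway rather than accepting protocol 50 from anywhere.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p esp \
        -s "$VPN_SERVER" -d "$VPN_CLIENT" -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -p esp \
        -s "$VPN_CLIENT" -d "$VPN_SERVER" -j ACCEPT

    # 3. IKE (UDP 500) is normally client-initiated and rides on MASQUERADE plus
    #    state tracking, but an explicit DNAT keeps gateway-initiated rekeys working.
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p udp -s "$VPN_SERVER" -d "$EXT_IP" \
        --dport 500 -j DNAT --to-destination "$VPN_CLIENT:500"
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p udp \
        -s "$VPN_SERVER" -d "$VPN_CLIENT" --dport 500 -j ACCEPT

    # 4. Everything else: allow LAN-initiated traffic out, return traffic in,
    #    masquerade outbound, and log what falls through.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    $IPTABLES -A FORWARD -j LOG
}

# Print the rule set instead of loading it (runs in a subshell so IPTABLES=echo
# does not leak into the caller's environment).
dry_run() {
    (IPTABLES=echo; esp_forward_rules)
}

# Number of generated rules that match on IP protocol 50.
count_esp_rules() {
    dry_run | grep -c -- '-p esp'
}

# Usage: sh esp_forward.sh apply        (load rules as root)
#        IPTABLES=echo sh esp_forward.sh apply   (print them)
if [ "${1:-}" = "apply" ]; then
    esp_forward_rules
fi
```

After loading the rules, the check the post describes still applies: tcpdump on $EXTIF should now show the inbound ESP packet with no ICMP reply, and the same packet should appear on $INTIF with its destination rewritten to the client. If the ICMP "protocol 50 unreachable" persists, the DNAT rule is not matching, and `iptables -t nat -L PREROUTING -v -n` shows whether its packet counter moves.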

Helge Weissig