Re: protocol 50 unreachable

Helge Weissig wrote:
I mean with "incomplete" that the tcpdump traffic I see does not show up in the logs. I used your rules at the end of your reply and see the same thing: ESP from VPN_SERVER hits $EXTIF, triggers the "protocol 50 unreachable" icmp response and no log entry ever shows up in the kernel log from the iptables log rule. I am suspecting that your option 3) is indeed the problem.

h.

It is possible that a conntrack already exists, or the packet can't be conntracked, so the packet doesn't pass through nat PREROUTING.

Try putting the log rule in the mangle PREROUTING chain.
If they do match a log rule here, check if they are invalid
with -m conntrack --ctstate INVALID.

Also check if there are any esp conntracks in /proc/net/ip_conntrack

--
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
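The three checks in the reply above (log in mangle PREROUTING, separate out conntrack-INVALID packets, look for ESP entries in the conntrack table), put into a script. This is an added example and is not code from the thread or from SnapGear. Assumptions that are not in the original: the interface name in EXTIF, the peer address in VPN_SERVER (a documentation address), the LOG prefixes, and that ESP appears in /proc/net/ip_conntrack under the generic protocol handler as "unknown 50". The kernel-log and conntrack samples at the bottom are constructed so the parsing steps can be run offline.

```shell
#!/bin/sh
# Added example for the troubleshooting steps in the reply; not code from the
# thread. Assumed names: EXTIF, VPN_SERVER, the LOG prefixes.
EXTIF="${EXTIF:-eth0}"                  # assumed external interface
VPN_SERVER="${VPN_SERVER:-192.0.2.10}"  # assumed peer (documentation address)

# Step 1: log ESP from the peer in mangle PREROUTING, which every inbound
# packet traverses; nat PREROUTING only sees the first packet of a new
# conntrack, so an existing or untrackable flow never reaches a log rule there.
# The second rule fires only for packets conntrack classes as INVALID.
add_esp_log_rules() {
    iptables -t mangle -I PREROUTING 1 -i "$EXTIF" -s "$VPN_SERVER" -p esp \
        -j LOG --log-prefix "ESP-mangle-pre: "
    iptables -t mangle -I PREROUTING 2 -i "$EXTIF" -s "$VPN_SERVER" -p esp \
        -m conntrack --ctstate INVALID -j LOG --log-prefix "ESP-invalid: "
}

# Step 2: count hits for those prefixes in a kernel log read from stdin
# (dmesg or /var/log/kern.log). Prints 0 when nothing matched.
count_esp_log_hits() {
    awk '/ESP-(mangle-pre|invalid): / { n++ } END { print n + 0 }'
}

# Step 3: pick ESP entries out of a conntrack dump read from stdin
# (/proc/net/ip_conntrack here; /proc/net/nf_conntrack on later kernels).
# ESP has no protocol-specific tracker, so the generic handler prints the
# entry as "unknown 50 ..."; matching the numeric field catches it either way.
esp_conntracks() {
    awk '$2 == 50 { print }'
}

# Watch the wire for the symptom itself: ESP plus ICMP type 3 code 2
# (protocol unreachable) on the external interface.
watch_esp_and_unreachable() {
    tcpdump -ni "$EXTIF" "esp or (icmp[0] == 3 and icmp[1] == 2)"
}

# Constructed sample input (not a real capture) for the parsing steps.
sample_kernel_log() {
    cat <<'EOF'
kernel: ESP-mangle-pre: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=136 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=ESP SPI=0xc1a2b3d4
kernel: ESP-invalid: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=136 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=ESP SPI=0xc1a2b3d4
kernel: martian source 10.1.1.1 from 10.2.2.2, on dev eth0
EOF
}
sample_conntrack_dump() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=33124 dport=22 src=198.51.100.7 dst=10.0.0.5 sport=22 dport=33124 [ASSURED] use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=51034 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=51034 use=1
unknown  50 599 src=192.0.2.10 dst=198.51.100.7 src=198.51.100.7 dst=192.0.2.10 use=1
EOF
}

# Usage: ./esp-debug.sh install | log | ct | watch (no argument does nothing).
case "${1:-}" in
    install) add_esp_log_rules ;;
    log)     dmesg | count_esp_log_hits ;;
    ct)      esp_conntracks < /proc/net/ip_conntrack ;;
    watch)   watch_esp_and_unreachable ;;
esac
```

Reading the result: a hit on "ESP-mangle-pre:" without a matching "ESP-invalid:" means the packet is tracked and the silence in nat PREROUTING is just the table being skipped for an existing flow, which the "unknown 50" conntrack entry would confirm; a hit on both means conntrack is rejecting the packet as INVALID and nat is skipped for that reason; no hit on either means the packet is not reaching the filter rules at all and the tcpdump filter is the next place to look.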

