A little help from my friends. Here's the correspondence with Rob White in the netfilter listserv:
> Stupid questions:
>
> (0) Have you tried the ping from the firewall or from a separate host, or from both?
>
> Packets coming in down from the top (e.g. originating on the local host) are sometimes weird.
>
> I would, at the least, turn on logging of reverse path filtering.
>
>
> http://tldp.org/HOWTO/Adv-Routing-HO...ernel.rpf.html
>
> You may find that one of these options -- e.g. the one you aren't currently using in the test -- works when the other does not. If so you know where you need to concentrate.
>
>
> (1) What does /proc/sys/net/ipv4/conf/vti0/forwarding say? How about .../lo0/...?
>
> If /proc/sys/net/ipv4/conf/default/forwarding=1 was not true when the interface was configured, or if some option in the configuration is turning it off... well that could prevent output.
>
> (2) Have you configured vti_routing=yes (or equivalent) in the necessary config file for libreswan (or whatever you are using)?
>
> Routing incoming packets out a VPN is usually _not_ the default.
>
> (3) Does "iptables -t nat --list -v" show the counters on the DNAT rule increasing when you initiate the ping?
>
> (4) Have you tried adding a "--match conntrack --ctstate DNAT -j LOG"?
>
>
> (5) What's with ext0:10?
>
> Virtual ethernet adapters are so last century. 8-)
>
> More seriously, is this a residue from something like an old configuration scripting scheme? It's better for everything to just add the extra address to the base interface. A simple "ip address add dev eth0 172.30.5.206/24" would be much better.
>
> For example, to talk to my cable modem's maintenance interface...
>
> # ip address add dev ext0 192.168.100.5/24
> # ip address show ext0
> 7: ext0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group 1 qlen 1000
> link/ether 00:1b:21:98:04:af brd ff:ff:ff:ff:ff:ff
> inet 73.109.XXX.XXX/21 brd 255.255.255.255 scope global ext0
> valid_lft forever preferred_lft forever
> inet 192.168.100.5/24 scope global ext0
> valid_lft forever preferred_lft forever
> inet6 fe80::21b:21ff:fe98:4af/64 scope link
> valid_lft forever preferred_lft forever
>
>
> (6) Do the /proc/sys/net/ipv4/conf/*/route_localhost settings alter your ping test?
>
> (7) Have you tried any connection types other than ping?
>
>
>
> ---
>
> That's pretty much the list of starting places that came to mind. Hope this helped.
>
> -Rob.
__________________________________________________________________________________________________
Hi Robert,
I have to tell you I am so happy to know that Linux does RP filter by default. It gave me flashbacks to CCIE multicast routing troubleshooting. I changed it:
root@ip-172-30-5-161:/home/ubuntu# for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do cat $i; done
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
root@ip-172-30-5-161:/home/ubuntu#
(0) Have you tried the ping from the firewall or from a separate host, or from both?
Yes. I have GRETAP sessions each way actually working (that wasn't easy). Though unrelated, iptables/NF would be well served to add a clear-DF-bit function. I'm pulling packets out of kernel space with nf-queue to clear the DF bit, recalc the checksum, and send on. It's gross. #MTUhell
(1) What does /proc/sys/net/ipv4/conf/vti0/forwarding say? How about .../lo0/...?
root@ip-172-30-5-161:/home/ubuntu# cat /proc/sys/net/ipv4/conf/vti1/forwarding
1
root@ip-172-30-5-161:/home/ubuntu# cat /proc/sys/net/ipv4/conf/lo/forwarding
1
(2) Have you configured vti_routing=yes (or equivalent) in the necessary config file for libreswan (or whatever you are using)?
That was a good idea! I checked with strongswan and found this recommendation (
https://wiki.strongswan.org/projects.../RouteBasedVPN)
sysctl -w net.ipv4.conf.<name>.disable_policy=1
root@ip-172-30-5-161:/home/ubuntu# cat /proc/sys/net/ipv4/conf/vti1/disable_policy
1
Sadly it didn't fix the problem.
(3) Does "iptables -t nat --list -v" show the counters on the DNAT rule increasing when you initiate the ping?
It increases by 1, then drops. Here are two ping tests (4 pings each) about 2 mins apart.
root@ip-172-30-5-161:/home/ubuntu# iptables -t nat -S -v
-P PREROUTING ACCEPT -c 1720 103200
-P INPUT ACCEPT -c 1720 103200
-P OUTPUT ACCEPT -c 65 4353
-P POSTROUTING ACCEPT -c 68 4533
-A PREROUTING -d 172.30.5.206/32 -c 3 180 -j DNAT --to-destination 172.21.0.25
-A PREROUTING -d 172.30.5.206/32 -c 0 0 -j DNAT --to-destination 172.21.0.1
(4) Have you tried adding a "--match conntrack --ctstate DNAT -j LOG"?
Yes.
(5) What's with ext0:10?
Virtual ethernet adapters are so last century. 8-)
Yeah, I'm an old guy.
(6) Do the /proc/sys/net/ipv4/conf/*/route_localhost settings alter your ping test?
No
(7) Have you tried any connection types other than ping?
Yes. SSH also fails.
All that said, there is good news! After disallowing RP check, disabling policies and changing the traffic selectors in strongswan, it's working great. Thanks a bunch for your time! I really appreciate it.
Chris
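The three knobs the thread ends up turning (rp_filter, forwarding, and disable_policy on the vti interface) are easy to leave half-set, because the kernel validates a source address against the larger of conf/all/rp_filter and conf/<iface>/rp_filter, so loosening one interface does nothing while "all" is still strict. The script below is an added example written for this page, not code from the thread or from strongswan: it reads those sysctls for every interface and reports what is still blocking forwarded VPN traffic. It only reads, never writes. Assumptions: the standard /proc/sys layout (a root directory argument lets it run against a copied tree for testing), the rp_filter value names from the kernel's ip-sysctl documentation (0 off, 1 strict, 2 loose; note that the "2" shown in the reply above is loose mode, not fully off), and the rule that vti-named interfaces should have disable_policy=1, which is taken from the strongswan route-based VPN page linked above.

```shell
#!/bin/sh
# Added example: audit the per-interface IPv4 sysctls discussed in the thread.
# Usage: sh audit.sh /proc/sys
# Assumes the standard tree  <root>/net/ipv4/conf/<iface>/{rp_filter,forwarding,disable_policy}

# Map an rp_filter value to the mode name used in the kernel's ip-sysctl docs.
rp_filter_mode() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter) when
# validating the source of packets arriving on <iface>.
effective_rp_filter() {
    root="$1"; iface="$2"
    all=$(cat "$root/net/ipv4/conf/all/rp_filter")
    own=$(cat "$root/net/ipv4/conf/$iface/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# One status line per interface, e.g.
#   vti1 rp_filter=loose forwarding=1 disable_policy=1 ok
# Flags strict reverse-path filtering (drops decrypted packets whose source
# is not routed back over the vti), forwarding off, and, for vti interfaces
# only, the missing disable_policy=1 the strongswan route-based VPN notes ask for.
audit_iface() {
    root="$1"; iface="$2"
    d="$root/net/ipv4/conf/$iface"
    fwd=$(cat "$d/forwarding")
    pol=$(cat "$d/disable_policy" 2>/dev/null || echo 0)
    rpf=$(effective_rp_filter "$root" "$iface")
    problems=""
    [ "$fwd" = "1" ] || problems="$problems forwarding=0"
    [ "$rpf" != "1" ] || problems="$problems rp_filter=strict"
    case "$iface" in
        vti*) [ "$pol" = "1" ] || problems="$problems disable_policy=0" ;;
    esac
    if [ -z "$problems" ]; then verdict="ok"; else verdict="needs:$problems"; fi
    printf '%s rp_filter=%s forwarding=%s disable_policy=%s %s\n' \
        "$iface" "$(rp_filter_mode "$rpf")" "$fwd" "$pol" "$verdict"
}

# Walk every interface directory except the "all" and "default" templates.
audit_all() {
    root="${1:-/proc/sys}"
    if [ ! -d "$root/net/ipv4/conf" ]; then
        echo "no sysctl tree under $root" >&2
        return 1
    fi
    for d in "$root"/net/ipv4/conf/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        audit_iface "$root" "$iface"
    done
}

# Run the audit only when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_all "$1"
fi
```

Running it against a live box as `sh audit.sh /proc/sys` prints one line per interface; a vti line ending in anything other than "ok" names exactly which of the three settings from the thread is still unset for that interface, which is quicker than reading fifteen bare numbers from a for loop.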