Problem with nat traversal
Christer Hermansson
mail at chdevelopment.se
Wed Jan 25 21:06:44 UTC 2012
I have a problem with NAT traversal. The server is directly connected to
the Internet, the client is behind a gateway that uses NAT.
The problem is that the server tries to respond to the client's internal
private address 192.168.1.10 (and the ISP sends ICMP messages back to
the server, telling it that it blocks 192.168 addresses).
(I don't have access to the real output from tcpdump right now...)
tcpdump on the server shows something like this:
client-ext-ip > srv-ext-ip UDP 500
srv-ext-ip UDP 500 > client-ext-ip
client-ext-ip > srv-ext-ip UDP 500
srv-ext-ip UDP 500 > client-ext-ip
client-ext-ip > srv-ext-ip UDP 4500
srv-ext-ip 4500 > client-INT-ip UDP
icmp from isp-router telling client-INT-ip is filtered
client-ext-ip > srv-ext-ip UDP 4500
srv-ext-ip 4500 > client-INT-ip UDP
icmp from isp-router telling client-INT-ip is filtered
client-ext-ip > srv-ext-ip UDP 4500
srv-ext-ip 4500 > client-INT-ip UDP
icmp from isp-router telling client-INT-ip is filtered
windump on the client with win7 shows something like this:
client-ext-ip > srv-ext-ip UDP 500
srv-ext-ip UDP 500 > client-ext-ip
client-ext-ip > srv-ext-ip UDP 500
srv-ext-ip UDP 500 > client-ext-ip
client-ext-ip > srv-ext-ip UDP 4500
client-ext-ip > srv-ext-ip UDP 4500
client-ext-ip > srv-ext-ip UDP 4500
I get the same problem with
FreeBSD 8.1R i386 + ipsec-tools 0.8.0
FreeBSD 8.2R amd64 + ipsec-tools 0.7.3
FreeBSD 8.2R amd64 + ipsec-tools 0.8.0
I have compiled the kernel with
options IPSEC
options IPSEC_DEBUG
options IPSEC_FILTERTUNNEL
options IPSEC_NAT_T
device crypto
device enc
and I have "nat_traversal on" in racoon.conf.
Why is the server trying to send packets to the client's internal address?
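
An added example, not part of the original post: a Python check for the symptom described above. It flags packets the server sends from UDP 500/4500 to an RFC 1918 address that never appeared as a source towards the server. The capture lines are constructed in a simplified `tcpdump -n` style; 203.0.113.7 (client external), 198.51.100.2 (server) and 192.0.2.1 (ISP router) are placeholder addresses, and the function name is hypothetical.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly: ipaddress.is_private would also match
# documentation ranges such as 203.0.113.0/24, which the sample below uses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IKE_PORTS = {500, 4500}  # IKE and NAT-T (UDP-encapsulated) ports
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def misdirected_replies(lines, server_ip):
    """Return [(line_no, dst)] for server packets sent from UDP 500/4500 to an
    RFC 1918 address that was never seen as a source towards the server."""
    peers, findings = set(), []
    for no, line in enumerate(lines, 1):
        m = LINE.search(line)
        if not m:
            continue  # e.g. ICMP lines, which carry no port numbers
        src, dst = m.group(1), m.group(3)
        sport, dport = int(m.group(2)), int(m.group(4))
        if dst == server_ip and dport in IKE_PORTS:
            peers.add(src)  # address the server actually received from
        elif src == server_ip and sport in IKE_PORTS and dst not in peers:
            if any(ipaddress.ip_address(dst) in net for net in RFC1918):
                findings.append((no, dst))
    return findings


# Constructed sample (not real output), following the pattern in the post.
SAMPLE = """\
21:00:00.000001 IP 203.0.113.7.500 > 198.51.100.2.500: isakmp
21:00:00.000002 IP 198.51.100.2.500 > 203.0.113.7.500: isakmp
21:00:00.000003 IP 203.0.113.7.4500 > 198.51.100.2.4500: UDP
21:00:00.000004 IP 198.51.100.2.4500 > 192.168.1.10.4500: UDP
21:00:00.000005 IP 192.0.2.1 > 198.51.100.2: ICMP host 192.168.1.10 unreachable
21:00:00.000006 IP 203.0.113.7.4500 > 198.51.100.2.4500: UDP
21:00:00.000007 IP 198.51.100.2.4500 > 192.168.1.10.4500: UDP
""".splitlines()

if __name__ == "__main__":
    for no, dst in misdirected_replies(SAMPLE, "198.51.100.2"):
        print(f"line {no}: server sent to private address {dst}")
```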