From: Christer Hermansson
Date: Wed, 25 Jan 2012 22:07:16 +0100
To: freebsd-net@freebsd.org
Subject: Problem with nat traversal
Message-ID: <4F206F04.8080805@chdevelopment.se>
List-Id: Networking and TCP/IP with FreeBSD

I have a problem with NAT traversal. The server is directly connected to the Internet; the client is behind a gateway that uses NAT. The problem is that the server tries to respond to the client's internal private address 192.168.1.10 (and the ISP sends ICMP messages back to the server, telling it that it blocks 192.168 addresses).

(I don't have access to the real output from tcpdump right now...)

tcpdump on the server shows something like this:

    client-ext-ip > srv-ext-ip UDP 500
    srv-ext-ip UDP 500 > client-ext-ip
    client-ext-ip > srv-ext-ip UDP 500
    srv-ext-ip UDP 500 > client-ext-ip
    client-ext-ip > srv-ext-ip UDP 4500
    srv-ext-ip 4500 > client-INT-ip UDP
    icmp from isp-router telling client-INT-ip is filtered
    client-ext-ip > srv-ext-ip UDP 4500
    srv-ext-ip 4500 > client-INT-ip UDP
    icmp from isp-router telling client-INT-ip is filtered
    client-ext-ip > srv-ext-ip UDP 4500
    srv-ext-ip 4500 > client-INT-ip UDP
    icmp from isp-router telling client-INT-ip is filtered

windump on the client with win7 shows something like this:

    client-ext-ip > srv-ext-ip UDP 500
    srv-ext-ip UDP 500 > client-ext-ip
    client-ext-ip > srv-ext-ip UDP 500
    srv-ext-ip UDP 500 > client-ext-ip
    client-ext-ip > srv-ext-ip UDP 4500
    client-ext-ip > srv-ext-ip UDP 4500
    client-ext-ip > srv-ext-ip UDP 4500

I get the same problem with:

    FreeBSD 8.1R i386 + ipsec-tools 0.8.0
    FreeBSD 8.2R amd64 + ipsec-tools 0.7.3
    FreeBSD 8.2R amd64 + ipsec-tools 0.8.0

I have compiled the kernel with

    options IPSEC
    options IPSEC_DEBUG
    options IPSEC_FILTERTUNNEL
    options IPSEC_NAT_T
    device crypto
    device enc

and I have "nat_traversal on" in racoon.conf.

Why is the server trying to send packets to the client's internal address?
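
Added example, not part of the original message: a Python check that scans `tcpdump -n` text for the symptom reported above, NAT-T (UDP 4500) packets that the server sends to an RFC 1918 destination. The addresses and capture lines are constructed, and `find_misaddressed_replies` and `is_rfc1918` are hypothetical helper names.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly: ipaddress.is_private also matches
# documentation ranges such as 203.0.113.0/24, which the sample below uses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Address part of a `tcpdump -n` IPv4 line: "IP a.b.c.d.sport > e.f.g.h.dport:"
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
NAT_T_PORT = 4500


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_misaddressed_replies(lines, server_ip):
    """Return (line_no, private_dst, public_peers_seen) for every NAT-T
    packet the server sent to an RFC 1918 destination."""
    peers = []      # public sources that sent NAT-T traffic to the server
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:   # e.g. ICMP lines, which carry no ports
            continue
        src, sport = m.group(1), int(m.group(2))
        dst, dport = m.group(3), int(m.group(4))
        if dst == server_ip and dport == NAT_T_PORT and not is_rfc1918(src):
            if src not in peers:
                peers.append(src)
        elif src == server_ip and sport == NAT_T_PORT and is_rfc1918(dst):
            findings.append((no, dst, list(peers)))
    return findings


# Constructed capture: 203.0.113.5 stands in for client-ext-ip,
# 198.51.100.7 for srv-ext-ip, 192.0.2.1 for the ISP router.
SAMPLE = """\
22:07:16.10 IP 203.0.113.5.500 > 198.51.100.7.500: isakmp: phase 1 I ident
22:07:16.20 IP 198.51.100.7.500 > 203.0.113.5.500: isakmp: phase 1 R ident
22:07:17.10 IP 203.0.113.5.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
22:07:17.20 IP 198.51.100.7.4500 > 192.168.1.10.4500: UDP-encap: ESP(spi=0x0d3c2b1a,seq=0x1), length 116
22:07:17.30 IP 192.0.2.1 > 198.51.100.7: ICMP host 192.168.1.10 unreachable - admin prohibited filter, length 36
""".splitlines()

if __name__ == "__main__":
    for no, dst, peers in find_misaddressed_replies(SAMPLE, "198.51.100.7"):
        print(f"line {no}: NAT-T reply to private address {dst}; public peers seen: {peers}")
```
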