I'm attempting to use a Nortel Contivity VPN Client on a box behind OpenWRT, still a mostly default setup on WhiteRussian RC4. (And unfortunately, there doesn't seem to be any "NAT Traversal" option available on my client configuration.)
The problem starts when I try to set up "DMZ" forwarding. (See http://forum.openwrt.org/viewtopic.php?id=4030 for more details.) The moment I do this, I start seeing the following errors, as reported by tcpdump:
tcpdump -i vlan1 host (vpn) -N
...
01:13:47.298478 IP (vpn) > (my_wan_ip): ESP(spi=0x...,seq=0x1)
01:13:47.299151 IP (my_wan_ip) > (vpn): icmp 128: (my_wan_ip) protocol 50 port 58887 unreachable
(Sometimes it just says "protocol 50 unreachable" without the port #, sometimes it shows it with the port as above - not sure why...)
Here's the relevant information from my firewall.user:
### IPSEC-DMZ Fix
iptables -t nat -A postrouting_rule -p esp -j ACCEPT
### Allow ping from WAN for testing.
iptables -A input_rule -d $WAN_IP -p icmp --icmp-type echo-request -j ACCEPT
### DMZ (should be placed after port forwarding / accept rules)
iptables -t nat -A prerouting_rule -d $WAN_IP -j DNAT --to $DMZ_IP
iptables -A forwarding_rule -d $DMZ_IP -j ACCEPT
iptables -t nat -A postrouting_rule -s (my subnet) -d $DMZ_IP -j MASQUERADE
Here's the interesting part: Having this in /etc/firewall.user during reboot seems to cause the VPN to fail regardless of whatever I do later. If I use the default firewall.user, reboot, copy it to /tmp, make changes, then run the script, things seem to work fine. I've repeated this several times with identical results. Even having the above changes in /etc/firewall.user and calling it again doesn't work - having the changes there during boot seems to be the issue.
Is there something happening differently between having this run during reboot or configuring it later? Supposedly everything in iptables is being flushed due to the -F's at the top of the file.
(Note that this did NOT work any better under the native Linksys firmware - which is the reason that compelled me to try OpenWrt in the first place. At least here, I have the ability to debug...)
Edit:
Another thing I just found. Looking at the tcpdump logs again, sometimes the logs show everything coming from me as having my external WAN IP address - other times they are appearing as having the computer's LAN IP address. I've not been able to find a reason for this one way or another. I'm really down to only trying two configurations - my modified version (above) and the default from /rom/etc/firewall.user. However, I may see either the WAN or LAN IP address under either firewall.user version. I have NO IDEA why this changes. (2 configuration possibilities seem to be resulting in 6+ types of packet dumps.)
Any suggestions would be greatly appreciated - thanks!!
(Last edited by ziesemer on 16 Jan 2006, 09:55)
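The two symptoms in the post (the router's own WAN address answering ESP with "protocol 50 unreachable", and outbound ESP sometimes carrying the LAN address instead of the WAN address) can both be read straight off the tcpdump output. The script below is an added example, not the poster's code or anything from the thread: it parses tcpdump lines of the shape quoted above and classifies the ESP traffic. The sample dump is constructed for this example, the addresses are documentation-range placeholders standing in for (vpn), (my_wan_ip) and the DMZ box, and the interpretation rests on one general fact: an ICMP "protocol unreachable" is emitted by the host that received the datagram locally and has no handler for that IP protocol, so when its source is the router's WAN address the ESP packet was delivered to the router itself rather than DNATed to the DMZ host.

```python
import re

# Constructed sample tcpdump output modelled on the lines quoted in the post.
# The addresses are placeholders (documentation ranges), not the poster's hosts.
VPN_GW = "203.0.113.5"     # stands in for (vpn), the Contivity gateway
WAN_IP = "198.51.100.7"    # stands in for (my_wan_ip) / $WAN_IP
LAN_IP = "192.168.1.100"   # stands in for the DMZ box / $DMZ_IP

SAMPLE_DUMP = f"""\
01:13:47.298478 IP {VPN_GW} > {WAN_IP}: ESP(spi=0x3a1b2c4d,seq=0x1)
01:13:47.299151 IP {WAN_IP} > {VPN_GW}: icmp 128: {WAN_IP} protocol 50 port 58887 unreachable
01:13:48.301220 IP {VPN_GW} > {WAN_IP}: ESP(spi=0x3a1b2c4d,seq=0x2)
01:13:48.301890 IP {WAN_IP} > {VPN_GW}: icmp 128: {WAN_IP} protocol 50 unreachable
01:13:49.104400 IP {WAN_IP} > {VPN_GW}: ESP(spi=0x5e6f7a8b,seq=0x1)
01:13:49.205100 IP {LAN_IP} > {VPN_GW}: ESP(spi=0x5e6f7a8b,seq=0x2)
"""

ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\)"
)
# tcpdump prints "protocol 50 unreachable" with or without a "port N" field.
UNREACH_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): icmp \d+: "
    r"(?P<origin>\S+) protocol (?P<proto>\d+)(?: port \d+)? unreachable"
)


def parse_dump(text):
    """Turn tcpdump text into a list of event dicts (ESP or ICMP unreachable)."""
    events = []
    for line in text.splitlines():
        m = ESP_RE.match(line)
        if m:
            d = m.groupdict()
            d["kind"] = "esp"
            d["seq"] = int(d["seq"], 16)
            events.append(d)
            continue
        m = UNREACH_RE.match(line)
        if m:
            d = m.groupdict()
            d["kind"] = "unreach"
            d["proto"] = int(d["proto"])
            events.append(d)
    return events


def diagnose(events, wan_ip, lan_ip):
    """Summarise what happened to ESP (IP protocol 50) on the WAN interface."""
    esp_in = [e for e in events if e["kind"] == "esp" and e["dst"] == wan_ip]
    # ICMP type 3 code 2 (protocol unreachable) comes from the host that received
    # the datagram locally and has no handler for that protocol. When its source
    # is the router's own WAN address, the ESP packet terminated on the router,
    # i.e. it was not DNATed/forwarded to the DMZ host.
    rejected = [e for e in events if e["kind"] == "unreach"
                and e["proto"] == 50 and e["src"] == wan_ip]
    esp_out_masq = [e for e in events if e["kind"] == "esp" and e["src"] == wan_ip]
    # Outbound ESP still carrying the LAN source address means SNAT/MASQUERADE
    # was not applied to protocol 50 on the way out.
    esp_out_lan = [e for e in events if e["kind"] == "esp" and e["src"] == lan_ip]

    findings = []
    if rejected:
        findings.append(
            f"router itself answered {len(rejected)} inbound ESP packet(s) with "
            "protocol-unreachable: DNAT to the DMZ host did not apply to protocol 50")
    if esp_out_lan:
        findings.append(
            f"{len(esp_out_lan)} outbound ESP packet(s) left the WAN side with the "
            "LAN source address: SNAT/MASQUERADE missed them")
    return {
        "esp_in": len(esp_in),
        "esp_rejected_by_router": len(rejected),
        "esp_out_masqueraded": len(esp_out_masq),
        "esp_out_lan_source": len(esp_out_lan),
        "findings": findings,
    }


if __name__ == "__main__":
    report = diagnose(parse_dump(SAMPLE_DUMP), WAN_IP, LAN_IP)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it real output from `tcpdump -i vlan1 host <vpn> -N -n` (the `-n` keeps addresses numeric so the regexes match) instead of the constructed sample. A non-zero `esp_rejected_by_router` count taken while the boot-time firewall.user is active, against zero after re-running the script from /tmp, would confirm that the difference the post describes is in whether the prerouting DNAT is seen by protocol 50 packets, rather than in the VPN client itself.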