IPsec not working behind NAT
@luiz has the details, looks like an ESP fragment but it creates odd state with unknown IP address like:
enc0 icmp 184.108.40.206:6748 <- 172.27.10.20:6748 0:0
#2 Updated by Steve Wheeler 2 months ago
Also seeing this after upgrading to 2.4.
Initially unable to ping across the tunnel, but a packet capture showed pings leaving over IPSec and replies coming back. The replies were being blocked in the firewall, not matching the state opened. By adding a rule to pass that reply traffic I am able to ping, but the state created is indeed very weird:
LAN icmp 172.21.16.5:6442 -> 172.27.34.10:6442 0:0 7 / 6 588 B / 504 B
IPsec icmp 172.21.16.5:6442 -> 172.27.34.10:6442 0:0 7 / 0 588 B / 0 B
IPsec icmp 172.27.34.10:6442 -> 220.127.116.11:6442 0:0 6 / 0 504 B / 0 B
Yet the ping replies are correctly routed back to 172.21.16.5.
Also for UDP traffic:
LAN udp 172.21.16.7:5060 -> 172.27.34.10:5060 MULTIPLE:MULTIPLE 904 / 691 593 KiB / 380 KiB
IPsec udp 172.21.16.7:5060 -> 172.27.34.10:5060 SINGLE:NO_TRAFFIC 904 / 0 593 KiB / 0 B
IPsec udp 172.27.34.10:5060 -> 18.104.22.168:5060 NO_TRAFFIC:SINGLE 648 / 0 356 KiB / 0 B
That VoIP works fine though.
For TCP traffic it appears each state only sees one half of the exchange so both block the out-of-state traffic. I had to add floating rules with direction any, flags any, and sloppy states in order to pass it.
Other users on that same IPSec server hitting the same resources are not seeing this problem. My endpoint is behind NAT, so the tunnel uses NAT-T though.
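As an added example (not code from the ticket or from pfSense), a small Python check that parses state-table lines in the form quoted above and flags the two symptoms described in the report: states that count packets out but never match a reply, and a companion state on the same interface whose destination is not the original initiator. The sample lines are constructed from the values quoted in the comments.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample in the shape of the state-table lines quoted in the report:
# iface proto src -> dst state [pkts out / in  bytes out / in]
SAMPLE_STATES = """\
enc0 icmp 184.108.40.206:6748 <- 172.27.10.20:6748 0:0
LAN icmp 172.21.16.5:6442 -> 172.27.34.10:6442 0:0 7 / 6 588 B / 504 B
IPsec icmp 172.21.16.5:6442 -> 172.27.34.10:6442 0:0 7 / 0 588 B / 0 B
IPsec icmp 172.27.34.10:6442 -> 18.104.22.168:6442 0:0 6 / 0 504 B / 0 B
LAN udp 172.21.16.7:5060 -> 172.27.34.10:5060 MULTIPLE:MULTIPLE 904 / 691 593 KiB / 380 KiB
IPsec udp 172.21.16.7:5060 -> 172.27.34.10:5060 SINGLE:NO_TRAFFIC 904 / 0 593 KiB / 0 B
IPsec udp 172.27.34.10:5060 -> 18.104.22.168:5060 NO_TRAFFIC:SINGLE 648 / 0 356 KiB / 0 B
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)\s+(?P<dir>->|<-)\s+(?P<b>\S+)"
    r"\s+(?P<st>\S+)(?:\s+(?P<pout>\d+)\s*/\s*(?P<pin>\d+)\s+.*)?$")

@dataclass
class State:
    iface: str
    proto: str
    src: str                 # initiator ip:port
    dst: str                 # responder ip:port
    pkts_out: Optional[int]  # None when the line carries no counters
    pkts_in: Optional[int]

def parse_states(text):
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue                      # skip headers or truncated lines
        src, dst = m["a"], m["b"]
        if m["dir"] == "<-":              # pfctl lists the responder first for inbound states
            src, dst = dst, src
        pk = [int(m[g]) if m[g] else None for g in ("pout", "pin")]
        states.append(State(m["iface"], m["proto"], src, dst, pk[0], pk[1]))
    return states

def one_sided(states):
    """States that sent traffic but never matched a reply (the 'x / 0' pattern)."""
    return [s for s in states if s.pkts_out and s.pkts_in == 0]

def misdirected_replies(states):
    """(s, r) pairs on one interface where the reply state from s.dst points somewhere other than s.src."""
    return [(s, r) for s in states for r in states
            if r.iface == s.iface and r.proto == s.proto and r.src == s.dst and r.dst != s.src]
```

Run over a real `pfctl -ss` dump, a non-empty result from either check is the signature to look for when reply traffic is being dropped as out-of-state.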