Last week we did a fresh Gentoo install, using stage3-x86-2005.1, portage-20051206 and ipsec-tools-0.6.3, ipv4, iptables-1.3.4, on a machine used as a router/gateway + VPN-client. While using ipsec in tunnel mode with NAT-T (udp 4500), we use iptables POSTROUTING/SNAT for the gateway/router function on the same interface (eth0). Strange behaviour: on linux-2.6.14-gentoo-r2 ipsec UDP/4500 packets are being sent out to a (seemingly) random UDP port, instead of to UDP/4500. As a result a ping originating from this VPN-gateway through the tunnel cannot reach the VPN-server, as the UDP packets are not targeted at port 4500, but at some weird port number (e.g. 63542), disappearing into nowhere. In fact, each time I start a new ping, a different (random?) port number is used... (!). However, a ping from the VPN-gateway through the tunnel works fine! UDP-encapsulated packets travel between UDP/4500 <-> UDP/4500 as expected. When the POSTROUTING rule is removed, the problem disappears, however the NAT-gateway function is lost (obviously). The problem was fixed by installing the vanilla linux-2.4.13-3 kernel, with the same .config (make oldconfig). I have other machines running on linux-2.6.12-10 as well with the same configuration without problems.
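One way to keep the SNAT gateway function while leaving the IPsec traffic (IKE on UDP/500, NAT-T on UDP/4500 and ESP) out of POSTROUTING NAT, as an added example that is not part of the bug report, of ipsec-tools or of the Gentoo kernel: a small sh script that emits the iptables rules in the order they must be appended. The interface name eth0, the LAN range 192.168.1.0/24 and the VPN server address 203.0.113.10 are assumptions. In the nat table an ACCEPT target means "do not NAT this connection", and POSTROUTING is walked top to bottom with the first terminating target winning, so the exemption rules have to precede the MASQUERADE/SNAT rule; the script checks that ordering before printing.

```sh
#!/bin/sh
# Added example (not from the bug report): emit iptables POSTROUTING rules
# that SNAT the LAN but leave IKE, NAT-T and ESP towards the VPN server
# untouched.  Interface, LAN range and VPN server address are assumptions.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # assumed; RFC 5737 documentation address

# Print the rules instead of executing them, so the script can be reviewed
# (or piped to sh) on a host without iptables.  Order matters: ACCEPT in the
# nat table exempts a connection from NAT, so it must come before MASQUERADE.
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $WAN_IF -p udp --dport 500 -d $VPN_SERVER -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -p udp --dport 4500 -d $VPN_SERVER -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -p esp -d $VPN_SERVER -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Sanity check: no exemption (ACCEPT) may appear after the MASQUERADE rule,
# otherwise it is never reached.  Returns 0 when the order is right, 1 otherwise.
check_order() {
    nat_rules | awk '
        /-j MASQUERADE/ { seen_snat = 1; next }
        /-j ACCEPT/ && seen_snat { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

check_order && nat_rules
```

Apply with `sh rules.sh | sh` on the gateway; the equivalent check on a live box is `iptables -t nat -L POSTROUTING -n --line-numbers`, where the three ACCEPT lines must carry lower numbers than the MASQUERADE line.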
not devrel related
Quick change of platform in bugzilla. Sorry about the email.
Is this reproducible on gentoo-sources-2.6.15?
Please reopen when you respond to comment #3
Sidenote: you should actually test the latest development kernel instead of 2.6.15. This is currently 2.6.16-rc1