Last week we did a fresh gentoo install, using stage3-x86-2005.1, portage-20051206 and ipsec-tools-0.6.3, ipv4, iptables-1.3.4, on a machine used as a router/gateway + VPN-client.

While using ipsec in tunnel mode with NAT-T (udp 4500), we use iptables POSTROUTING/SNAT for the gateway/router function on the same interface (eth0).

Strange behaviour: on linux-2.6.14-gentoo-r2 ipsec UDP/4500 packets are being sent out to a (seemingly) random UDP-port, instead of to UDP/4500. As a result a ping originating from this VPN-gateway through the tunnel cannot reach the VPN-server, as the UDP packets are not targeted to port 4500, but some weird port number (eg. 63542), disappearing into nowhere. In fact, each time I start a new ping, a different (random?) port number is used....(!).

However a ping from the VPN-gateway through the tunnel works fine! UDP-encapsulated packets travel between UDP/4500 <-> UDP/4500 as expected.

When the POSTROUTING rule is removed, the problem is disappears, however the NAT-gateway function is lost (obviously).

The problem was fixed by installing vanilla linux-2.4.13-3 kernel, with same .config (make oldconfig). I have other machines running on linux-2.6.12-10 as well with same configuration without problems.