I hope I can articulate my problem in as few words as needed.
I have two networks, each with their own firewalls and an IPsec connection between them.
192.168.100.1 is one firewall (F8). It is also a virtual machine host for the web server: 192.168.100.5 (F10).
192.168.700.1 (F6) is my other firewall. 192.168.700.2 (F6) is an application server behind it.
I have an OpenSwan 2.4.9 IPsec connection between these networks.
I have iptables forwarding rules that redirect any port 80 or 443 traffic directed at 192.168.100.1 towards 192.168.100.5, and source masquerading in the other direction.
Code:
# Assign without the leading "$" (the original "$IPT=..." is a shell error, not an assignment).
IPT=/sbin/iptables
# $IF (external interface) and $INIF (internal interface) are assumed to be set earlier in the script.
$IPT -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF --dport 80 -o $INIF -d 192.168.100.5 -j ACCEPT
# The port option is "--dport" (two dashes); "-dport" is rejected by iptables.
$IPT -t nat -A PREROUTING -p tcp --dport 80 -d 110.150.200.3 -j DNAT --to-destination 192.168.100.5:80
$IPT -A INPUT -s 0/0 -p tcp --dport 443 -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF --dport 443 -o $INIF -d 192.168.100.5 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp --dport 443 -d 110.150.200.3 -j DNAT --to-destination 192.168.100.5:443
$IPT -t nat -A POSTROUTING -d 192.168.100.5 -o $INIF -j SNAT --to-source 192.168.100.1
Sporadically, a warning from my app server will say that 192.168.100.1 is down.
I'll ping 192.168.100.1 from my firewall (192.168.700.1) and all will be well.
If I ping from the app server (192.168.700.2), no response happens.
When I do a:
Code:
traceroute 192.168.100.1
from 192.168.700.2
I get:
Code:
traceroute to 192.168.100.1 (192.168.100.1), 30 hops max, 60 byte packets
1 wall.mysystem.com (192.168.700.1) 0.134 ms 0.061 ms 0.072 ms
2 192.168.100.5 (192.168.100.5) 25.826 ms 26.041 ms 26.025 ms
The funny (strange) thing is if I perform a
Code:
service ipsec restart
This fixes things but only for a while.
Ditto with
Code:
service firestarter restart
Yet if I ignore the warning messages my server spews, the problem - whatever it is - fixes itself.
Any thoughts?
Specific additional info can be provided upon request.
Cheers
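An added diagnostic helper, not part of the original post and not OpenSwan or Firestarter code: it parses traceroute output of the kind shown above to check whether the path actually ended at the host that was asked for, and evaluates the PREROUTING DNAT rules to see which one (if any) would rewrite a given destination and port. The rule text and traceroute text below are constructed from the post (with the iptables option spelled `--dport`); the public address 110.150.200.3 is taken from the post as-is.

```python
"""Diagnostics for the NAT/traceroute situation described in the post.

Added example: two small checks a practitioner can run offline against
captured output. The sample data below is constructed from the post.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the PREROUTING DNAT rules from the post, with "--dport".
NAT_RULES = """
-A PREROUTING -p tcp --dport 80 -d 110.150.200.3 -j DNAT --to-destination 192.168.100.5:80
-A PREROUTING -p tcp --dport 443 -d 110.150.200.3 -j DNAT --to-destination 192.168.100.5:443
"""

# Constructed sample: the traceroute output quoted in the post.
TRACEROUTE_OUTPUT = """traceroute to 192.168.100.1 (192.168.100.1), 30 hops max, 60 byte packets
 1  wall.mysystem.com (192.168.700.1)  0.134 ms  0.061 ms  0.072 ms
 2  192.168.100.5 (192.168.100.5)  25.826 ms  26.041 ms  26.025 ms
"""


@dataclass
class DnatRule:
    proto: Optional[str]   # None means "any protocol"
    dst: Optional[str]     # None means "any destination"
    dport: Optional[int]   # None means "any port"
    to: str                # --to-destination value

    def matches(self, proto: str, dst: str, dport: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.dst is None or self.dst == dst)
                and (self.dport is None or self.dport == dport))


def parse_dnat_rules(text: str) -> List[DnatRule]:
    """Parse iptables-save style lines whose target is DNAT; others are skipped."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if "-j" not in tokens or tokens[tokens.index("-j") + 1] != "DNAT":
            continue
        opts = {}
        for i, tok in enumerate(tokens):
            if tok in ("-p", "-d", "--dport", "--to-destination"):
                opts[tok] = tokens[i + 1]
        dst = opts.get("-d")
        if dst and dst.endswith("/32"):   # iptables-save prints host matches as /32
            dst = dst[:-3]
        rules.append(DnatRule(
            proto=opts.get("-p"),
            dst=dst,
            dport=int(opts["--dport"]) if "--dport" in opts else None,
            to=opts["--to-destination"],
        ))
    return rules


def dnat_target(rules: List[DnatRule], proto: str, dst: str, dport: int) -> Optional[str]:
    """First matching rule wins, mirroring chain traversal order."""
    for r in rules:
        if r.matches(proto, dst, dport):
            return r.to
    return None


HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")
TARGET_RE = re.compile(r"^traceroute to \S+ \(([\d.]+)\)")


def parse_traceroute(text: str) -> Tuple[str, List[Tuple[int, str, str]]]:
    """Return (target_ip, [(hop_number, name, ip), ...])."""
    target = None
    hops = []
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), m.group(3)))
    if target is None:
        raise ValueError("no traceroute header line found")
    return target, hops


def path_ends_at_target(text: str) -> Tuple[bool, str]:
    """(True, ip) if the last responding hop is the requested host, else (False, ip)."""
    target, hops = parse_traceroute(text)
    last_ip = hops[-1][2] if hops else ""
    return last_ip == target, last_ip


if __name__ == "__main__":
    ok, last = path_ends_at_target(TRACEROUTE_OUTPUT)
    print("path reached target" if ok else f"path ended at {last}, not the target")
    rules = parse_dnat_rules(NAT_RULES)
    for dst, port in (("110.150.200.3", 80), ("192.168.100.1", 80)):
        print(dst, port, "->", dnat_target(rules, "tcp", dst, port) or "no DNAT rule")
```

Run against the posted data, the first check reports that the trace ended at 192.168.100.5 rather than 192.168.100.1, and the second shows that the DNAT rules as written only match traffic to 110.150.200.3, so they would not explain a redirect of packets addressed to 192.168.100.1; that narrows the search to rules added by another component (the post mentions Firestarter) or to routing on the IPsec path.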