Problem with openconnect and NAT for HTTP requests
Mark Round
mark at creativitysoftware.net
Thu Jan 12 04:36:05 EST 2012
Hi all,
I'm hoping somebody here may be able to point me in the right direction,
as I've been banging my head against a brick wall for a few days now. I
have OpenConnect running on my Ubuntu 11.10 system, and it works fine
(connect parameters posted below). The problem comes when I want to use
my PC as a gateway for other systems on my local network - effectively
performing NAT between the eth0 and tun0 interfaces. After connecting, I
run the following:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
sysctl -w net.ipv4.ip_forward=1
I then log into another system and route traffic to the remote VPN
through my Ubuntu openconnect system. This appears to work fine for
ICMP, SSH, MySQL and so on - but for some reason, I cannot seem to NAT
HTTP traffic. On the Ubuntu gateway itself, HTTP access works as
expected - no problems. From the "client" system, a simple cURL request
just hangs. A tcpdump of the traffic shows that it does seem to be
reaching the remote server on the VPN (and I see a "hit" in the Apache
logs), but nothing much happens after that.
If anyone has any ideas how I should start to troubleshoot this, I'd
very much appreciate it!
Here's the simple tcpdump output from the client behind the openconnect
"gateway":
09:31:05.385701 IP (tos 0x0, ttl 64, id 26318, offset 0, flags [DF],
proto TCP (6), length 60)
192.168.16.210.40521 > 10.132.112.16.http: Flags [S], cksum 0xce27
(correct), seq 213837445, win 5840, options [mss 1460,sackOK,TS val
80838731 ecr 0,nop,wscale 7], length 0
09:31:05.804517 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto
TCP (6), length 60)
10.132.112.16.http > 192.168.16.210.40521: Flags [S.], cksum 0x7672
(correct), seq 1719559033, ack 213837446, win 5792, options [mss
1380,sackOK,TS val 940529181 ecr 80838731,nop,wscale 7], length 0
09:31:05.804542 IP (tos 0x0, ttl 64, id 26319, offset 0, flags [DF],
proto TCP (6), length 52)
192.168.16.210.40521 > 10.132.112.16.http: Flags [.], cksum 0xb9be
(correct), seq 1, ack 1, win 46, options [nop,nop,TS val 80839149 ecr
940529181], length 0
09:31:05.804639 IP (tos 0x0, ttl 64, id 26320, offset 0, flags [DF],
proto TCP (6), length 221)
192.168.16.210.40521 > 10.132.112.16.http: Flags [P.], cksum 0x4cde
(incorrect -> 0x86a4), seq 1:170, ack 1, win 46, options [nop,nop,TS val
80839150 ecr 940529181], length 169
09:31:06.582903 IP (tos 0x0, ttl 50, id 35919, offset 0, flags [DF],
proto TCP (6), length 52)
10.132.112.16.http > 192.168.16.210.40521: Flags [.], cksum 0xb609
(correct), seq 1, ack 170, win 54, options [nop,nop,TS val 940529952 ecr
80839150], length 0
09:31:06.584539 IP (tos 0x0, ttl 50, id 35923, offset 0, flags [DF],
proto TCP (6), length 1188)
10.132.112.16.http > 192.168.16.210.40521: Flags [FP.], cksum
0x04c7 (correct), seq 4105:5241, ack 170, win 54, options [nop,nop,TS
val 940529953 ecr 80839150], length 1136
09:31:06.584550 IP (tos 0x0, ttl 64, id 26321, offset 0, flags [DF],
proto TCP (6), length 64)
192.168.16.210.40521 > 10.132.112.16.http: Flags [.], cksum 0xc47c
(correct), seq 170, ack 1, win 46, options [nop,nop,TS val 80839929 ecr
940529952,nop,nop,sack 1 {4105:5242}], length 0
09:31:21.589638 IP (tos 0x0, ttl 64, id 4969, offset 0, flags [DF],
proto TCP (6), length 64)
192.168.16.210.58192 > 10.132.112.16.http: Flags [F.], cksum 0x06d7
(correct), seq 2265467025, ack 1690888712, win 46, options [nop,nop,TS
val 80854935 ecr 940387564,nop,nop,sack 1 {4105:5242}], length 0
And here are the parameters I am passing to openconnect:
--no-dtls
--disable-ipv6
--no-cert-check
--passwd-on-stdin
Many thanks in advance,
-Mark
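Editor's added example, not part of Mark's message and not OpenConnect code: a small script that re-reads the tcpdump trace pasted above and tests one hypothesis for the hang, a path-MTU black hole between eth0 and tun0. The trace shows the client offering MSS 1460, the server offering MSS 1380, and then the server's only delivered data segment starting at relative seq 4105, so bytes 1 to 4104 of the HTTP response never reached the client; the script checks whether that gap is an exact number of full-size segments and, if so, works out how large the dropped packets were on the wire and brackets the path MTU between the largest delivered packet and the smallest dropped one. The trace is copied from the post with tcpdump's wrapped lines re-joined; the MTU explanation and the iptables rule at the end are the editor's assumptions to test, not something the post confirms.

```python
"""Editor's added example (not Mark's code, not OpenConnect's): parse the
tcpdump trace from the post and test the path-MTU black-hole hypothesis.
All numbers come from the trace; the hypothesis itself is an assumption."""
import re

# Constructed input: the HTTP connection from the post, one packet per line
# (tcpdump -v wraps each packet over two lines in the mail archive).
TRACE = """\
09:31:05.385701 IP (tos 0x0, ttl 64, id 26318, offset 0, flags [DF], proto TCP (6), length 60) 192.168.16.210.40521 > 10.132.112.16.http: Flags [S], cksum 0xce27 (correct), seq 213837445, win 5840, options [mss 1460,sackOK,TS val 80838731 ecr 0,nop,wscale 7], length 0
09:31:05.804517 IP (tos 0x0, ttl 50, id 0, offset 0, flags [DF], proto TCP (6), length 60) 10.132.112.16.http > 192.168.16.210.40521: Flags [S.], cksum 0x7672 (correct), seq 1719559033, ack 213837446, win 5792, options [mss 1380,sackOK,TS val 940529181 ecr 80838731,nop,wscale 7], length 0
09:31:05.804542 IP (tos 0x0, ttl 64, id 26319, offset 0, flags [DF], proto TCP (6), length 52) 192.168.16.210.40521 > 10.132.112.16.http: Flags [.], cksum 0xb9be (correct), seq 1, ack 1, win 46, options [nop,nop,TS val 80839149 ecr 940529181], length 0
09:31:05.804639 IP (tos 0x0, ttl 64, id 26320, offset 0, flags [DF], proto TCP (6), length 221) 192.168.16.210.40521 > 10.132.112.16.http: Flags [P.], cksum 0x4cde (incorrect -> 0x86a4), seq 1:170, ack 1, win 46, options [nop,nop,TS val 80839150 ecr 940529181], length 169
09:31:06.582903 IP (tos 0x0, ttl 50, id 35919, offset 0, flags [DF], proto TCP (6), length 52) 10.132.112.16.http > 192.168.16.210.40521: Flags [.], cksum 0xb609 (correct), seq 1, ack 170, win 54, options [nop,nop,TS val 940529952 ecr 80839150], length 0
09:31:06.584539 IP (tos 0x0, ttl 50, id 35923, offset 0, flags [DF], proto TCP (6), length 1188) 10.132.112.16.http > 192.168.16.210.40521: Flags [FP.], cksum 0x04c7 (correct), seq 4105:5241, ack 170, win 54, options [nop,nop,TS val 940529953 ecr 80839150], length 1136
09:31:06.584550 IP (tos 0x0, ttl 64, id 26321, offset 0, flags [DF], proto TCP (6), length 64) 192.168.16.210.40521 > 10.132.112.16.http: Flags [.], cksum 0xc47c (correct), seq 170, ack 1, win 46, options [nop,nop,TS val 80839929 ecr 940529952,nop,nop,sack 1 {4105:5242}], length 0
"""

# One tcpdump -v TCP line: IP flags and total length, endpoints, TCP flags,
# seq (optionally a range), optional ack, window, optional options, payload.
PKT = re.compile(
    r"flags \[(?P<ipflags>[^\]]*)\].*?length (?P<iplen>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<tcpflags>[^\]]*)\].*?"
    r"seq (?P<seq>\d+)(?::(?P<seqend>\d+))?, (?:ack (?P<ack>\d+), )?win \d+"
    r"(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<plen>\d+)")


def parse(trace):
    """Turn tcpdump text into a list of per-packet dicts; skip non-TCP lines."""
    pkts = []
    for line in trace.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        d = m.groupdict()
        opts = d["opts"] or ""
        mss = re.search(r"mss (\d+)", opts)
        pkts.append({
            "src": d["src"], "dst": d["dst"],
            "df": "DF" in d["ipflags"],          # DF set: router may not fragment
            "iplen": int(d["iplen"]),             # total IP datagram length
            "flags": d["tcpflags"],
            "seq": int(d["seq"]),
            "payload": int(d["plen"]),
            "mss": int(mss.group(1)) if mss else None,
            "ts": "TS val" in opts,               # timestamp option present
        })
    return pkts


def analyse(trace):
    """Return facts from the trace plus the MTU inference drawn from them."""
    pkts = parse(trace)
    syn = next(p for p in pkts if p["flags"] == "S")
    synack = next(p for p in pkts if p["flags"] == "S.")
    server = syn["dst"]
    # Server-to-client segments that carry data.  After the handshake tcpdump
    # prints relative sequence numbers, so the response body starts at seq 1.
    data = [p for p in pkts if p["src"] == server and p["payload"] > 0]
    first_seen = min(p["seq"] for p in data)
    lost = first_seen - 1                                   # bytes the client never saw
    ts_overhead = 12 if any(p["ts"] for p in data) else 0   # nop,nop,TS per segment
    res = {
        "client_mss": syn["mss"],
        "server_mss": synack["mss"],
        "lost_bytes": lost,
        "max_delivered_ip_len": max(p["iplen"] for p in data),
        "df_set": all(p["df"] for p in data),
        "lost_segments": None, "lost_ip_len": None, "explained_by": None,
    }
    # If the gap is an exact number of full-size segments for one MSS value,
    # the dropped packets were all that size.  Full payload is mss minus the
    # option bytes; wire size adds 20 TCP + options + 20 IP.
    for name, mss in (("client_mss", syn["mss"]), ("server_mss", synack["mss"])):
        full = mss - ts_overhead
        if lost and lost % full == 0:
            res.update(lost_segments=lost // full,
                       lost_ip_len=full + 20 + ts_overhead + 20,
                       explained_by=name)
    if res["lost_ip_len"]:
        # Packets of max_delivered_ip_len got through and packets of
        # lost_ip_len did not, so the forwarding path MTU lies in between.
        res["pmtu_between"] = (res["max_delivered_ip_len"], res["lost_ip_len"])
    return res


# Assumed remedy to try on the gateway (real iptables syntax, editor's
# suggestion): clamp the MSS of SYNs leaving via tun0 to that interface's MTU.
MSS_CLAMP_RULE = ("iptables -t mangle -A FORWARD -o tun0 -p tcp "
                  "--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu")

if __name__ == "__main__":
    for key, value in analyse(TRACE).items():
        print(f"{key}: {value}")
    print("candidate fix:", MSS_CLAMP_RULE)
```

On this trace the missing 4104 bytes divide exactly into three segments of 1380 - 12 = 1368 bytes, so the dropped packets were 1420 bytes on the wire, all with DF set, while the 1188-byte segment arrived; that puts the eth0-to-tun0 path MTU somewhere in [1188, 1420), which is consistent with a CSTP-only tunnel MTU below 1420 and with ping and SSH (small packets) working while an HTTP response does not. A quick way to confirm or refute this on the gateway is `ip link show tun0` for the tunnel MTU, and then the TCPMSS clamp above (or `--set-mss` to a value below tun0's MTU minus 40) so the client never advertises an MSS the tunnel cannot carry. The `(incorrect -> 0x86a4)` checksum on the client's own outgoing PSH segment is the usual checksum-offload artefact of capturing on the sending host and is not part of the problem.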