Hello,
I have a site-to-site IPsec tunnel and would like to provide access to an internal web server via HAProxy.
I have set up a rule now:
Interface: IPSec
DST: 192.168.150.68:443
Redirect to: 127.0.0.1:8080
On 127.0.0.1:8080 I have my HAProxy running.
The NAT Rule automatically created the matching IPSec Firewall rule.
When I look at the traffic with:
tcpdump -i enc0 -n host 192.168.150.68
it seems "stuck":
10:58:44.631140 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50861 > 192.168.150.68.443: Flags [S], seq 2307507940, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.382705 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50860 > 192.168.150.68.443: Flags [S], seq 2952205237, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.382737 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50859 > 192.168.150.68.443: Flags [S], seq 209436792, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.648383 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50861 > 192.168.150.68.443: Flags [S], seq 2307507940, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
I can't see any blocks either:
grep 192.168.150.68 /var/log/filter/latest.log | grep block
If I set up that NAT rule on another interface, it seems to work.
Any hints?
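Added example (not part of the post above): a small Python script that reads the enc0 tcpdump output shown in the post and separates TCP flows whose SYN was answered with a SYN/ACK from flows that only ever show SYNs (including retransmits of the same sequence number). It makes the "stuck" symptom measurable: if every flow to 192.168.150.68:443 appears in the unanswered list, the reply path back through the tunnel is where to look, not the block log. The sample input embeds the four lines from the post plus one constructed SYN and its constructed SYN/ACK reply (client port 50858) so the healthy case is visible too; that extra pair is an assumption, not captured traffic.

```python
import re
from collections import defaultdict

# Four tcpdump lines copied from the post, followed by a CONSTRUCTED SYN and
# CONSTRUCTED SYN/ACK (client port 50858) to show what an answered handshake
# looks like on the same tunnel.
SAMPLE = """\
10:58:44.631140 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50861 > 192.168.150.68.443: Flags [S], seq 2307507940, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.382705 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50860 > 192.168.150.68.443: Flags [S], seq 2952205237, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.382737 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50859 > 192.168.150.68.443: Flags [S], seq 209436792, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:52.648383 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50861 > 192.168.150.68.443: Flags [S], seq 2307507940, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:58:53.100000 (authentic,confidential): SPI 0xc7352ac4: IP 172.25.11.44.50858 > 192.168.150.68.443: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
10:58:53.100500 (authentic,confidential): SPI 0xc7352ac4: IP 192.168.150.68.443 > 172.25.11.44.50858: Flags [S.], seq 2000, ack 1001, win 65535, length 0
"""

# Matches the tcpdump TCP summary line; the IPsec "(authentic,confidential): SPI ..."
# prefix printed on enc0 is skipped by the lazy ".*?".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) .*?IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?"
)


def parse(text):
    """Return one dict per parseable tcpdump line (non-TCP or unparseable lines are skipped)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def handshake_report(text):
    """Classify client->server flows.

    Returns (unanswered, answered) where each is a dict keyed by
    (client_ip, client_port, server_ip, server_port). Values in `unanswered`
    are {"syns": total SYNs seen, "retransmits": SYNs repeating an earlier seq}.
    """
    syns = defaultdict(lambda: {"syns": 0, "retransmits": 0, "seqs": set()})
    synacks = set()
    for r in parse(text):
        flow = (r["src"], int(r["sport"]), r["dst"], int(r["dport"]))
        if r["flags"] == "S":                      # bare SYN from the client
            entry = syns[flow]
            entry["syns"] += 1
            if r["seq"] in entry["seqs"]:
                entry["retransmits"] += 1          # same seq again: retransmitted SYN
            entry["seqs"].add(r["seq"])
        elif r["flags"] == "S.":                   # SYN/ACK travels server -> client
            synacks.add((r["dst"], int(r["dport"]), r["src"], int(r["sport"])))
    unanswered, answered = {}, {}
    for flow, entry in syns.items():
        summary = {"syns": entry["syns"], "retransmits": entry["retransmits"]}
        (answered if flow in synacks else unanswered)[flow] = summary
    return unanswered, answered


def main():
    unanswered, answered = handshake_report(SAMPLE)
    for flow, s in sorted(unanswered.items()):
        print(f"UNANSWERED {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: "
              f"{s['syns']} SYN(s), {s['retransmits']} retransmit(s)")
    for flow in sorted(answered):
        print(f"answered   {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}")


if __name__ == "__main__":
    main()
```

Run it against a saved capture with `python3 script.py < /dev/null` after replacing `SAMPLE` with `sys.stdin.read()`, or pipe `tcpdump -i enc0 -n -l host 192.168.150.68` into it. Any flow listed as UNANSWERED never produced a SYN/ACK on enc0, which is exactly the pattern in the post; a capture on the LAN-side or loopback interface would then show whether the SYN reached 127.0.0.1:8080 at all.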