IPsec tunnel not forwarding incoming packets in openSUSE 12.3


I have set up an IPsec tunnel (native IPsec stack) between two openSUSE gateways. One of them is 12.1, the other 12.3. The setup looks like this:

net1 — gateway12.1 ---- encrypted network — gateway12.3 — net2

Their respective racoon daemons successfully negotiate SAs, and packets are successfully routed, at least partially. ICMP echo request packets from net2 to a host on net1 trigger SA negotiation, are encrypted, sent to gateway12.1, decrypted, and delivered to the host on net1. The responses are also encrypted by gateway12.1, transported to gateway12.3, and decrypted, but there they seem to get lost completely; they are never delivered to the originating host. Similarly, ICMP echo requests from net1 are successfully encapsulated for the tunnel and decrypted on gateway12.3, where they can be seen using tcpdump, but they never leave gateway12.3 and are not delivered to the target host on net2.

  • no messages in logs
  • IP forwarding is active
  • no firewalling
  • target host is reachable (no ARP / routing problem)

Using the same configuration with 12.1 seems to work. What am I missing, what has changed in 12.3?

I forgot to mention:

  • pinging the interface of gateway12.3 connected to net2 works fine, which proves that the tunnel works OK.
  • pinging the target host on net2 from gateway12.3 directly works, which proves that net2 and the hosts attached to it work.

Thus the problem really is that packets received from the tunnel are not forwarded to net2, although forwarding is turned on. How can this be fixed?