Conntrack dst= IP Address in /proc/net/conntrack wrong

Conntrack dst= IP Address in /proc/net/conntrack wrong

[Oliver Jehle]

2 networks connected with IPSEC / both Linux 2.6.9

neta  - gwa - ipsec tunnel - gwb - netb

neta 192.168.1.0
gwa 192.168.1.254

netb 192.168.2.0
gwb 192.168.2.254

when i open an ssh session from neta to netb it works and the conntrack
entry looks correct like this on gwb:

tcp      6 431015 ESTABLISHED src=192.168.2.2 dst=192.168.1.100
sport=33121 dport=22 packets=347 bytes=27765 src=192.168.1.100
dst=192.168.2.2 sport=22 dport=33121 packets=225 bytes=43197 [ASSURED]
use=1

but when i try from netb to neta, then the entry looks like this on gwb:

tcp      6 118 SYN_SENT src=192.168.1.100 dst=192.168.2.2 sport=54803
dport=22 packets=1 bytes=60 [UNREPLIED] src=192.168.2.2 dst=192.168.1.1
sport=22 dport=54803 packets=0 bytes=0 use=1

the dst= ipaddress has the address of the ipsec gateway instead of the
correct host address.

I've no nat rules for the connection.

Is this a known effect ? 

Conntrack dst= IP Address in /proc/net/conntrack wrong

[Oliver Jehle]

I've a strange effect.

if 2 networks connected with IPSEC / Linux 2.6.9

neta  - gwa - ipsec tunnel - gwb - netb

neta 192.168.1.0
gwa 192.168.1.254

netb 192.168.2.0
gwb 192.168.2.254

when i open an ssh session from neta to netb it works and the conntrack
entry looks like this on gwb:

tcp      6 431015 ESTABLISHED src=192.168.2.2 dst=192.168.1.100
sport=33121 dport=22 packets=347 bytes=27765 src=192.168.1.100
dst=192.168.2.2 sport=22 dport=33121 packets=225 bytes=43197 [ASSURED]
use=1


but when i try from netb to neta, then the entry looks like this on gwb:

tcp      6 118 SYN_SENT src=192.168.1.100 dst=192.168.2.2 sport=54803
dport=22 packets=1 bytes=60 [UNREPLIED] src=192.168.2.2 dst=192.168.1.1
sport=22 dport=54803 packets=0 bytes=0 use=1

the dst= ipadress has the adress of the ipsec gateway instead of the
correct address.

I've no nat rules for the connection.

Is this a known effect ?