<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
Rodrigo,<br>
Your tcpdump indicates that traffic is going out through the tunnel. Could your Juniper guys look at the counters for encrypt/decrypt of this VPN tunnel? If their counters are incrementing and they don't see the payload, then it's being dropped at the Juniper and not forwarded to the inside network. At the very least they should see traffic from your VPN concentrator hit their interface (phase 1 and phase 2).<br><br>
<span style="font-family: Tahoma,Helvetica,Sans-Serif; font-style: italic; font-weight: bold;">-<span style="font-family: Times New Roman,Times,Serif;"> Simon Charles - </span></span><br><br><br>
&gt; From: rodrigomf@bl.com.mx<br>
&gt; Date: Thu, 25 Nov 2010 12:48:37 -0600<br>
&gt; To: paul@xelerance.com; wgillespie+openswan@es2eng.com<br>
&gt; CC: users@openswan.org<br>
&gt; Subject: Re: [Openswan Users] Tunnel up, can't ping!! Help is much appreciated!!<br>
&gt; <br>
&gt; Paul, Willie,<br>
&gt; <br>
&gt; Thanks A LOT for your responses.<br>
&gt; <br>
&gt; I still cannot get pings through, but there are more clues...<br>
&gt; <br>
&gt; 1.- I tried adding forceencaps=yes to the conn part of my ipsec.conf with no results.<br>
&gt; <br>
&gt; 2.- When I ping the zzz.zzz.zzz.3 box (private LAN) from my CentOS box (xxx.xxx.xxx.1) I see this type of packages when doing a tcpdump:<br>
&gt; <br>
&gt; -------------<br>
&gt; 12:37:21.458338 IP xxx.xxx.xxx.1 &gt; yyy.yyy.yyy.2: ESP(spi=0xca766790,seq=0x32), length 116<br>
&gt; -------------<br>
&gt; <br>
&gt; I think this means some packets are getting out from my CentOS box to their Juniper router, right?<br>
&gt; <br>
&gt; 3.- When I stop iptables (service iptables stop) I get this when doing "iptables -L":<br>
&gt; <br>
&gt; # iptables -L<br>
&gt; <br>
&gt; Chain INPUT (policy ACCEPT)<br>
&gt; target prot opt source destination<br>
&gt; <br>
&gt; Chain FORWARD (policy ACCEPT)<br>
&gt; target prot opt source destination<br>
&gt; <br>
&gt; Chain OUTPUT (policy ACCEPT)<br>
&gt; target prot opt source destination<br>
&gt; <br>
&gt; I think it means there's no block from my part, right?<br>
&gt; <br>
&gt; Any further help is GREATLY appreciated.<br>
&gt; <br>
&gt; Thank you again!<br>
&gt; Rodrigo<br>
&gt; <br>
&gt; El 23/11/2010, a las 14:51, Paul Wouters escribió:<br>
&gt; <br>
&gt; &gt; On Tue, 23 Nov 2010, "Ing. Rodrigo Méndez" wrote:<br>
&gt; &gt; <br>
&gt; &gt;&gt; This is the result from ipsec verify:<br>
&gt; &gt; <br>
&gt; &gt; Looks good.<br>
&gt; &gt; <br>
&gt; &gt;&gt; The people from the Juniper VPN concentrator say they don't see any traffic coming from our IPs, so it would seem there's no traffic coming out from Box 1<br>
&gt; &gt;&gt; (CentOS box). The strange thing is it doesn't work even if iptables is disabled (so no blocking is apparently occurring, or at least it isn't the main<br>
&gt; &gt;&gt; problem).<br>
&gt; &gt;&gt; My best guess now is that I'm having a routing problem.<br>
&gt; &gt; <br>
&gt; &gt; I don't think so...<br>
&gt; &gt; <br>
&gt; &gt;&gt; Any ideas on how to tell Linux to route the packages going to zzz.zzz.zzz.3 through the tunnel?? (I'm using netkey, not KLIPS)<br>
&gt; &gt; <br>
&gt; &gt; manual routing should not be used. netlink will snatch the packets.<br>
&gt; &gt; <br>
&gt; &gt;&gt; I can't find any route to yyy.yyy.yyy.2 or zzz.zzz.zzz.3 (the box in the private LAN) anywhere in the routing table. I'm not sure if this is OK.<br>
&gt; &gt; <br>
&gt; &gt; that's fine.<br>
&gt; &gt; <br>
&gt; &gt; It seems you have one interface online. Are you behind a port forward? Is your upstream<br>
&gt; &gt; router filtering packets?<br>
&gt; &gt; <br>
&gt; &gt; Try adding forceencaps=yes ?<br>
&gt; &gt; <br>
&gt; &gt; <br>
&gt; &gt; Paul<br>
&gt; &gt; <br>
&gt; <br>
&gt; _______________________________________________<br>
&gt; Users@openswan.org<br>
&gt; http://lists.openswan.org/mailman/listinfo/users<br>
&gt; Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy<br>
&gt; Building and Integrating Virtual Private Networks with Openswan:<br>
&gt; http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br>
</body>
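<p>The diagnosis above turns on one question: does ESP only leave the CentOS box, or does any ESP come back from the peer? The script below is an added example, not code from the thread or from Openswan. It parses tcpdump lines in the format Rodrigo pasted (plain ESP, and the UDP-encapsulated form tcpdump prints when forceencaps/NAT-T is in use) and counts packets per SPI and per direction relative to the local address, so a one-way tunnel stands out immediately. The sample capture is constructed: the first line is the one from the thread, the rest are made up to illustrate both the one-way and the two-way case (the 192.0.2.x / 198.51.100.x addresses are documentation ranges, not real hosts).</p>

```python
"""Classify tcpdump ESP lines by direction to spot a one-way IPsec tunnel.

Added example (not from the Openswan thread).  Input is tcpdump text such as:
  12:37:21.458338 IP xxx.xxx.xxx.1 > yyy.yyy.yyy.2: ESP(spi=0xca766790,seq=0x32), length 116
  12:40:01.000001 IP 192.0.2.1.4500 > 198.51.100.2.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x1), length 132
Outbound-only ESP means the local host encrypts and sends but nothing returns:
the peer is not replying (or its replies never reach us), which is what to take
to the remote side together with their encrypt/decrypt counters.
"""
import re
from collections import Counter

# Matches both raw ESP and NAT-T ("UDP-encap: ESP(...)") lines from tcpdump.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?:UDP-encap: )?ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\), "
    r"length (?P<len>\d+)"
)


def _split_host_port(token):
    """tcpdump prints 'a.b.c.d.port' for UDP; split the port off only in that form."""
    parts = token.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_esp_line(line):
    """Return a dict for an ESP line, or None for any other tcpdump line (ARP, DNS, ...)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = _split_host_port(m["src"])
    dst, dport = _split_host_port(m["dst"])
    return {
        "ts": m["ts"],
        "src": src, "sport": sport,
        "dst": dst, "dport": dport,
        "nat_t": "UDP-encap" in line,        # ESP carried inside UDP/4500
        "spi": int(m["spi"], 16),
        "seq": int(m["seq"], 16),
        "length": int(m["len"]),
    }


def tunnel_report(lines, local_ip):
    """Count ESP packets per SPI in each direction and summarise what that implies."""
    outbound, inbound = Counter(), Counter()
    for line in lines:
        pkt = parse_esp_line(line)
        if pkt is None:
            continue
        if pkt["src"] == local_ip:
            outbound[pkt["spi"]] += 1
        elif pkt["dst"] == local_ip:
            inbound[pkt["spi"]] += 1
    total_out, total_in = sum(outbound.values()), sum(inbound.values())
    if total_out and not total_in:
        verdict = "one-way: local host sends ESP but no ESP comes back from the peer"
    elif total_in and not total_out:
        verdict = "one-way: peer sends ESP but the local host never encrypts anything"
    elif not total_out and not total_in:
        verdict = "no ESP seen: traffic is not entering the tunnel at all"
    else:
        verdict = "two-way ESP: the tunnel carries both directions, look at inner routing/policy"
    return {"outbound": dict(outbound), "inbound": dict(inbound), "verdict": verdict}


# Constructed sample: first line is from the thread, the rest are made up.
ONE_WAY_SAMPLE = """\
12:37:21.458338 IP xxx.xxx.xxx.1 > yyy.yyy.yyy.2: ESP(spi=0xca766790,seq=0x32), length 116
12:37:22.460101 IP xxx.xxx.xxx.1 > yyy.yyy.yyy.2: ESP(spi=0xca766790,seq=0x33), length 116
12:37:23.461877 IP xxx.xxx.xxx.1 > yyy.yyy.yyy.2: ESP(spi=0xca766790,seq=0x34), length 116
12:37:23.500000 ARP, Request who-has yyy.yyy.yyy.1 tell xxx.xxx.xxx.1, length 28
"""

# Constructed NAT-T sample (forceencaps / UDP 4500) with replies present.
TWO_WAY_SAMPLE = """\
12:40:01.000001 IP 192.0.2.1.4500 > 198.51.100.2.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x1), length 132
12:40:01.020000 IP 198.51.100.2.4500 > 192.0.2.1.4500: UDP-encap: ESP(spi=0x99887766,seq=0x1), length 132
"""

if __name__ == "__main__":
    for label, text, local in (("thread capture", ONE_WAY_SAMPLE, "xxx.xxx.xxx.1"),
                               ("nat-t capture", TWO_WAY_SAMPLE, "192.0.2.1")):
        print(label, tunnel_report(text.splitlines(), local))
```

<p>Run it against <code>tcpdump -n -i eth0 esp or udp port 4500</code> output with the local public address as <code>local_ip</code>. Seeing only outbound SPIs confirms the Linux side is encrypting, so the next place to look is the peer's decrypt counters and whatever sits between the two endpoints, not iptables on the CentOS box.</p>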
</html>