<font face="arial,helvetica,sans-serif">Hi Guys,<br clear="all"></font><div><br></div><div>Anyone with any help. My issues are still not solved. </div><div>Currently, I am trying to set the GRE+IPsec tunnel but again with no success.</div>
<div>The GRE tunnel is ok. It's checked and the route works when IPsec is off and the GRE tunnel is active.</div><div>But again routing fails when both GRE and IPsec are active.</div><div><br></div><div>Willie, I have nothing in the INPUT / FORWARD chain of iptables on the server. Any suggestion what I might need to add?</div>
<div><br></div><div>Help me guys, I am clutching at straws here. Should I abandon this project, "Linux IPsec VPN with Cisco Router"?</div><div><br></div><div>cheers // Imtiaz Rahi<br>
<br><br><div class="gmail_quote">On Mon, Aug 1, 2011 at 8:42 PM, Willie Gillespie <span dir="ltr"><<a href="mailto:wgillespie%2Bopenswan@es2eng.com">wgillespie+openswan@es2eng.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Dunno about your second question, I've never messed with ip xfrm.<br>
<br>
There are kind of two parts to most firewalls. One, what they accept directly (in iptables terms that's the INPUT chain), and two, what they send along to other machines (the FORWARD chain).<br>
<br>
Obviously since the tunnel is up they have the INPUT portion defined correctly. It may just not be set to allow packets to properly be forwarded.<br><font color="#888888">
<br>
Willie</font><div><div></div><div class="h5"><br>
<br>
On 07/30/2011 03:01 AM, Imtiaz Rahi wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I don't think it's the other side's firewall. If they have a firewall<br>
blocking our side, should we be able to establish the VPN?<br>
Also, as part of VPN setup the router on the other side adds specific<br>
routes for us. Will still check with the other side to ensure that no<br>
firewall is blocking me.<br>
<br>
any other thoughts or ideas ?<br>
Also, I need to understand "ip xfrm" but the only thing I got is the "ip"<br>
manual. Any other documentation to get a better understanding to debug<br>
the issues here? Please refer me to good doc.<br>
<br>
thanks // Imtiaz Rahi<br>
<br>
<br>
On Thu, Jul 28, 2011 at 2:28 AM, Willie Gillespie<br>
<<a href="mailto:wgillespie%2Bopenswan@es2eng.com" target="_blank">wgillespie+openswan@es2eng.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
If they can ping you and you can't ping them, chances are that it's the<br>
firewall on their side. Obviously you would not be blocking yourself.<br>
<br>
On 7/27/2011 4:01 AM, Imtiaz Rahi wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Thanks, for answering Willie.<br>
Tunnel is definitely up and the other side (router) can ping us but we<br>
can't.<br>
My iptables is empty, only 1 nat rule (MASQ) for private IP.<br>
<br>
Just today learned that IPsec (netkey) adds things in "ip xfrm". But I<br>
have no knowledge about the XFRM framework.<br>
Here are the XFRM outputs:<br>
<br>
sudo ip xfrm state<br>
src 203.112.xxx.xx dst 210.4.xx.xxx<br>
proto esp spi 0x6e7ff7ae reqid 16385 mode tunnel<br>
replay-window 32<br>
auth hmac(md5) 0x6ec07b7259a38c05ae759cb5d1de996a<br>
enc cbc(des3_ede)<br>
0x3fe779cd9ddb27eabe7d84a12f9f2af8918cc6e94f27fcac<br>
sel src <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
src 210.4.xx.xxx dst 203.112.xxx.xx<br>
proto esp spi 0x1c50e944 reqid 16385 mode tunnel<br>
replay-window 32<br>
auth hmac(md5) 0x866f8931c93ad884eba2bea0471b5222<br>
enc cbc(des3_ede)<br>
0x8e2ecaece87a81612e2a7efb7e64949f739d35810165b827<br>
sel src <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
<br>
sudo ip xfrm policy<br>
src <a href="http://172.19.253.0/29" target="_blank">172.19.253.0/29</a> dst <a href="http://10.1.4.0/24" target="_blank">10.1.4.0/24</a><br>
dir out priority 2184<br>
tmpl src 210.4.xx.xxx dst 203.112.xxx.xx<br>
proto esp reqid 16385 mode tunnel<br>
src <a href="http://10.1.4.0/24" target="_blank">10.1.4.0/24</a> dst <a href="http://172.19.253.0/29" target="_blank">172.19.253.0/29</a><br>
dir fwd priority 2184<br>
tmpl src 203.112.xxx.xx dst 210.4.xx.xxx<br>
proto esp reqid 16385 mode tunnel<br>
src <a href="http://10.1.4.0/24" target="_blank">10.1.4.0/24</a> dst <a href="http://172.19.253.0/29" target="_blank">172.19.253.0/29</a><br>
dir in priority 2184<br>
tmpl src 203.112.xxx.xx dst 210.4.xx.xxx<br>
proto esp reqid 16385 mode tunnel<br>
src <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
dir 4 priority 0<br>
.......................... (lots)<br>
<br>
cheers // Imtiaz Rahi<br>
<br>
<br>
On Wed, Jul 27, 2011 at 3:19 PM, Willie Gillespie<br>
<<a href="mailto:wgillespie%2Bopenswan@es2eng.com" target="_blank">wgillespie+openswan@es2eng.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
If the tunnel is up, it could be a firewall issue.<br>
Can you test with iptables off? And try pinging from both sides?<br>
<br>
On 7/27/2011 2:50 AM, Imtiaz Rahi wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Anyone please respond and help me.<br>
<br>
cheers // Imtiaz Rahi<br>
<br>
<br>
On Mon, Jul 25, 2011 at 7:19 PM, Imtiaz Rahi<<a href="mailto:imtiaz.rahi@gmail.com" target="_blank">imtiaz.rahi@gmail.com</a>><br>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Hi People,<br>
<br>
I am a first-timer with IPsec VPN and Openswan.<br>
I am setting up an IPsec VPN from a Linux box to a Cisco router.<br>
Linux: Ubuntu 10.04 LTS Openswan U2.6.23/K2.6.32-30-server (netkey)<br>
Cisco: Cisco 2821<br>
<br>
Here is the IPsec network diagram<br>
<a href="http://172.19.253.0/29" target="_blank">172.19.253.0/29</a> === 210.4.xx.xxx --- 210.4.xx.xxx ... 203.112.xxx.xx<br>
--- 203.112.xxx.xx === <a href="http://10.1.4.0/24" target="_blank">10.1.4.0/24</a>;<br>
Linux VPN box<br>
Cisco router<br>
<br>
<br>
"ipsec status" says my tunnel is up and some eroutes exist. But I cannot<br>
reach the destination network.<br>
I am trying to ping 10.1.4.8 like below, unsuccessfully:<br>
<br>
ping 10.1.4.8 -I 172.19.253.1<br>
PING 10.1.4.8 (10.1.4.8) from 172.19.253.1 : 56(84) bytes of data.<br>
<br>
^C<br>
--- 10.1.4.8 ping statistics ---<br>
14 packets transmitted, 0 received, 100% packet loss, time 13007ms<br>
<br>
Please help me here.<br>
<br>
Cheers // Imtiaz Rahi<br>
<br>
<br>
P.S. Here is the ipsec.conf for reference<br>
<br>
==================================================<br>
version 2.0<br>
<br>
config setup<br>
nat_traversal=yes<br>
<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br>
oe=off<br>
protostack=netkey<br>
interfaces=%defaultroute<br>
<br>
conn teletalk-vpn<br>
type=tunnel<br>
authby=secret<br>
left=210.4.xx.xxx<br>
leftnexthop=210.4.xx.xxx<br>
leftsubnet=<a href="http://172.19.253.1/29" target="_blank">172.19.253.1/29</a><br>
leftupdown=/usr/lib/ipsec/_updown<br>
right=203.112.xxx.xx # Cisco 2821<br>
rightnexthop=203.112.xxx.xx<br>
rightsubnet=<a href="http://10.1.4.0/24" target="_blank">10.1.4.0/24</a><br>
keyexchange=ike<br>
keylife=1h<br>
ike=3des-md5-modp1024<br>
phase2alg=3des-md5<br>
pfs=no<br>
auto=start<br>
</blockquote></blockquote></blockquote></blockquote>
<br>
</blockquote></blockquote>
</div></div></blockquote></div><br></div>
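<div>Editor's note with an added example. The Python below is not from Imtiaz, Willie or the Openswan project; it is a small diagnostic for the situation in this thread, where "ipsec status" shows the tunnel up but a ping from 172.19.253.1 to 10.1.4.8 gets no reply. It parses text in the shape of the <code>ip xfrm policy</code> and <code>ip xfrm state</code> output posted above, checks that the failing packet is covered by an <code>out</code> policy and that its replies are covered by an <code>in</code> policy (for a ping sourced on the gateway with <code>-I</code>) or a <code>fwd</code> policy (for a host behind the gateway), confirms that each covering policy has a tunnel-mode SA with the same template addresses and reqid, and returns the iptables rules a netkey gateway with an empty INPUT/FORWARD and a MASQUERADE rule usually needs. The sample output is constructed: 198.51.100.10 and 203.0.113.20 (RFC 5737 documentation addresses) stand in for the masked 210.4.xx.xxx and 203.112.xxx.xx, the SPIs are copied from the thread, and the key lines are omitted. Function names, finding strings and the rule list are mine; the <code>-m policy</code> match assumes the xt_policy module is available, which stock Ubuntu kernels ship. Two observations on the posted config that the example relies on: <code>leftsubnet=172.19.253.1/29</code> has a host bit set, and the kernel policies show it normalised to 172.19.253.0/29, which is what the sample uses; and 3DES with HMAC-MD5, MODP-1024 and a pre-shared key are weak by current standards, so once traffic flows the proposal should move to AES, SHA-2 and a larger DH group. The checks below do not depend on the cipher suite.</div>

```python
"""Diagnostic for a netkey (XFRM) IPsec tunnel that is up but passes no traffic.

Added example for this thread; not code from Openswan or from anyone in it.
Feed it the text of `ip xfrm policy` and `ip xfrm state`. Nothing is executed.
"""
import ipaddress
import re

# Constructed sample in the shape of the thread's output. 198.51.100.10 stands in
# for the masked Linux side, 203.0.113.20 for the masked Cisco side.
SAMPLE_POLICY = """\
src 172.19.253.0/29 dst 10.1.4.0/24
    dir out priority 2184
    tmpl src 198.51.100.10 dst 203.0.113.20
        proto esp reqid 16385 mode tunnel
src 10.1.4.0/24 dst 172.19.253.0/29
    dir fwd priority 2184
    tmpl src 203.0.113.20 dst 198.51.100.10
        proto esp reqid 16385 mode tunnel
src 10.1.4.0/24 dst 172.19.253.0/29
    dir in priority 2184
    tmpl src 203.0.113.20 dst 198.51.100.10
        proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0
"""

SAMPLE_STATE = """\
src 198.51.100.10 dst 203.0.113.20
    proto esp spi 0x6e7ff7ae reqid 16385 mode tunnel
    replay-window 32
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 203.0.113.20 dst 198.51.100.10
    proto esp spi 0x1c50e944 reqid 16385 mode tunnel
    replay-window 32
    sel src 0.0.0.0/0 dst 0.0.0.0/0
"""

_SEL = re.compile(r"^src (\S+) dst (\S+)$")      # policy selector or SA endpoints
_DIR = re.compile(r"^dir (\S+) priority")
_TMPL = re.compile(r"^tmpl src (\S+) dst (\S+)")
_SA = re.compile(r"^proto esp spi \S+ reqid (\d+) mode (\S+)")
_REQID = re.compile(r"reqid (\d+)")


def parse_policies(text):
    """`ip xfrm policy` text -> list of {src, dst, dir, tmpl, reqid}."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SEL.match(line)
        if m:
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "dir": None, "tmpl": None, "reqid": None}
            policies.append(cur)
        elif cur is not None:
            if _DIR.match(line):
                cur["dir"] = _DIR.match(line).group(1)
            if _TMPL.match(line):
                cur["tmpl"] = _TMPL.match(line).groups()
            if _REQID.search(line):
                cur["reqid"] = int(_REQID.search(line).group(1))
    return policies


def parse_states(text):
    """`ip xfrm state` text -> set of (src, dst, reqid) for tunnel-mode ESP SAs."""
    states, endpoints = set(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SEL.match(line)
        if m:
            endpoints = m.groups()
        elif endpoints and _SA.match(line):
            reqid, mode = _SA.match(line).groups()
            if mode == "tunnel":
                states.add((endpoints[0], endpoints[1], int(reqid)))
            endpoints = None
    return states


def diagnose(policy_text, state_text, src_ip, dst_ip, local_source):
    """Findings for a packet src_ip -> dst_ip; an empty list means XFRM looks complete.

    local_source=True: the packet is generated on the gateway itself (ping -I), so
    replies are delivered locally and must match an 'in' policy. False: the packet
    is forwarded for a LAN host and replies must match a 'fwd' policy.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    policies, states = parse_policies(policy_text), parse_states(state_text)
    reply_dir = "in" if local_source else "fwd"
    out = [p for p in policies if p["dir"] == "out" and src in p["src"] and dst in p["dst"]]
    back = [p for p in policies if p["dir"] == reply_dir and dst in p["src"] and src in p["dst"]]
    findings = []
    if not out:
        findings.append(f"no 'out' policy covers {src_ip} -> {dst_ip}; the kernel will not encrypt it")
    if not back:
        findings.append(f"no '{reply_dir}' policy covers replies {dst_ip} -> {src_ip}; they are dropped after decryption")
    for p in out + back:
        if p["tmpl"] is None or (p["tmpl"][0], p["tmpl"][1], p["reqid"]) not in states:
            findings.append(f"{p['dir']} policy {p['src']} -> {p['dst']} has no tunnel-mode SA for tmpl {p['tmpl']} reqid {p['reqid']}")
    return findings


def firewall_rules(left_subnet, right_subnet, peer_ip):
    """iptables commands a netkey gateway usually needs, returned as strings for review.

    INPUT: IKE (UDP 500, UDP 4500 for NAT-T) and ESP from the peer. FORWARD: the inside
    subnets both ways, accepting the return direction only if it arrived inside IPsec.
    nat: an exception inserted ahead of any MASQUERADE rule, otherwise the inner source
    is rewritten to the public address before ESP encapsulation.
    """
    return [
        f"iptables -A INPUT -p udp --dport 500 -s {peer_ip} -j ACCEPT",
        f"iptables -A INPUT -p udp --dport 4500 -s {peer_ip} -j ACCEPT",
        f"iptables -A INPUT -p esp -s {peer_ip} -j ACCEPT",
        f"iptables -A FORWARD -s {left_subnet} -d {right_subnet} -j ACCEPT",
        f"iptables -A FORWARD -s {right_subnet} -d {left_subnet} -m policy --dir in --pol ipsec -j ACCEPT",
        f"iptables -t nat -I POSTROUTING 1 -s {left_subnet} -d {right_subnet} -j ACCEPT",
    ]


if __name__ == "__main__":
    for f in diagnose(SAMPLE_POLICY, SAMPLE_STATE, "172.19.253.1", "10.1.4.8", True) or ["XFRM side looks complete"]:
        print(f)
    print("\n".join(firewall_rules("172.19.253.0/29", "10.1.4.0/24", "203.0.113.20")))
```

<div>On the thread's own output the XFRM side comes back clean: the ping from 172.19.253.1 is covered by the <code>out</code> policy, its replies by the <code>in</code> policy, and both templates have an SA. That leaves the packet filter and NAT, which is where Willie's INPUT/FORWARD question points. With netkey, the single MASQUERADE rule mentioned above is the usual culprit: if it also matches traffic from 172.19.253.0/29 to 10.1.4.0/24, the inner source is rewritten to the public address before ESP encapsulation, the Cisco crypto ACL no longer matches, and the replies never come back. The nat exception in the rule list has to sit before the MASQUERADE rule, and the FORWARD rule for the return direction is restricted to packets that arrived inside IPsec so that cleartext from the Internet claiming a 10.1.4.0/24 source is not forwarded onto the LAN.</div>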