[Openswan Users] IPSec SA established, but can't ping
nightofdarkness at hotmail.com
Thu Dec 9 16:17:48 CET 2004
I'm currently having a problem, and I'm hoping someone on this list can
provide a solution.
The situation is this: I want to set up a VPN between a Windows XP
(original) box and my Suse 9.1 box (kernel 2.6.5), running openswan 2.2.0.
The trick is, my Suse box is sitting behind a broadband router, so there is
So it looks like this:
Suse box ---- NAT/router ---- Internet ---- Windows box
IPs are as follows:
Suse box: 192.168.2.28
NAT private side: 192.168.2.1
NAT public side: 220.127.116.11 (assigned by DHCP, in practice remains
Windows Box: 18.104.22.168 (assigned by DHCP, in practice remains static)
After much research through Google, this mailing list and others, I managed
to get the IPSec SA established (previous to this, I had problems doing
this, getting error messages such as no connection found etc).
At one point, I was able to ping the Suse box from the windows box
successfully, however, I changed a setting and upon changing it back the ping
ceased to work. From the windows box, when I ping 192.168.2.28, I get:
Negotiating IP Security
Request timed out
Request timed out
Request timed out
If I use the -t option with ping, I just get Request timed out repeated
continuously. I will at this point mention that the windows box has a norton
personal firewall installed on it, and the first time I tried pinging, it
complained of an invalid ICMP type, however upon disabling the firewall, it
is still not working.
I also want to mention that on the windows box, I set IPSec up using IP
Security Policies snap-in on MMC. To begin with, I had it set on the default
settings, which tunnel every protocol. As this caused problems with SSH (it's
unproductive to have to run between 2 pcs to check the log files, so I
prefer to use SSH), I set it up to only tunnel ICMP messages. The ping
time-out problem is evident in both setups.
I had thought that maybe my router was causing problems. I had already set
it to forward UDP ports 500 and 4500, as well as TCP port 22, so I decided
to put my Suse box into the DMZ, thereby causing all traffic to be forwarded
to it. It's worth noting that my router has no options or documentation with
reference to IPSec, and it seems that the only traffic directed at the
public IP of my router that I can identify which does not get forwarded to
the Suse box in the DMZ are http requests on Port 88 (admin interface for
the router) and ping requests. However, this still did not cure the problem.
Running tcpdump on the suse box shows me activity on udp port 500 (as far as
I can tell it's the IKE stuff and setting up of the IPSec SA). However,
there appears to be no activity on IP protocol 50, or udp port 4500.
If needs be, I'll email my ipsec.conf file, the contents of
/var/logs/secure, output of ipsec barf, screenshots of the windows or
anything else. I'm on the verge of pulling my hair out on this.
To make matters worse, I can't install the IPSec update for Windows, as the
Windows box isn't even running SP1, and its owner does not want to update as
they fear it may cause them problems. Additionally, they cannot find their
Windows CD, and so I cannot install the Windows Support Tools. I've
attempted to download them from the MS website, however they appear to be
SP2 specific when it comes to the IPSec stuff, as I just get an error saying
"Ordinal 79 could not be found in IPSEC.DLL" when I try to run ipseccmd.exe,
and unfortunately netdiag /test:ipsec /v or /debug provides the same output
as the plain netdiag command, providing very limited IPSec information.
I really hope someone can help me out with a suggestion here.
Thanks in advance,
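The symptom in the post (IKE traffic on UDP 500 visible in tcpdump, nothing on IP protocol 50 or UDP 4500, ping timing out) is a control-plane-up, data-plane-missing pattern. The following Python script is an added example, not part of the original post or of Openswan: it classifies `tcpdump -n` text lines by port and protocol into IKE (UDP 500), NAT-T (UDP 4500), raw ESP (protocol 50), cleartext ICMP and other, then reports which of those cases the capture matches. The sample lines are constructed, modeled on tcpdump's output format and using the addresses quoted in the post; the diagnosis codes and the `behind_nat` parameter are this example's own conventions.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output, modeled on tcpdump's formatting.
# It reproduces the situation in the post: four IKE packets on UDP 500 and
# nothing else, i.e. phase 1 and phase 2 negotiate but no ESP ever flows.
SAMPLE_CAPTURE = """\
16:17:48.100000 IP 18.104.22.168.500 > 192.168.2.28.500: isakmp: phase 1 I ident
16:17:48.200000 IP 192.168.2.28.500 > 18.104.22.168.500: isakmp: phase 1 R ident
16:17:49.000000 IP 18.104.22.168.500 > 192.168.2.28.500: isakmp: phase 2/others I oakley-quick
16:17:49.100000 IP 192.168.2.28.500 > 18.104.22.168.500: isakmp: phase 2/others R oakley-quick
"""

# "<timestamp> IP <src[.port]> > <dst[.port]>: <protocol details>"
LINE_RE = re.compile(r'^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$')


def split_endpoint(endpoint):
    """Split 'a.b.c.d.port' into ('a.b.c.d', port); bare addresses get port None."""
    parts = endpoint.split('.')
    if len(parts) == 5:
        return '.'.join(parts[:4]), int(parts[4])
    return endpoint, None


def classify(line):
    """Map one tcpdump line to 'ike', 'nat-t', 'esp', 'icmp', 'other' or None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a packet line (e.g. tcpdump banner text)
    _, sport = split_endpoint(m['src'])
    _, dport = split_endpoint(m['dst'])
    rest = m['rest']
    # Port checks come first: a NAT-T line also carries ESP text after the
    # UDP header, and must count as NAT-T, not as raw protocol-50 ESP.
    if 4500 in (sport, dport):
        return 'nat-t'
    if 500 in (sport, dport):
        return 'ike'
    if rest.startswith('ESP('):
        return 'esp'
    if rest.startswith('ICMP'):
        return 'icmp'
    return 'other'


def summarize(capture_text):
    """Count packets per category over a block of tcpdump text."""
    counts = Counter()
    for line in capture_text.splitlines():
        kind = classify(line)
        if kind is not None:
            counts[kind] += 1
    return counts


def diagnose(counts, behind_nat=True):
    """Return a short code describing which tunnel phase the capture shows.

    behind_nat=True means a NAT sits between the peers (the post's topology):
    raw ESP is then expected to be replaced by UDP-encapsulated ESP on 4500.
    """
    if counts['ike'] == 0:
        return 'no-ike'               # negotiation never reached this host
    if counts['esp'] == 0 and counts['nat-t'] == 0:
        return 'no-data-plane'        # SA negotiated, but no encrypted traffic
    if behind_nat and counts['nat-t'] == 0:
        return 'esp-without-nat-t'    # raw ESP across a NAT, likely dropped
    return 'data-plane-present'


if __name__ == '__main__':
    counts = summarize(SAMPLE_CAPTURE)
    print(dict(counts))
    print(diagnose(counts, behind_nat=True))
```

Feed it a real capture with `tcpdump -n -i eth0 'udp port 500 or udp port 4500 or proto 50 or icmp' > capture.txt` and pass the file contents to `summarize`; a `no-data-plane` result confirms that the negotiation completes but nothing is being sent through the SA, while `esp-without-nat-t` points at raw ESP being attempted across the NAT instead of UDP-encapsulated ESP.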