[Openswan Users]
can ping to road warrior, cannot ping the other way
Joseph Commisso
commisj at cs.sunyit.edu
Thu Nov 11 23:09:04 CET 2004
Hi,
I have a Linux 2.4 kernel with openswan 2.2.0 and the tunnel is up!
There are two gateway/firewalls running openswan.
I can ping from behind our static IP to the road warrior fine, but when I
ping from behind the road warrior to a box behind the static IP address,
no go:
# ping -I 192.168.192.1 192.168.3.7
PING 192.168.3.7 (192.168.3.7) from 192.168.192.1 : 56(84) bytes of data.
64 bytes from 192.168.3.7: icmp_seq=1 ttl=127 time=33.8 ms
64 bytes from 192.168.3.7: icmp_seq=2 ttl=127 time=13.3 ms
64 bytes from 192.168.3.7: icmp_seq=3 ttl=127 time=15.9 ms
64 bytes from 192.168.3.7: icmp_seq=4 ttl=127 time=17.7 ms
--- 192.168.3.7 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3032ms
rtt min/avg/max/mdev = 13.322/20.195/33.807/8.015 ms
But, look at the other direction:
# ping -I 192.168.3.1 192.168.192.10
PING 192.168.192.10 (192.168.192.10) from 192.168.3.1 : 56(84) bytes of data.
--- 192.168.192.10 ping statistics ---
29 packets transmitted, 0 received, 100% packet loss, time 28013ms
Also, here is the output of "ipsec verify":
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan cvs2002Mar11_19:19:03 (klips)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking tun0x1006 at 24.39.245.142 from 192.168.3.0/24 to 192.168.192.0/24 [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 192.168.192.0/24
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: george.tahan.com           [MISSING]
Does the machine have at least one non-private address?         [OK]
Looking for TXT in reverse dns zone: 213.43.58.24.in-addr.arpa. [MISSING]
The other end of the tunnel gives the same output (it just has a different
IP that it references), but it is the exact same failure.
The ping does work from one end, though.
Any suggestions would be greatly appreciated.
TIA,
Joe Commisso
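The "SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel" warning in the ipsec verify output above is worth seeing mechanically. The following is an added example, not code from the original post or from Openswan: it models a POSTROUTING nat chain with iptables first-match semantics and then asks whether the tunnel's eroute (192.168.3.0/24 -> 192.168.192.0/24) still selects the packet after NAT. It assumes the gateway's public address is 24.39.245.142 (taken from the verify output), that KLIPS routes tunnel-bound traffic through ipsec0 before the nat chain runs, and that the eroute selects on the post-NAT source address. The Internet host 198.51.100.5 and the three candidate rulesets are constructed for illustration; the ruleset names, functions and dataclasses are the example's own.

```python
"""
Why a broad MASQUERADE rule breaks a KLIPS net-to-net tunnel (added example).

Assumptions: gateway public address 24.39.245.142 (from the ipsec verify
output); tunnel traffic is routed via ipsec0 before POSTROUTING runs; the
eroute/SPD lookup uses the post-NAT source. Everything else is a deliberately
small simulation of iptables first-match behaviour, not the kernel's code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

GATEWAY_PUBLIC = "24.39.245.142"                      # from the verify output
LOCAL_NET = ipaddress.ip_network("192.168.3.0/24")    # behind the static IP
REMOTE_NET = ipaddress.ip_network("192.168.192.0/24")  # behind the road warrior


@dataclass
class NatRule:
    """One POSTROUTING rule: -s SRC [! -d DST] [-o IFACE] -j TARGET."""
    src: str
    target: str = "MASQUERADE"
    dst: Optional[str] = None
    dst_negated: bool = False
    out_if: Optional[str] = None


@dataclass
class Packet:
    src: str
    dst: str
    out_if: str  # interface the routing decision picked


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst is not None:
        in_dst = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        if in_dst == rule.dst_negated:  # "! -d" inverts the destination match
            return False
    if rule.out_if is not None and rule.out_if != pkt.out_if:
        return False
    return True


def postrouting(rules: List[NatRule], pkt: Packet) -> Packet:
    """First matching rule wins; MASQUERADE rewrites the source, ACCEPT stops."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.target == "MASQUERADE":
                return Packet(GATEWAY_PUBLIC, pkt.dst, pkt.out_if)
            return pkt  # ACCEPT: leave the packet alone, stop evaluating
    return pkt


def tunnel_selects(pkt: Packet) -> bool:
    """The eroute ipsec verify checked: 192.168.3.0/24 -> 192.168.192.0/24."""
    return (ipaddress.ip_address(pkt.src) in LOCAL_NET
            and ipaddress.ip_address(pkt.dst) in REMOTE_NET)


def send(rules: List[NatRule], src: str, dst: str) -> Tuple[str, bool]:
    """Route, run the nat chain, then report (final source, tunnel still matches)."""
    out_if = "ipsec0" if ipaddress.ip_address(dst) in REMOTE_NET else "eth0"
    pkt = postrouting(rules, Packet(src, dst, out_if))
    return pkt.src, tunnel_selects(pkt)


# What the verify output complains about:  -s 192.168.3.0/24 -j MASQUERADE
BROKEN = [NatRule("192.168.3.0/24")]

# Fix 1: exclude the remote subnet:  -s 192.168.3.0/24 ! -d 192.168.192.0/24 -j MASQUERADE
FIX_EXCLUDE_DST = [NatRule("192.168.3.0/24", dst="192.168.192.0/24", dst_negated=True)]

# Fix 2: an ACCEPT for tunnel traffic placed before the MASQUERADE rule
FIX_ACCEPT_FIRST = [NatRule("192.168.3.0/24", target="ACCEPT", dst="192.168.192.0/24"),
                    NatRule("192.168.3.0/24")]

# Fix 3 (KLIPS, under this model's assumption that tunnel traffic leaves via
# ipsec0): restrict MASQUERADE to the physical interface with -o eth0
FIX_OUT_IFACE = [NatRule("192.168.3.0/24", out_if="eth0")]

if __name__ == "__main__":
    for name, rules in [("broken", BROKEN), ("exclude-dst", FIX_EXCLUDE_DST),
                        ("accept-first", FIX_ACCEPT_FIRST), ("out-iface", FIX_OUT_IFACE)]:
        vpn = send(rules, "192.168.3.7", "192.168.192.10")
        inet = send(rules, "192.168.3.7", "198.51.100.5")  # constructed Internet host
        print(f"{name:13s} to VPN peer: src={vpn[0]:15s} tunnel={vpn[1]!s:5s} "
              f"to Internet: src={inet[0]}")
```

With the broken ruleset the packet for 192.168.192.10 leaves the nat chain with source 24.39.245.142, which is outside 192.168.3.0/24, so the eroute no longer matches and the packet goes out in the clear instead of through the tunnel; each of the three alternatives keeps the inner source intact for tunnel traffic while still masquerading Internet-bound traffic. Fix 1 is the one that also carries over to non-KLIPS stacks, since it does not depend on a separate ipsec0 interface.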