[Openswan Users] Half-Open tunnel ?
Paul Wouters
paul at xelerance.com
Tue Oct 5 19:13:34 CEST 2004
On Tue, 5 Oct 2004, O-Zone wrote:
> [On MyNET's GW]
> root at bastion:~# tcpdump -i ipsec0 dst 10.0.2.200
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ipsec0, link-type EN10MB (Ethernet), capture size 68 bytes
> 15:01:52.085904 IP GW > 10.0.2.200: icmp 64: echo request seq 838
> 15:01:53.085738 IP GW > 10.0.2.200: icmp 64: echo request seq 839
> 15:01:54.085595 IP GW > 10.0.2.200: icmp 64: echo request seq 840
>
> [On OtherNET's GW]
> ...nothing...
Run tcpdump on the ethernet device and see if ESP packets come in. If so,
the machine is dropping them, either because they're broken (e.g. NATed) or
because of some other firewall rule.
>
> Here's IPTABLES dump on both GW:
> [MyNET's GW]
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT all -- 10.0.2.0/24 localnet/24
> ACCEPT all -- localnet/24 10.0.2.0/24
> Note:localnet=10.0.0.0
>
> [OtherNET's GW]
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT all -- 10.0.0.0/24 localnet/24
> ACCEPT all -- localnet/24 10.0.0.0/24
> Note: localnet=10.0.2.0
You could log and drop and see which rule matches.
Also run 'ipsec verify'
Paul
--
"Non cogitamus, ergo nihil sumus"
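An added diagnostic script, not from this thread or from Openswan, that scripts the two checks above (tcpdump for ESP on the wire, and a LOG rule ahead of the FORWARD chain's DROP policy) and also adds the INPUT accepts for ESP/IKE that the gateway itself needs; the interface name, peer address and the IPTABLES variable are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original thread. Assumes Openswan
# with KLIPS (the ipsec0 device) and iptables; interface and peer are
# placeholders supplied on the command line.

# Override with IPTABLES=... to dry-run (e.g. IPTABLES=echo).
IPTABLES="${IPTABLES:-iptables}"

# BPF filter for a peer's IPsec traffic on the ethernet device: ESP (IP
# protocol 50), IKE (UDP 500) and NAT-Traversal (UDP 4500). Plaintext
# pings seen leaving ipsec0 must appear here as ESP, or they never left.
esp_filter() {
    printf 'host %s and (esp or udp port 500 or udp port 4500)' "$1"
}

# Append a rate-limited LOG rule to FORWARD so packets that fall through
# to the DROP policy are recorded (dmesg / kern.log) before being dropped.
add_forward_log_rule() {
    "$IPTABLES" -A FORWARD -m limit --limit 5/min -j LOG \
        --log-prefix 'FORWARD-DROP: ' --log-level 4
}

# Traffic addressed to the gateway itself (ESP, IKE) goes through INPUT,
# not FORWARD: accept it from the peer on the external interface.
add_ipsec_input_rules() {
    ext_if="$1" peer="$2"
    "$IPTABLES" -A INPUT -i "$ext_if" -s "$peer" -p esp -j ACCEPT
    "$IPTABLES" -A INPUT -i "$ext_if" -s "$peer" -p udp --dport 500 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$ext_if" -s "$peer" -p udp --dport 4500 -j ACCEPT
}

# Usage (as root on the gateway): sh ipsec-diag.sh run eth0 203.0.113.7
if [ "${1:-}" = "run" ]; then
    ext_if="${2:?external interface, e.g. eth0}"
    peer="${3:?remote gateway address}"
    tcpdump -ni "$ext_if" -c 5 "$(esp_filter "$peer")"  # step 1: ESP on the wire?
    add_ipsec_input_rules "$ext_if" "$peer"              # gateway may receive ESP/IKE
    add_forward_log_rule                                 # step 2: log FORWARD drops
    echo "Ping across the tunnel, then: dmesg | grep FORWARD-DROP"
fi
```

With the LOG rule in place, a line in the kernel log names the packet (source, destination, protocol) that the DROP policy is about to discard, which tells you whether the ACCEPT rules or the tunnel itself is at fault.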