[Openswan Users] Half-Open tunnel ?

nils toedtmann openswan-users at nils.toedtmann.net
Tue Oct 5 19:29:40 CEST 2004


On Tue, Oct 05, 2004 at 03:12:46PM +0200, O-Zone wrote:
[...]
> [MyNET 10.0.0.0/24]----[GW]====(VPN)=====[GW]---[OtherNET 10.0.2.0/24]
> 
> If, from OtherNET, I ping a machine in MyNET all works well. If, from MyNet,
> I ping a host inside OtherNET, it doesn't work.
[...]
> Some tests with TCPDUMP, if I ping from 10.0.0.9 to 10.0.2.200 (both alive):
> [On MyNET's GW]
> root at bastion:~# tcpdump -i ipsec0 dst 10.0.2.200
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ipsec0, link-type EN10MB (Ethernet), capture size 68 bytes
> 15:01:52.085904 IP GW > 10.0.2.200: icmp 64: echo request seq 838
> 15:01:53.085738 IP GW > 10.0.2.200: icmp 64: echo request seq 839
> 15:01:54.085595 IP GW > 10.0.2.200: icmp 64: echo request seq 840
[...]

Why is the source-ip "GW" and not "10.0.0.9"? If you mean the exterior
ip of GW: is there a masquerading/SNAT on GW's ipsec0 device (view
with "iptables -t nat -nvL POSTROUTING")? Or is 10.0.0.9 the internal ip
of MyNET's GW? If so: did you ping with "-I 10.0.0.9"?


> [On OtherNET's GW]
> ...nothing...

Debug further: kill all traffic in the tunnel such that your test ping 
is the only traffic in that tunnel. tcpdump on the exterior ethX of
the gateways: Does MyNET's GW send ESP-encapsulated echo-requests? Do 
they arrive at OtherNET's GW?


/nils.

-- 
there is no sig.
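The check behind Nils' question, as an added example that is not part of the thread: a plaintext packet on ipsec0 is only carried by the tunnel if its source and destination fall inside the negotiated subnets (10.0.0.0/24 and 10.0.2.0/24 here); a source rewritten to the gateway's exterior address by SNAT before encapsulation matches neither side's policy. The script below reads `tcpdump -n -i ipsec0` style lines and flags such packets; 192.0.2.1 is an assumed stand-in for GW's exterior address, and the sample lines are constructed after the capture quoted above.

```sh
#!/bin/sh
# Added example (not from the original thread). Verifies that packets seen on
# ipsec0 match the tunnel's subnet selectors; a source outside the local subnet
# usually means a masquerade/SNAT rule fired before IPsec encapsulation.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds if $1 (dotted quad) lies inside the CIDR block $2 (e.g. 10.0.0.0/24).
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Reads tcpdump output on stdin, prints one verdict per IP packet.
# $1 = local tunnel subnet, $2 = remote tunnel subnet.
check_selectors() {
    local_net=$1; remote_net=$2
    while read -r ts proto src arrow dst rest; do
        [ "$proto" = IP ] || continue        # skip tcpdump banner lines
        dst=${dst%:}
        case "$src$dst" in                   # names instead of addresses?
            *[!0-9.]*) echo "UNRESOLVED $src > $dst: run tcpdump with -n"; continue ;;
        esac
        if ! in_subnet "$src" "$local_net"; then
            echo "BAD-SRC $src > $dst: source outside $local_net (SNAT before IPsec?)"
        elif ! in_subnet "$dst" "$remote_net"; then
            echo "BAD-DST $src > $dst: destination outside $remote_net"
        else
            echo "OK $src > $dst"
        fi
    done
}

# Constructed sample modelled on the quoted capture; 192.0.2.1 stands in for
# the gateway's exterior address, the third line shows the unresolved-name case.
sample='15:01:52.085904 IP 192.0.2.1 > 10.0.2.200: icmp 64: echo request seq 838
15:01:53.085738 IP 10.0.0.9 > 10.0.2.200: icmp 64: echo request seq 839
15:01:54.085595 IP GW > 10.0.2.200: icmp 64: echo request seq 840'

printf '%s\n' "$sample" | check_selectors 10.0.0.0/24 10.0.2.0/24
```

Feed it a live capture with `tcpdump -n -l -i ipsec0 | sh this.sh` style piping, and pair a BAD-SRC verdict with `iptables -t nat -nvL POSTROUTING` to find the rule responsible.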
