[Openswan Users] ipsec up, but not always transferring (fwd)

Daniel Fenert daniel at fenert.net
Wed Sep 22 18:04:04 CEST 2004


On Wed, Sep 22, 2004 at 09:02:57AM -0400, Michael Richardson wrote:
>  Please confirm:
>	 a) you are running 
>		tcpdump -i ipsec0 -n -p

I've always run without '-p' switch, but tried to set up promisc mode with ifconfig,
and it wasn't working, so it's not promisc mode that causes it I think...

>	 b) you are using tcpdump 3.8.3 with libpcap 0.8.3
>	    (because some tcpdump's have different flags)

right, # tcpdump -V
tcpdump version 3.8.3
libpcap version 0.8.3

>	 c) you have PF_PACKET support in your kernel.

Hmmm, # grep PACKET /usr/src/linux/.config
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
# CONFIG_NCPFS_PACKET_SIGNING is not set
Does not look like...

>	 d) please run tcpdump on the external interface (eth1, ppp0, whatever)
>	    to confirm what the packets are leaving R3, and to determine
>	    if the packets are arriving (or not) at R1.

Strange thing, while pinging from SambaServer to 192.168.3.10, tcpdump on R1
external interface shows:
16:46:03.200021 arp who-has x.x.x.47 tell y.y.y.170
16:46:04.200014 arp who-has x.x.x.47 tell y.y.y.170
16:46:05.202439 arp who-has x.x.x.47 tell y.y.y.170

and when in working state, it looks OK:
16:59:07.062938 IP x.x.x.47 > y.y.y.170: ESP(spi=0x4dbf6f0d,seq=0x2f3)
16:59:07.063391 IP y.y.y.170 > x.x.x.47: ESP(spi=0x8b00cd72,seq=0x400)
16:59:07.137698 IP x.x.x.47 > y.y.y.170: ESP(spi=0x4dbf6f0d,seq=0x2f4)
16:59:07.137975 IP y.y.y.170 > x.x.x.47: ESP(spi=0x8b00cd72,seq=0x401)

>	 e) please do an "ipsec barf" before and after.

These two answers in a few hours.

>	 f) please repeat with and without -p flag.

I've always checked without -p, I'll check with this later.

			R1 routing table:
# ip route ls
y.y.y.168/30 dev eth1  proto kernel  scope link  src y.y.y.170
y.y.y.168/30 dev ipsec0  proto kernel  scope link  src y.y.y.170
192.168.3.0/24 via y.y.y.169 dev ipsec0
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.250
192.168.10.0/24 via 192.168.0.254 dev eth0
127.0.0.0/8 dev lo  scope link
default via y.y.y.169 dev eth1  metric 1

ARPs:
# arp -n
Address                  HWtype  HWaddress           Flags Mask Iface
x.x.x.47                       (incomplete)          eth1
y.y.y.169           ether   00:C0:7B:B1:A7:C1   C    eth1

PS. In working state x.x.x.47 has also incomplete HWaddress but I think that's
ok, because it's not directly connected.



			R3 routing table:
# ip route ls
z.z.z.205 dev ppp0  proto kernel  scope link  src x.x.x.47
z.z.z.205 dev ipsec0  proto kernel  scope link  src x.x.x.47
192.168.3.0/24 dev eth0  proto kernel  scope link  src 192.168.3.1
192.168.0.0/24 via z.z.z.205 dev ipsec0
127.0.0.0/8 dev lo  scope link
default via z.z.z.205 dev ppp0

If it's important, this ppp0 is on a USB ADSL modem.

# arp -n
Address                  HWtype  HWaddress           Flags Mask Iface
192.168.3.10             ether   00:11:2F:0D:A5:CA   C eth0

-- 
Daniel Fenert                 --==> daniel at fenert.net <==--
==-P o w e r e d--b y--S l a c k w a r e-=-ICQ #37739641-==
Smoking is one of the leading causes of statistics. -- Fletcher Knebel
=======- http://daniel.fenert.net/ -=======< +48604628083 >
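
The two capture states described in this message, turned into a check, as an added example that is not part of the original post: it classifies tcpdump lines from the external interface as ESP in both directions, ESP in one direction, or unanswered ARP requests for the peer. The addresses are constructed documentation-range stand-ins for the masked y.y.y.170 and x.x.x.47, and `classify` and its verdict strings are hypothetical names.

```python
import re

# Line shapes follow the tcpdump 3.8.3 output quoted in the post; the
# "arp reply" shape does not appear there and is assumed for that version.
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=(0x[0-9a-f]+),seq=0x[0-9a-f]+\)")
ARP_REQ_RE = re.compile(r"arp who-has (\S+) tell (\S+)")
ARP_REPLY_RE = re.compile(r"arp reply (\S+) is-at")

# Constructed stand-ins for the masked y.y.y.170 (R1) and x.x.x.47 (R3).
LOCAL, PEER = "203.0.113.170", "198.51.100.47"
FAILING = [  # constructed from the failing-state capture
    "16:46:03.200021 arp who-has 198.51.100.47 tell 203.0.113.170",
    "16:46:04.200014 arp who-has 198.51.100.47 tell 203.0.113.170",
    "16:46:05.202439 arp who-has 198.51.100.47 tell 203.0.113.170",
]
WORKING = [  # constructed from the working-state capture
    "16:59:07.062938 IP 198.51.100.47 > 203.0.113.170: ESP(spi=0x4dbf6f0d,seq=0x2f3)",
    "16:59:07.063391 IP 203.0.113.170 > 198.51.100.47: ESP(spi=0x8b00cd72,seq=0x400)",
    "16:59:07.137698 IP 198.51.100.47 > 203.0.113.170: ESP(spi=0x4dbf6f0d,seq=0x2f4)",
    "16:59:07.137975 IP 203.0.113.170 > 198.51.100.47: ESP(spi=0x8b00cd72,seq=0x401)",
]


def classify(lines, local=LOCAL, peer=PEER):
    """Summarise a capture taken on the external interface of `local`."""
    esp = {"out": [], "in": []}          # SPIs seen per direction
    arp_requests, arp_answered = 0, False
    for line in lines:
        if m := ESP_RE.search(line):
            src, dst, spi = m.groups()
            if (src, dst) == (local, peer):
                esp["out"].append(spi)
            elif (src, dst) == (peer, local):
                esp["in"].append(spi)
        elif (m := ARP_REQ_RE.search(line)) and m.groups() == (peer, local):
            arp_requests += 1            # local host is ARPing for the peer itself
        elif (m := ARP_REPLY_RE.search(line)) and m.group(1) == peer:
            arp_answered = True
    if esp["out"] and esp["in"]:
        verdict = "esp-both-ways"
    elif esp["out"] or esp["in"]:
        verdict = "esp-one-way"
    elif arp_requests and not arp_answered:
        verdict = "arp-unanswered"
    else:
        verdict = "no-tunnel-traffic"
    return {"verdict": verdict, "arp_requests": arp_requests,
            "esp_packets": {d: len(s) for d, s in esp.items()},
            "spis": {d: sorted(set(s)) for d, s in esp.items()}}
```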

