[Openswan Users] ipsec up, but not always transferring (fwd)
Daniel Fenert
daniel at fenert.net
Wed Sep 22 18:04:04 CEST 2004
On Wed, Sep 22, 2004 at 09:02:57AM -0400, Michael Richardson wrote:
> Please confirm:
> a) you are running
> tcpdump -i ipsec0 -n -p
I've always run without the '-p' switch, but tried to set up promisc mode with ifconfig,
and it wasn't working, so it's not promisc mode that causes it, I think...
> b) you are using tcpdump 3.8.3 with libpcap 0.8.3
> (because some tcpdumps have different flags)
right, # tcpdump -V
tcpdump version 3.8.3
libpcap version 0.8.3
> c) you have PF_PACKET support in your kernel.
Hmmm, # grep PACKET /usr/src/linux/.config
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
# CONFIG_NCPFS_PACKET_SIGNING is not set
Does not look like...
> d) please run tcpdump on the external interface (eth1, ppp0, whatever)
> to confirm that the packets are leaving R3, and to determine
> if the packets are arriving (or not) at R1.
Strange thing, while pinging from SambaServer to 192.168.3.10, tcpdump on R1
external interface shows:
16:46:03.200021 arp who-has x.x.x.47 tell y.y.y.170
16:46:04.200014 arp who-has x.x.x.47 tell y.y.y.170
16:46:05.202439 arp who-has x.x.x.47 tell y.y.y.170
and when in working state, it looks OK:
16:59:07.062938 IP x.x.x.47 > y.y.y.170: ESP(spi=0x4dbf6f0d,seq=0x2f3)
16:59:07.063391 IP y.y.y.170 > x.x.x.47: ESP(spi=0x8b00cd72,seq=0x400)
16:59:07.137698 IP x.x.x.47 > y.y.y.170: ESP(spi=0x4dbf6f0d,seq=0x2f4)
16:59:07.137975 IP y.y.y.170 > x.x.x.47: ESP(spi=0x8b00cd72,seq=0x401)
> e) please do an "ipsec barf" before and after.
These two answers in a few hours.
> f) please repeat with and without -p flag.
I've always checked without -p, I'll check with this later.
R1 routing table:
# ip route ls
y.y.y.168/30 dev eth1 proto kernel scope link src y.y.y.170
y.y.y.168/30 dev ipsec0 proto kernel scope link src y.y.y.170
192.168.3.0/24 via y.y.y.169 dev ipsec0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.250
192.168.10.0/24 via 192.168.0.254 dev eth0
127.0.0.0/8 dev lo scope link
default via y.y.y.169 dev eth1 metric 1
ARPs:
# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
x.x.x.47                         (incomplete)                              eth1
y.y.y.169                ether   00:C0:7B:B1:A7:C1   C                     eth1
PS. In working state x.x.x.47 also has an incomplete HWaddress, but I think that's
ok, because it's not directly connected.
R3 routing table:
# ip route ls
z.z.z.205 dev ppp0 proto kernel scope link src x.x.x.47
z.z.z.205 dev ipsec0 proto kernel scope link src x.x.x.47
192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.1
192.168.0.0/24 via z.z.z.205 dev ipsec0
127.0.0.0/8 dev lo scope link
default via z.z.z.205 dev ppp0
If it's important, this ppp0 is on a USB ADSL modem.
# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.3.10             ether   00:11:2F:0D:A5:CA   C                     eth0
--
Daniel Fenert --==> daniel at fenert.net <==--
==-P o w e r e d--b y--S l a c k w a r e-=-ICQ #37739641-==
Smoking is one of the leading causes of statistics. -- Fletcher Knebel
=======- http://daniel.fenert.net/ -=======< +48604628083 >