[Openswan Users] ping works but others applications don't
Paulo Ricardo Bruck
pauloric at contato.com.br
Tue Jan 25 15:57:23 CET 2005
Hi guys,
I'm using Debian sarge + openswan-2.2.0-4 + kernel2.6.8-1 + iptables on
both sides.
Finally I started Openswan to connect with another Openswan.
I can ping from my desktop to another one on the other side, but only ping
works. I've already inserted overridemtu=1400 but it had no effect, and ping -s
30000 works.
Can anybody give me a hint?
Thanks in advance.
-------------------------------------------------
lorien:~# ipsec auto --verbose --up contato-bino
002 "contato-bino" #5: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#3}
112 "contato-bino" #5: STATE_QUICK_I1: initiate
002 "contato-bino" #5: Dead Peer Detection (RFC 3706) enabled
002 "contato-bino" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
002 "contato-bino" #5: sent QI2, IPsec SA established {ESP=>0xd3f08a5d <0x77f0b5e0 IPCOMP=>0x0000eb7c <0x0000aac1}
004 "contato-bino" #5: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xd3f08a5d <0x77f0b5e0 IPCOMP=>0x0000eb7c <0x0000aac1}
-------------------------------------------------------------
pauloric@pauloric:~$ ip a l
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:a6:a6:e8:6b brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.11/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::20e:a6ff:fea6:e86b/64 scope link
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
------------------------------------------------------------
pauloric@pauloric:~$ ping 192.168.1.7
PING 192.168.1.7 (192.168.1.7) 56(84) bytes of data.
64 bytes from 192.168.1.7: icmp_seq=1 ttl=62 time=45.7 ms
64 bytes from 192.168.1.7: icmp_seq=2 ttl=62 time=44.6 ms
-------------------------------------------------------------
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug="control parsing"
        nat_traversal=yes
        overridemtu= 1400

# Add connections here
# sample VPN connection
conn contato-bino
        left=200.207.125.xx
        leftsubnet=192.168.0.0/24
        leftnexthop=%defaultroute
        leftrsasigkey=0sAQPctZm/aeoxFDDzdzuvx0GtTTjvf04d35DuiXcclGYgH842dBdfHM4YUkkRsUzdIiTpLEU+fmM29evmH3ofin3ODJHo1iUev0Z/vsY3gxdacBbGW/6jEZYFLlsXmM+PkIedDLFW8HTGUUkLFMtq6O5Qmz8mJKEm2AvFdYMcju3+CQ==
        right=200.168.52.xx
        rightsubnet=192.168.1.0/24
        rightnexthop=%defaultroute
        rightrsasigkey=0sAQN2IhzMU0VPZiEuJ+8JPruCXwN9mGkeLsLOnEfbZ9R+nn4FJHaY+al+DmmI9hGj3ylgXzvRmOXZAvZKo9jJ66i1Ea5WVNtoI/C/xdygM23gpja4WnXshkk9j758uQM4qS9iuV7rno3ezezqFIvKrpvAFD/0h2pB2PqUSGIUM6+F8w==
        auto=add
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        compress=yes
----------------------------------------------------------------
lorien:~# iptables -nL FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.0.0/16       0.0.0.0/0
--
Paulo Ricardo Bruck - consultor
Contato Global Solutions
tel 011 5031-4932 fone/fax 011 5034-1732 cel 011 9235-4327