[Openswan Users] ping works but others applications don't

Glover George dcunited at gmail.com
Tue Jan 25 12:43:41 CET 2005


Hi, I get the same problem as well, but most people write it off as
MTU problems.  I have exactly the same symptoms, just on Fedora Core
3.  There must be some step missing from the documentation that
everyone else "knows" about.  When you perform the ping and it comes
back, but nothing else does, do you see "any" replies coming back
to the machine on the original subnet?  Although nothing other than
ping works for me, I do see some packet replies (with tcpdump on the
original sending machine) come all the way back, but can't figure out
why the applications aren't seeing them.


On Tue, 25 Jan 2005 15:57:23 -0200, Paulo Ricardo Bruck
<pauloric at contato.com.br> wrote:
> Hi guys
> 
> I'm using Debian sarge + openswan-2.2.0-4 + kernel 2.6.8-1 + iptables on
> both sides.
> 
> Finally I started openswan to connect with another Openswan.
> I can ping from my desktop to another one on the other side, but only ping
> works. I've already inserted overridemtu=1400 but it had no effect, and ping -s
> 30000 works.
> 
> Can anybody give me a hint?
> 
> Thanks in advance
> 
> -------------------------------------------------
> lorien:~# ipsec auto --verbose --up contato-bino
> 002 "contato-bino" #5: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS
> +TUNNEL+PFS+UP {using isakmp#3}
> 112 "contato-bino" #5: STATE_QUICK_I1: initiate
> 002 "contato-bino" #5: Dead Peer Detection (RFC 3706) enabled
> 002 "contato-bino" #5: transition from state STATE_QUICK_I1 to state
> STATE_QUICK_I2
> 002 "contato-bino" #5: sent QI2, IPsec SA established {ESP=>0xd3f08a5d
> <0x77f0b5e0 IPCOMP=>0x0000eb7c <0x0000aac1}
> 004 "contato-bino" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0xd3f08a5d <0x77f0b5e0 IPCOMP=>0x0000eb7c <0x0000aac1}
> -------------------------------------------------------------
> pauloric at pauloric:~$ ip a  l
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:0e:a6:a6:e8:6b brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.11/24 brd 192.168.0.255 scope global eth0
>     inet6 fe80::20e:a6ff:fea6:e86b/64 scope link
>        valid_lft forever preferred_lft forever
> 3: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
> ------------------------------------------------------------
> pauloric at pauloric:~$ ping 192.168.1.7
> PING 192.168.1.7 (192.168.1.7) 56(84) bytes of data.
> 64 bytes from 192.168.1.7: icmp_seq=1 ttl=62 time=45.7 ms
> 64 bytes from 192.168.1.7: icmp_seq=2 ttl=62 time=44.6 ms
> -------------------------------------------------------------
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         klipsdebug=all
>         plutodebug="control parsing"
>         nat_traversal=yes
>         overridemtu= 1400
> # Add connections here
> 
> # sample VPN connection
> conn contato-bino
>         left=200.207.125.xx
>         leftsubnet=192.168.0.0/24
>         leftnexthop=%defaultroute
> 
> leftrsasigkey=0sAQPctZm/aeoxFDDzdzuvx0GtTTjvf04d35DuiXcclGYgH842dBdfHM4YUk
> kRsUzdIiTpLEU+fmM29evmH3ofin3ODJHo1iUev0Z/vsY3gxdacBbGW/6jEZYFLlsXmM
> +PkIedDLFW8HTG
> UUkLFMtq6O5Qmz8mJKEm2AvFdYMcju3+CQ==
>         right=200.168.52.xx
>         rightsubnet=192.168.1.0/24
>         rightnexthop=%defaultroute
>         rightrsasigkey=0sAQN2IhzMU0VPZiEuJ+8JPruCXwN9mGkeLsLOnEfbZ9R
> +nn4FJHaY+al+D
> mmI9hGj3ylgXzvRmOXZAvZKo9jJ66i1Ea5WVNtoI/C/xdygM23gpja4WnXshkk9j758uQM4qS9iuV7rno3
> ezezqFIvKrpvAFD/0h2pB2PqUSGIUM6+F8w==
>         auto=add
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=hold
>         compress=yes
> ----------------------------------------------------------------
> lorien:~# iptables -nL FORWARD
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
> RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.0.0/16       0.0.0.0/0
> 
> --
> Paulo Ricardo Bruck - consultor
> Contato Global Solutions
> tel 011 5031-4932  fone/fax 011 5034-1732  cel 011 9235-4327
> 
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> 


-- 
We are all sufferers from history, but the paranoid is a double
sufferer, since he is afflicted not only by the real world, with the
rest of us, but by his fantasies as well.

