[Openswan Users] Cannot ping the vpn gateway

Gömöri Zoltán suf at freemail.hu
Fri Jul 8 10:52:12 CEST 2005


Hi,

That is true, but if I can't ping the gateway it causes deeper problems.
I checked the logs (actually I generated packet logs with iptables rules) and found that any packet initiated on the VPN gateway's local interface with a target address in the local subnet is heading in the wrong direction. These packets are going out on the internet interface instead of the local one.
So:
1. Any service listening on the local interface will be unusable from the local subnet.
2. This behaviour breaks the PMTU discovery mechanism. In detail: a machine on the local subnet sends a 1500-byte packet through the gateway with the DF bit set. The packet can't fit into the IPsec tunnel (max MTU 1444 bytes). In the normal behaviour the gateway sends back an ICMP type 3 code 4 packet telling the originator to lower the packet size. The originator then resends a smaller packet, or the original packet with the DF bit clear. In our case, unfortunately, the ICMP packet mentioned above goes out on the internet interface, so the originator never gets it and will keep sending 1500-byte packets until it gives up.

From what I've heard about this issue I have to establish an additional connection, but I've no clue what needs to be in it.

Zoltan

> -----Original Message-----
> From: temmink [mailto:temmink at vrisned.com] 
> Sent: Friday, July 08, 2005 8:28 AM
> To: 'Gömöri Zoltán'
> Subject: RE: [Openswan Users] Cannot ping the vpn gateway
> 
> Hi,
> 
> You cannot ping the VPN gateway, but you can ping the systems behind the gateway.
> So actually you can ping through the VPN machine itself.
> 
> M. Temmink
> www.vrisned.com
> 
>   
> 
> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of
> Gömöri Zoltán
> Sent: Friday, July 8, 2005 7:36
> To: users at openswan.org
> Subject: [Openswan Users] Cannot ping the vpn gateway
> 
> Hi,
>  
> I'm using OpenS/WAN 2.3.1 and kernel 2.6.12.2 with native IPSEC
>  
> I've the following setting in the ipsec.conf:
> 
> include /etc/ipsec.d/examples/no_oe.conf
>  
> conn Test
> 	left=a.b.c.d
> 	leftsubnet=10.0.0.0/8
> 	leftid=@test.left
> 	leftrsasigkey=XXXXXXXXXXXXXXXXXXX
> 	leftnexthop=e.f.g.h
> 	right=i.j.k.l
> 	rightsubnet=10.15.14.0/24
> 	rightid=@test.right
> 	rightrsasigkey=YYYYYYYYYYYYYYYYYYY
> 	rightnexthop=m.n.o.p
> 	auto=add
>     
> From the point when I establish the Test connection I'm not able to ping the
> right VPN gateway's internal IP (10.15.14.1) from the right local subnet.
> Can anybody tell me, how can I solve this?
> 
> thank you
> Zoltan
> 
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> 
> 

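To make the behaviour described in this thread concrete, here is an added Python model (my own, not code from the thread, the poster, or Openswan) of the outbound security policy that the `Test` conn installs on the right gateway, and of the ICMP "fragmentation needed" message the gateway generates for an oversized DF packet. Everything about the addresses comes from the posted conn (leftsubnet=10.0.0.0/8, rightsubnet=10.15.14.0/24, gateway 10.15.14.1); the LAN host 10.15.14.50 is constructed, the first-match/most-specific-first lookup is an assumption about how a narrower policy takes precedence, and the `local-clear` passthrough entry is my suggested additional connection (an Openswan conn with `type=passthrough` and leftsubnet=rightsubnet=10.15.14.0/24), which the thread itself does not confirm.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Tunnel MTU quoted in the message above.
IPSEC_MTU = 1444


@dataclass(frozen=True)
class Policy:
    """One outbound security-policy (SPD) entry, as derived from an ipsec.conf conn."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    # "tunnel": encrypt and send via the internet interface; "passthrough": send in clear.
    action: str


def outbound_policy(name: str, leftsubnet: str, rightsubnet: str,
                    side: str, action: str = "tunnel") -> Policy:
    """Selector this gateway installs for its own outbound traffic.

    Seen from `side` ("left" or "right"), src is the local subnet and dst the
    remote one. A gateway whose own LAN address lies inside the local subnet is
    therefore itself a possible source of the tunnel.
    """
    local, remote = (leftsubnet, rightsubnet) if side == "left" else (rightsubnet, leftsubnet)
    return Policy(name, ipaddress.ip_network(local), ipaddress.ip_network(remote), action)


def lookup(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """First match wins. The caller keeps the list ordered most-specific first
    (assumption: this models the precedence a narrower passthrough conn gets
    over a broad tunnel conn); no match means ordinary routing."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in p.src and d in p.dst:
            return p
    return None


def egress(policies: List[Policy], src: str, dst: str) -> str:
    """Interface a locally generated packet leaves on: "internet" if a tunnel
    policy grabs it, otherwise "local" (every dst used here is on the LAN)."""
    p = lookup(policies, src, dst)
    return "internet" if p is not None and p.action == "tunnel" else "local"


def pmtu_response(pkt_len: int, df: bool, originator: str, gateway: str,
                  policies: List[Policy]) -> dict:
    """Model the gateway's ICMP type 3 code 4 (fragmentation needed) handling.

    The ICMP error is generated by the gateway itself, so its egress is decided
    by the same SPD lookup as any other packet the gateway originates.
    """
    if not df or pkt_len <= IPSEC_MTU:
        return {"icmp": False}
    return {"icmp": True, "type": 3, "code": 4, "mtu": IPSEC_MTU,
            "egress": egress(policies, gateway, originator)}


def subnets_overlap(a: str, b: str) -> bool:
    """True when one conn selector contains the other, the condition that makes
    LAN-to-LAN traffic match a tunnel policy."""
    na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
    return na.subnet_of(nb) or nb.subnet_of(na)


# conn Test from the original message, as seen from the right gateway.
LEFTSUBNET, RIGHTSUBNET = "10.0.0.0/8", "10.15.14.0/24"
RIGHT_GW, RIGHT_HOST = "10.15.14.1", "10.15.14.50"   # 10.15.14.50 is a constructed LAN host
TEST_TUNNEL = outbound_policy("Test", LEFTSUBNET, RIGHTSUBNET, side="right")

# Assumed fix (not from the thread): a second conn covering the local LAN at both
# ends with type=passthrough, ordered before the tunnel policy.
LOCAL_CLEAR = outbound_policy("local-clear", RIGHTSUBNET, RIGHTSUBNET, side="right",
                              action="passthrough")

AS_POSTED = [TEST_TUNNEL]
WITH_PASSTHROUGH = [LOCAL_CLEAR, TEST_TUNNEL]

if __name__ == "__main__":
    print("rightsubnet inside leftsubnet:", subnets_overlap(LEFTSUBNET, RIGHTSUBNET))
    for label, spd in (("as posted", AS_POSTED), ("with passthrough", WITH_PASSTHROUGH)):
        print(f"[{label}] gw->LAN host leaves on:", egress(spd, RIGHT_GW, RIGHT_HOST))
        print(f"[{label}] ICMP frag-needed to LAN host:",
              pmtu_response(1500, True, RIGHT_HOST, RIGHT_GW, spd))
```

The model ties the two symptoms together: because 10.15.14.0/24 lies inside 10.0.0.0/8, any packet the right gateway originates towards its own LAN (a service reply, or the ICMP type 3 code 4 for a 1500-byte DF packet) matches the `Test` selector and is pushed into the tunnel. Putting a more specific passthrough policy for the LAN ahead of it is what lets those packets leave on the local interface again; traffic to the rest of 10.0.0.0/8 still goes through the tunnel.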