[Openswan Users] Cannot ping the vpn gateway
suf at freemail.hu
Tue Jul 12 16:21:49 CEST 2005
Anybody has any idea on solving this problem?
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of Gömöri Zoltán
> Sent: Friday, July 08, 2005 9:52 AM
> To: users at openswan.org
> Subject: RE: [Openswan Users] Cannot ping the vpn gateway
> That is true, but if I can't ping the gateway it cause deeper
> I checked the logs (actually I generated packet logs with
> iptables rules),
> and found that
> any packet initated on the vpn gateway's local interface and
> has target
> address in the local
> subnet hading to the wrong direction.
> This packets ar going out on the internet interface instead
> of the local
> 1. If I have any service listening on the local interface
> will be unusable
> from the local subnet.
> 2. This behaviour brakes the PMTU discovery mechanism. In
> detail a machine
> on the local subnet
> send an 1500 byte length packet thru the gateway, with the DF
> bit set. The
> packet can't fit into
> the IPSEC tunnel (max MTU 1444 Byte). In the normal behaviour
> the gateway
> send back an ICMP
> type 3 code 4 packet telling to the originator, to lower the
> packet size.
> The originator
> resend a lower size packet or the original packet with DF bit clear.
> In our case unfortunatelly the ICMP packet menitoned above
> goes out on the
> internet interface
> and therefore the originator never gets it, therefore it will try to
> continue sending 1500 Byte
> packets until it gives up.
> >From what I've heard about this issue I have to establish an
> connection, but I've no clue
> what need to be in it.
> > -----Original Message-----
> > From: temmink [mailto:temmink at vrisned.com]
> > Sent: Friday, July 08, 2005 8:28 AM
> > To: 'Gömöri Zoltán'
> > Subject: RE: [Openswan Users] Cannot ping the vpn gateway
> > Hi,
> > You cannot ping the vpn gateway, but you can ping the systems
> > behind the
> > gateway.
> > So actually you can ping through the vpn-machine itself.
> > M. Temmink
> > www.vrisned.com
> > -----Oorspronkelijk bericht-----
> > Van: users-bounces at openswan.org
> > [mailto:users-bounces at openswan.org] Namens
> > Gömöri Zoltán
> > Verzonden: vrijdag 8 juli 2005 7:36
> > Aan: users at openswan.org
> > Onderwerp: [Openswan Users] Cannot ping the vpn gateway
> > Hi,
> > I'm using OpenS/WAN 2.3.1 and kernel 126.96.36.199 with native IPSEC
> > I've the following setting in the ipsec.conf:
> > include /etc/ipsec.d/examples/no_oe.conf
> > conn Test
> > left=a.b.c.d
> > leftsubnet=10.0.0.0/8
> > email@example.com
> > leftrsasigkey=XXXXXXXXXXXXXXXXXXX
> > leftnexthop=e.f.g.h
> > right=i.j.k.l
> > rightsubnet=10.15.14.0/24
> > firstname.lastname@example.org
> > rightrsasigkey=YYYYYYYYYYYYYYYYYYY
> > rightnexthop=m.n.o.p
> > auto=add
> > >From the point when I establish the Test connection I'm
> not able to
> > >ping the
> > right vpn gateway's internal ip (10.15.14.1) from the right
> > local subnet.
> > Can anybody tell me, how can I solve this?
> > thank you
> > Zoltan
> > _______________________________________________
> > Users mailing list
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> Users mailing list
> Users at openswan.org
More information about the Users