[Openswan Users] Cannot ping the vpn gateway
Gömöri Zoltán
suf at freemail.hu
Tue Jul 12 16:21:49 CEST 2005
Hi,
Anybody has any idea on solving this problem?
Zoltan
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of Gömöri Zoltán
> Sent: Friday, July 08, 2005 9:52 AM
> To: users at openswan.org
> Subject: RE: [Openswan Users] Cannot ping the vpn gateway
>
> Hi,
>
> That is true, but if I can't ping the gateway it causes deeper problems.
> I checked the logs (actually I generated packet logs with iptables rules),
> and found that any packet initiated on the vpn gateway's local interface
> that has a target address in the local subnet is heading in the wrong
> direction. These packets are going out on the internet interface instead
> of the local one.
> So:
> 1. If I have any service listening on the local interface, it will be
> unusable from the local subnet.
> 2. This behaviour breaks the PMTU discovery mechanism. In detail: a machine
> on the local subnet sends a 1500 byte length packet through the gateway,
> with the DF bit set. The packet can't fit into the IPSEC tunnel (max MTU
> 1444 Byte). In the normal behaviour the gateway sends back an ICMP type 3
> code 4 packet telling the originator to lower the packet size. The
> originator resends a smaller packet or the original packet with the DF bit
> clear. In our case unfortunately the ICMP packet mentioned above goes out
> on the internet interface and therefore the originator never gets it, so
> it will try to continue sending 1500 Byte packets until it gives up.
>
> From what I've heard about this issue I have to establish an additional
> connection, but I've no clue what needs to be in it.
>
> Zoltan
>
> > -----Original Message-----
> > From: temmink [mailto:temmink at vrisned.com]
> > Sent: Friday, July 08, 2005 8:28 AM
> > To: 'Gömöri Zoltán'
> > Subject: RE: [Openswan Users] Cannot ping the vpn gateway
> >
> > Hi,
> >
> > You cannot ping the vpn gateway, but you can ping the systems
> > behind the
> > gateway.
> > So actually you can ping through the vpn-machine itself.
> >
> > M. Temmink
> > www.vrisned.com
> >
> >
> >
> > -----Original Message-----
> > From: users-bounces at openswan.org
> > [mailto:users-bounces at openswan.org] On Behalf Of
> > Gömöri Zoltán
> > Sent: Friday, 8 July 2005 7:36
> > To: users at openswan.org
> > Subject: [Openswan Users] Cannot ping the vpn gateway
> >
> > Hi,
> >
> > I'm using OpenS/WAN 2.3.1 and kernel 2.6.12.2 with native IPSEC
> >
> > I've the following setting in the ipsec.conf:
> >
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > conn Test
> > left=a.b.c.d
> > leftsubnet=10.0.0.0/8
> > leftid=@test.left
> > leftrsasigkey=XXXXXXXXXXXXXXXXXXX
> > leftnexthop=e.f.g.h
> > right=i.j.k.l
> > rightsubnet=10.15.14.0/24
> > rightid=@test.right
> > rightrsasigkey=YYYYYYYYYYYYYYYYYYY
> > rightnexthop=m.n.o.p
> > auto=add
> >
> > From the point when I establish the Test connection I'm not able to
> > ping the right vpn gateway's internal ip (10.15.14.1) from the right
> > local subnet.
> > Can anybody tell me, how can I solve this?
> >
> > thank you
> > Zoltan
> >
> > _______________________________________________
> > Users mailing list
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> >
> >
>
>
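The additional connection Zoltan asks about, as an added example that is not part of the thread: the configured subnets overlap (rightsubnet 10.15.14.0/24 lies inside leftsubnet 10.0.0.0/8), so on the right gateway any packet from 10.15.14.1 to its own LAN matches the tunnel's outbound policy and is sent towards the left peer, which is consistent with the misrouted ping replies and ICMP fragmentation-needed messages described above. The script below parses a conn block built from the values in the post, flags any side whose local subnet is contained in the peer subnet, and emits a type=passthrough conn that exempts LAN-internal traffic; the exact key set that conn requires is an assumption to check against ipsec.conf(5).

```python
import ipaddress

# Constructed ipsec.conf fragment: the conn from the post, trimmed to the keys
# this check needs (placeholder gateway addresses kept as they appear there).
IPSEC_CONF = """\
conn Test
    left=a.b.c.d
    leftsubnet=10.0.0.0/8
    right=i.j.k.l
    rightsubnet=10.15.14.0/24
    auto=add
"""

def parse_conns(text):
    """Minimal parser: a 'conn NAME' header followed by indented key=value lines."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def overlapping_subnets(conns):
    """Return (conn, side, own_subnet, peer_subnet) for each side whose own
    subnet lies inside the peer's: that gateway's LAN traffic hits the tunnel."""
    hits = []
    for name, conn in conns.items():
        if "leftsubnet" not in conn or "rightsubnet" not in conn:
            continue  # host-only conn, nothing to compare
        nets = {s: ipaddress.ip_network(conn[s + "subnet"], strict=False)
                for s in ("left", "right")}
        for side, peer in (("left", "right"), ("right", "left")):
            if nets[side].subnet_of(nets[peer]):
                hits.append((name, side, str(nets[side]), str(nets[peer])))
    return hits

def passthrough_conn(conn, name, subnet):
    """Exempt LAN-internal traffic from IPsec (key set assumed; see ipsec.conf(5))."""
    return (f"conn {name}-local\n    type=passthrough\n"
            f"    left={conn['left']}\n    leftsubnet={subnet}\n"
            f"    right={conn['right']}\n    rightsubnet={subnet}\n    auto=route\n")
```

Running `overlapping_subnets(parse_conns(IPSEC_CONF))` reports the right side, and `passthrough_conn` then prints the conn to add alongside `conn Test`.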