[Openswan Users] Cannot ping the vpn gateway

Paul Wouters paul at xelerance.com
Tue Jul 12 17:23:27 CEST 2005 

On Tue, 12 Jul 2005, Gömöri Zoltán wrote:

Either add leftsourceip=internalIPofGateway or
build for vpn connections:

net-net (which you have now)
host-net
net-host
host-host

The last three are the same as the first, except they need to
have a different name and they are missing one or both *subnet=
statements.

Paul

> Date: Tue, 12 Jul 2005 15:21:49 +0200
> From: "[iso-8859-2] Gömöri Zoltán" <suf at freemail.hu>
> To: users at openswan.org
> Subject: RE: [Openswan Users] Cannot ping the vpn gateway
> 
> Hi,
>
> Anybody has any idea on solving this problem?
>
> Zoltan
>
>> -----Original Message-----
>> From: users-bounces at openswan.org
>> [mailto:users-bounces at openswan.org] On Behalf Of Gömöri Zoltán
>> Sent: Friday, July 08, 2005 9:52 AM
>> To: users at openswan.org
>> Subject: RE: [Openswan Users] Cannot ping the vpn gateway
>>
>> Hi,
>>
>> That is true, but if I can't ping the gateway it cause deeper
>> problems.
>> I checked the logs (actually I generated packet logs with
>> iptables rules),
>> and found that
>> any packet initated on the vpn gateway's local interface and
>> has target
>> address in the local
>> subnet hading to the wrong direction.
>> This packets ar going out on the internet interface instead
>> of the local
>> one.
>> So:
>> 1. If I have any service listening on the local interface
>> will be unusable
>> from the local subnet.
>> 2. This behaviour brakes the PMTU discovery mechanism. In
>> detail a machine
>> on the local subnet
>> send an 1500 byte length packet thru the gateway, with the DF
>> bit set. The
>> packet can't fit into
>> the IPSEC tunnel (max MTU 1444 Byte). In the normal behaviour
>> the gateway
>> send back an ICMP
>> type 3 code 4 packet telling to the originator, to lower the
>> packet size.
>> The originator
>> resend a lower size packet or the original packet with DF bit clear.
>> In our case unfortunatelly the ICMP packet menitoned above
>> goes out on the
>> internet interface
>> and therefore the originator never gets it, therefore it will try to
>> continue sending 1500 Byte
>> packets until it gives up.
>>
>>> From what I've heard about this issue I have to establish an
>> additional
>> connection, but I've no clue
>> what need to be in it.
>>
>> Zoltan
>>
>>> -----Original Message-----
>>> From: temmink [mailto:temmink at vrisned.com]
>>> Sent: Friday, July 08, 2005 8:28 AM
>>> To: 'Gömöri Zoltán'
>>> Subject: RE: [Openswan Users] Cannot ping the vpn gateway
>>>
>>> Hi,
>>>
>>> You cannot ping the vpn gateway, but you can ping the systems
>>> behind the
>>> gateway.
>>> So actually you can ping through the vpn-machine itself.
>>>
>>> M. Temmink
>>> www.vrisned.com
>>>
>>>
>>>
>>> -----Oorspronkelijk bericht-----
>>> Van: users-bounces at openswan.org
>>> [mailto:users-bounces at openswan.org] Namens
>>> Gömöri Zoltán
>>> Verzonden: vrijdag 8 juli 2005 7:36
>>> Aan: users at openswan.org
>>> Onderwerp: [Openswan Users] Cannot ping the vpn gateway
>>>
>>> Hi,
>>>
>>> I'm using OpenS/WAN 2.3.1 and kernel 2.6.12.2 with native IPSEC
>>>
>>> I've the following setting in the ipsec.conf:
>>>
>>> include /etc/ipsec.d/examples/no_oe.conf
>>>
>>> conn Test
>>> 	left=a.b.c.d
>>> 	leftsubnet=10.0.0.0/8
>>> 	leftid=@test.left
>>> 	leftrsasigkey=XXXXXXXXXXXXXXXXXXX
>>> 	leftnexthop=e.f.g.h
>>> 	right=i.j.k.l
>>> 	rightsubnet=10.15.14.0/24
>>> 	rightid=@test.right
>>> 	rightrsasigkey=YYYYYYYYYYYYYYYYYYY
>>> 	rightnexthop=m.n.o.p
>>> 	auto=add
>>>
>>>> From the point when I establish the Test connection I'm
>> not able to
>>>> ping the
>>> right vpn gateway's internal ip (10.15.14.1) from the right
>>> local subnet.
>>> Can anybody tell me, how can I solve this?
>>>
>>> thank you
>>> Zoltan
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>>
>>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>>
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>

-- 

   "I am not even supposed to be here today!"  -- Clerk

More information about the Users mailing list