[Openswan Users] Cannot ping the vpn gateway
Gömöri Zoltán
suf at freemail.hu
Thu Jul 14 11:38:14 CEST 2005
Hi,
I've tried both of the solutions you mentioned. It looks like none of
them works.
Zoltan
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Tuesday, July 12, 2005 4:23 PM
> To: Gömöri Zoltán
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Cannot ping the vpn gateway
>
> On Tue, 12 Jul 2005, Gömöri Zoltán wrote:
>
> Either add leftsourceip=internalIPofGateway or
> build for vpn connections:
>
> net-net (which you have now)
> host-net
> net-host
> host-host
>
> The last three are the same as the first, except they need to
> have a different name and they are missing one or both *subnet=
> statements.
>
> Paul
>
> > Date: Tue, 12 Jul 2005 15:21:49 +0200
> > From: "Gömöri Zoltán" <suf at freemail.hu>
> > To: users at openswan.org
> > Subject: RE: [Openswan Users] Cannot ping the vpn gateway
> >
> > Hi,
> >
> > Does anybody have any idea on solving this problem?
> >
> > Zoltan
> >
> >> -----Original Message-----
> >> From: users-bounces at openswan.org
> >> [mailto:users-bounces at openswan.org] On Behalf Of Gömöri Zoltán
> >> Sent: Friday, July 08, 2005 9:52 AM
> >> To: users at openswan.org
> >> Subject: RE: [Openswan Users] Cannot ping the vpn gateway
> >>
> >> Hi,
> >>
> >> That is true, but if I can't ping the gateway it causes deeper
> >> problems.
> >> I checked the logs (actually I generated packet logs with iptables
> >> rules), and found that any packet initiated on the vpn gateway's local
> >> interface that has a target address in the local subnet is heading in
> >> the wrong direction.
> >> These packets are going out on the internet interface instead of the
> >> local one.
> >> So:
> >> 1. If I have any service listening on the local interface, it will be
> >> unusable from the local subnet.
> >> 2. This behaviour breaks the PMTU discovery mechanism. In detail: a
> >> machine on the local subnet sends a 1500 byte length packet thru the
> >> gateway, with the DF bit set. The packet can't fit into the IPSEC
> >> tunnel (max MTU 1444 Byte). In the normal behaviour the gateway sends
> >> back an ICMP type 3 code 4 packet telling the originator to lower the
> >> packet size. The originator resends a lower size packet or the
> >> original packet with the DF bit clear.
> >> In our case unfortunately the ICMP packet mentioned above goes out on
> >> the internet interface and therefore the originator never gets it,
> >> therefore it will try to continue sending 1500 Byte packets until it
> >> gives up.
> >>
> >> From what I've heard about this issue I have to establish an
> >> additional connection, but I've no clue what needs to be in it.
> >>
> >> Zoltan
> >>
> >>> -----Original Message-----
> >>> From: temmink [mailto:temmink at vrisned.com]
> >>> Sent: Friday, July 08, 2005 8:28 AM
> >>> To: 'Gömöri Zoltán'
> >>> Subject: RE: [Openswan Users] Cannot ping the vpn gateway
> >>>
> >>> Hi,
> >>>
> >>> You cannot ping the vpn gateway, but you can ping the systems
> >>> behind the
> >>> gateway.
> >>> So actually you can ping through the vpn-machine itself.
> >>>
> >>> M. Temmink
> >>> www.vrisned.com
> >>>
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: users-bounces at openswan.org
> >>> [mailto:users-bounces at openswan.org] On Behalf Of
> >>> Gömöri Zoltán
> >>> Sent: Friday, 8 July 2005 7:36
> >>> To: users at openswan.org
> >>> Subject: [Openswan Users] Cannot ping the vpn gateway
> >>>
> >>> Hi,
> >>>
> >>> I'm using OpenS/WAN 2.3.1 and kernel 2.6.12.2 with native IPSEC
> >>>
> >>> I've the following setting in the ipsec.conf:
> >>>
> >>> include /etc/ipsec.d/examples/no_oe.conf
> >>>
> >>> conn Test
> >>>     left=a.b.c.d
> >>>     leftsubnet=10.0.0.0/8
> >>>     leftid=@test.left
> >>>     leftrsasigkey=XXXXXXXXXXXXXXXXXXX
> >>>     leftnexthop=e.f.g.h
> >>>     right=i.j.k.l
> >>>     rightsubnet=10.15.14.0/24
> >>>     rightid=@test.right
> >>>     rightrsasigkey=YYYYYYYYYYYYYYYYYYY
> >>>     rightnexthop=m.n.o.p
> >>>     auto=add
> >>>
> >>> From the point when I establish the Test connection I'm not able to
> >>> ping the right vpn gateway's internal ip (10.15.14.1) from the right
> >>> local subnet.
> >>> Can anybody tell me how I can solve this?
> >>>
> >>> thank you
> >>> Zoltan
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at openswan.org
> >>> http://lists.openswan.org/mailman/listinfo/users
> >>>
> >>>
> >>
> >>
> >
> >
>
> --
>
> "I am not even supposed to be here today!" -- Clerk
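As an added illustration (not a configuration posted in this thread), here is conn Test from the original post together with the host-net, net-host and host-host connections Paul describes, sharing their common settings through also=; Paul's other option, leftsourceip= (rightsourceip= on the right gateway), is noted in a comment. The left gateway's internal address 10.0.0.1 is an assumption; 10.15.14.1 and the a.b.c.d style placeholders come from the thread.

```ini
# Added example, not from the thread. Note that rightsubnet 10.15.14.0/24
# lies inside leftsubnet 10.0.0.0/8, so the right gateway's own traffic to
# its LAN matches the net-net policy; the extra conns add host policies.
# Paul's alternative: keep only conn Test and add
#     leftsourceip=10.0.0.1        (10.0.0.1 is an assumed value)
#     rightsourceip=10.15.14.1
# The also= line is kept last in each conn, and the shared section is
# placed after the conns that reference it, to satisfy older parsers.

# net-net, as in the original post
conn Test
    leftsubnet=10.0.0.0/8
    rightsubnet=10.15.14.0/24
    auto=add
    also=test-common

# left gateway host <-> right subnet
conn test-host-net
    rightsubnet=10.15.14.0/24
    auto=add
    also=test-common

# left subnet <-> right gateway host
conn test-net-host
    leftsubnet=10.0.0.0/8
    auto=add
    also=test-common

# gateway <-> gateway
conn test-host-host
    auto=add
    also=test-common

# shared identities, keys and next hops; no subnets and no auto=, so this
# section is never loaded on its own (auto defaults to ignore)
conn test-common
    left=a.b.c.d
    leftid=@test.left
    leftrsasigkey=XXXXXXXXXXXXXXXXXXX
    leftnexthop=e.f.g.h
    right=i.j.k.l
    rightid=@test.right
    rightrsasigkey=YYYYYYYYYYYYYYYYYYY
    rightnexthop=m.n.o.p
```

Each conn needs a distinct name, as Paul points out; the one-subnet and no-subnet variants are otherwise identical to Test.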