[Openswan Users] Packets being dropped

lee hughes toxicnaan at gmail.com
Sun May 8 04:48:27 CEST 2005


Hmm, I'm not really understanding your topology.

Did you send the whole traceroute? If you're trying to traceroute the
IPsec tunnel, then it's not going to say that much.

if you draw a diagram like this

LAN
10.10.0.245---------192.168.1.75-----------------Internet?--------------192.168.1.102-----10.10.0.48

I can see a possible problem: whenever I use openswan, I'm always going
between subnets, but the two end subnets with the numbers you gave me are
on the same subnet, 10.10.0.xxx. Now, I'm sure this is going to cause
problems; you could try renumbering both ends to different subnets,
let's say 10.10.0.245/24 and 10.10.1.48/24 perhaps?

I'm not sure if openswan will operate in this manner; I think you need
to be properly routing. You could probably do this with GRE and a
bridge by piping layer 2 packets down the IPsec tunnel. Is this
what you are after, perhaps?


37ms latency. Can I presume you've put the two 192.168.1.xxx addresses
in place of the real internet numbers? Have you? They are both on the same
subnet, which should cause a problem. Are you using a default route, and
what does it point to?

I can help you a little better with the next question.

> As I understand it the 2.6 code doesn't allow the openswan gateway to
> ping anything(and it is evidenced by it trying to send private ip
> addresses out the public internet gateway).  Could that have anything
> to do with it?
> 

I run 2.6, and my gateway can do that fine. I think that's more to do
with iptables and your firewall rules than anything else; perhaps
iptables is getting in the way?

I'm about out of ideas on this one; you're perhaps better off talking
to one of the openswan gurus on here.

Laters,

On 5/7/05, Jeremy Mann <jrmann1999 at gmail.com> wrote:
> From my win2k device behind a Dlink gateway...
> 
> tracert 192.168.1.75
> 
> 1     2ms        1ms        2ms         10.10.0.245
> 2    37ms        37ms        37ms         192.168.1.75
> 
> 10.10.0.245 is the ip address of my gateway device(the dlink)
> 
> my local ip address on this machine is 10.10.0.248
> 
> I could ping the link forever and never get a drop or timeout; it's
> solely when I send any other type of data across the route...
> 
> From the other end:
> 
> chat root # traceroute 10.10.0.148
> traceroute to 10.10.0.148 (10.10.0.148), 30 hops max, 40 byte packets
>  1  192.168.1.102 (192.168.1.102)  0.464 ms  0.455 ms  0.362 ms
>  2  10.10.0.148 (10.10.0.148)  36.466 ms  42.440 ms  38.211 ms
> 
> 192.168.1.102 is the remote network openswan server, the local ip
> address was 192.168.1.75
> 
> As I understand it the 2.6 code doesn't allow the openswan gateway to
> ping anything(and it is evidenced by it trying to send private ip
> addresses out the public internet gateway).  Could that have anything
> to do with it?
> 
> Tracing route
> 
> On 5/7/05, lee hughes <toxicnaan at gmail.com> wrote:
> > You've got a few
> >
> >  carrier:6          collisions:36887 txqueuelen:1000
> >
> > on your tx eth1, nothing to be worried about, but might indicate a
> > faulty card (if it's connected to a switch).
> >
> > Might be an MTU packet size problem; try pinging the remote gateway
> > with different size packets, and post your results.
> >
> > Some diag from the remote end may be useful.
> >
> > Also, a traceroute or tracepath of the internet route between you and
> > your remote gateway;
> > look for an unusually large number of hops, or packet loss.
> >
> > Has this link been working before, or is it a new link?
> >
> > On 5/7/05, Jeremy Mann <jrmann1999 at gmail.com> wrote:
> > > I am experiencing a problem with packets needing retransmission.  I'm
> > > doing a gateway to gateway connection from my home(dynamic IP) to my
> > > office.  The tunnel never dies, but if I try to do an SSH session
> > > across the tunnel, I can login just fine but running a ps -ef or top
> > > or whatever displays a little text then just locks up.  I've done a
> > > tethereal dump and this is what I see:
> > >
> > > root@$ tethereal -f 'net 10.10.0.0/24' -i eth1
> > > ...
> > >  6.149398  10.10.0.148 -> 192.168.1.75 TCP [TCP Dup ACK 115#4] 2347 >
> > > ssh [ACK] Seq=2216 Ack=2651 Win=16404 Len=0 SLE=2318769310
> > > SRE=2318769366 SLE=2318767850 SRE=2318767906
> > >   6.149526  10.10.0.148 -> 192.168.1.75 TCP [TCP Dup ACK 115#5] 2347 >
> > > ssh [ACK] Seq=2216 Ack=2651 Win=16404 Len=0 SLE=2318769310
> > > SRE=2318769366 SLE=2318767850 SRE=2318767906
> > >   6.282641 192.168.1.75 -> 10.10.0.148  SSHv2 [TCP Retransmission]
> > > Encrypted response packet len=1404
> > >   6.786695 192.168.1.75 -> 10.10.0.148  SSHv2 [TCP Retransmission]
> > > Encrypted response packet len=1404
> > >   7.794792 192.168.1.75 -> 10.10.0.148  SSHv2 [TCP Retransmission]
> > > Encrypted response packet len=1404
> > >   9.810995 192.168.1.75 -> 10.10.0.148  SSHv2 [TCP Retransmission]
> > > Encrypted response packet len=1404
> > >  13.843391 192.168.1.75 -> 10.10.0.148  SSHv2 [TCP Retransmission]
> > > Encrypted response packet len=1404
> > >
> > > The last bit happens over and over, which makes me think something is
> > > being dropped.  Attached is the output of ipsec barf; I could use some
> > > help if possible....
> > >
> > > The tunnel in question is home-tunnel, and I added ip addresses to my
> > > ethernet interfaces with ip addr add instead of doing an ifconfig
> > > eth0:#
> > >
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users at openswan.org
> > > http://lists.openswan.org/mailman/listinfo/users
> > >
> > >
> > >
> > >
> >
>
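The "ping the remote gateway with different size packets" check suggested earlier in the thread, written out as an added example (it is not code from any of the posts above, nor from openswan). It binary-searches the largest DF-marked ping the far gateway answers using iputils ping's -M do, and then derives the TCP segment size a packet can still carry once ESP tunnel-mode headers are added. The ESP overhead figure, the 192.168.1.102 target in the usage line and the probe size limits are assumptions for illustration; the fake probe used in testing is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find the path MTU to a gateway
# with DF-set pings, then derive the TCP MSS the IPsec tunnel can carry.
# Assumes Linux iputils ping: -M do sets DF, -s is the ICMP payload size.

# Worst-case ESP tunnel-mode overhead on IPv4 for AES-CBC + HMAC-SHA1-96:
# 20 outer IP + 8 SPI/seq + 16 IV + up to 15 pad + 2 trailer + 12 ICV.
# Assumed figure; adjust for the ciphers your connection actually uses.
ESP_OVERHEAD=73

# probe HOST PAYLOAD: succeed if one DF ping with this payload is answered.
probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_pmtu HOST [PROBE]: binary-search the largest payload the path passes
# unfragmented and print the matching IP MTU (payload + 8 ICMP + 20 IPv4).
# PROBE defaults to the real ping above; a fake can be substituted for testing.
find_pmtu() {
    host=$1
    probe_fn=${2:-probe}
    lo=0        # largest payload known to pass
    hi=1473     # first size that must fail on an untouched 1500-byte path
    # If even that passes, the path is larger than Ethernet; say so, don't guess.
    if "$probe_fn" "$host" "$hi"; then
        echo "path MTU is above 1500; raise hi in find_pmtu" >&2
        return 1
    fi
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe_fn" "$host" "$mid"; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo $((lo + 28))
}

# tunnel_mss PMTU: largest TCP payload that fits in one ESP packet on a path
# with that MTU (strip 20 inner IPv4 + 20 TCP plus the ESP overhead).
tunnel_mss() {
    echo $(( $1 - 40 - ESP_OVERHEAD ))
}

# Usage: sh pmtu.sh 192.168.1.102   (remote gateway address assumed)
if [ "$#" -gt 0 ]; then
    pmtu=$(find_pmtu "$1") || exit 1
    echo "path MTU to $1: $pmtu"
    echo "TCP MSS that survives the tunnel: $(tunnel_mss "$pmtu")"
fi
```

Run it from each gateway against the other's public address; from the Windows side the equivalent probe is `ping -f -l SIZE`. If the MSS it reports is below the 1404-byte segments retransmitting in the capture above, those segments are being dropped unfragmented somewhere on the path, which fits the symptom of small pings passing while bulk SSH output stalls. The usual fix on the openswan gateway is to clamp the MSS of forwarded SYNs, e.g. `iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`.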

