[Openswan Users] Problems with a tunnel

Michael mjm159 at ext.canterbury.ac.nz
Sun May 8 23:07:42 CEST 2005


Hi Michael (no not me, you),

I would take a good look at the returning ICMP packet.  The most obvious
suggestion is that the returning packet does not look like what your
(presumably stateful) firewall is expecting.  Perhaps the pinged client
is sending out dud checksums or returning the packet from another
interface and hence IP address.

Capture the packets with something like "tcpdump -i <dev> -s 2000 -w
icmp.cap -p icmp" and have a look at it in ethereal.

Cheers,
Michael (no not you, me).
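As an added example (not part of this thread, and not openswan or freeswan code): the advice above is to capture the ICMP traffic and inspect the returning packets for dud checksums or a reply arriving from a different address than the one pinged. The script below automates that inspection over a libpcap file: it parses Ethernet/IPv4/ICMP frames, verifies the IP header and ICMP checksums, pairs each echo reply with its request by identifier and sequence number, and flags replies whose source address is not the host that was pinged. The capture, addresses and identifiers are constructed inline so it runs offline; to run it on a real `icmp.cap`, replace `SAMPLE_PCAP` with the file's bytes.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, List

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd-length data is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IcmpRecord:
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int
    ip_csum_ok: bool
    icmp_csum_ok: bool


def build_echo(src: str, dst: str, icmp_type: int, ident: int, seq: int,
               corrupt_icmp: bool = False) -> bytes:
    """Construct an Ethernet/IPv4/ICMP echo frame (constructed sample data)."""
    payload = b"constructed-sample-payload"
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    csum = inet_checksum(icmp)
    if corrupt_icmp:
        csum ^= 0x0001  # flip a bit to simulate a "dud checksum"
    icmp = icmp[:2] + struct.pack("!H", csum) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + icmp


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian libpcap container with Ethernet link type."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1115593662 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(blob: bytes) -> Iterator[IcmpRecord]:
    """Yield one IcmpRecord per ICMP echo request/reply in an Ethernet pcap."""
    magic, = struct.unpack("<I", blob[:4])
    end = "<" if magic == PCAP_MAGIC else ">"
    off = 24  # skip the global header
    while off + 16 <= len(blob):
        _, _, incl, _ = struct.unpack(end + "IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 1:
            continue  # not ICMP
        icmp = ip[ihl:total_len]
        icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue
        yield IcmpRecord(src=socket.inet_ntoa(ip[12:16]), dst=socket.inet_ntoa(ip[16:20]),
                         icmp_type=icmp_type, ident=ident, seq=seq,
                         ip_csum_ok=inet_checksum(ip[:ihl]) == 0,   # valid header sums to 0
                         icmp_csum_ok=inet_checksum(icmp) == 0)


def audit_replies(records) -> List[str]:
    """Flag replies with bad checksums or a source that is not the host pinged."""
    findings, requests = [], {}  # requests: (ident, seq) -> address pinged
    for r in records:
        if r.icmp_type == ICMP_ECHO_REQUEST:
            requests[(r.ident, r.seq)] = r.dst
            continue
        tag = f"reply id={r.ident} seq={r.seq} from {r.src}"
        if not (r.ip_csum_ok and r.icmp_csum_ok):
            findings.append(f"{tag}: bad checksum (ip_ok={r.ip_csum_ok}, icmp_ok={r.icmp_csum_ok})")
        pinged = requests.get((r.ident, r.seq))
        if pinged is not None and pinged != r.src:
            findings.append(f"{tag}: expected source {pinged} (reply from another interface?)")
    return findings


# Constructed capture: one healthy exchange, one reply from the wrong address,
# one reply with a corrupted ICMP checksum.
SAMPLE_PCAP = build_pcap([
    build_echo("10.0.1.5", "10.0.2.7", ICMP_ECHO_REQUEST, 0x0100, 1),
    build_echo("10.0.2.7", "10.0.1.5", ICMP_ECHO_REPLY, 0x0100, 1),
    build_echo("10.0.1.5", "10.0.2.7", ICMP_ECHO_REQUEST, 0x0100, 2),
    build_echo("10.0.2.99", "10.0.1.5", ICMP_ECHO_REPLY, 0x0100, 2),
    build_echo("10.0.1.5", "10.0.2.7", ICMP_ECHO_REQUEST, 0x0100, 3),
    build_echo("10.0.2.7", "10.0.1.5", ICMP_ECHO_REPLY, 0x0100, 3, corrupt_icmp=True),
])

if __name__ == "__main__":
    for line in audit_replies(parse_pcap(SAMPLE_PCAP)):
        print(line)
```

A reply that fails either check is one a stateful firewall's conntrack will not match to the outgoing request, which is exactly the symptom of a reply seen on the internal interface but never re-encrypted on the external one.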
  

On Sun, 2005-05-08 at 11:27 +0200, Michael Schwartzkopff wrote:
> Hi,
> 
> we have defined a tunnel between two subnets. Everything was working fine for 
> half a year. Pings went from here to there and back. Now something strange 
> happened:
> 
> From the left subnet I can ping only one computer in the right subnet, but not 
> the second. If I do tcpdump on the interfaces of the right firewall I see:
> 
> - one encrypted packet is coming in on the ext. IF
> - one ICMP echo request is leaving the internal IF
> - one ICMP echo reply is entering the internal IF
> - NO encrypted packet is leaving the external IF
> 
> - Pings to another computer in the right subnet work.
> - I think I did all the firewalling correctly. I even tried to add special 
> ACCEPT rules. These rules are triggered.
> - Routing seems to be correct.
> - I restarted the ipsec tunnel with ipsec auto --down / --up
> 
> Any idea where the packets disappear?
> Any idea how I can trace the packets on the way through the kernel?
> 
> Setup: 
> Kernel 2.4.20-4GB and freeswan-1.99_0.9.34-93 from SuSE 8.2 professional.
> 
> 
> Thanks for any help
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users


