[Openswan Users] 1.0.8, strange problem with pings

Dmitry Melekhov dm at belkam.com
Wed May 18 09:39:25 CEST 2005


Hello!

I run openswan on several hosts.

There is a main host with several eth interfaces, and there are peripheral hosts with 2 interfaces.

The very strange problem is that the main host sometimes does not pass ICMPs from ipsecX to ethX.

The schema is as follows:

192.168.22.220 ---main LAN <----eth0(192.168.22.203)  
ipsec2(eth2)(172.16.4.2) -------> <---eth0(ipsec0)(172.16.4.20)--eth1 
(192.168.111.1)-->LAN

Here is what I get:

on 192.168.22.220:

vader:~ # ping 192.168.111.1
PING 192.168.111.1 (192.168.111.1) from 192.168.22.220 : 56(84) bytes of data.

--- 192.168.111.1 ping statistics ---
5 packets transmitted, 0 received, 100% loss, time 4043ms


On the host with freeswan:

vpn_22_203: -root-
# tcpdump -i ipsec2
tcpdump: listening on ipsec2
03:36:03.781851 192.168.22.220 > 192.168.111.1: icmp: echo request (DF)
03:36:04.791345 192.168.22.220 > 192.168.111.1: icmp: echo request (DF)
03:36:05.791377 192.168.22.220 > 192.168.111.1: icmp: echo request (DF)
03:36:06.791649 192.168.22.220 > 192.168.111.1: icmp: echo request (DF)

But nothing goes to eth2:

# tcpdump -i eth2
tcpdump: listening on eth2


If I ping from another host on the LAN, e.g. 192.168.22.229:

[dm at dm dm]$ ping 192.168.111.1
PING 192.168.111.1 (192.168.111.1) 56(84) bytes of data.
64 bytes from 192.168.111.1: icmp_seq=1 ttl=63 time=20.6 ms
64 bytes from 192.168.111.1: icmp_seq=2 ttl=63 time=34.8 ms
64 bytes from 192.168.111.1: icmp_seq=3 ttl=63 time=19.2 ms

# tcpdump -i ipsec2
tcpdump: listening on ipsec2
03:37:31.537058 192.168.22.229 > 192.168.111.1: icmp: echo request (DF)
03:37:31.564922 192.168.111.1 > 192.168.22.229: icmp: echo reply

# tcpdump -i eth2
tcpdump: listening on eth2
03:37:43.637609 172.16.4.2 > 172.16.4.20: ESP(spi=0x2eefeeb0,seq=0x16)
03:37:43.695564 172.16.4.20 > 172.16.4.2: ESP(spi=0x578ceb5b,seq=0x16)
03:37:44.639082 172.16.4.2 > 172.16.4.20: ESP(spi=0x2eefeeb0,seq=0x17)
03:37:44.720881 172.16.4.20 > 172.16.4.2: ESP(spi=0x578ceb5b,seq=0x17)
03:37:45.641055 172.16.4.2 > 172.16.4.20: ESP(spi=0x2eefeeb0,seq=0x18)
03:37:45.699849 172.16.4.20 > 172.16.4.2: ESP(spi=0x578ceb5b,seq=0x18)
03:37:46.950542 172.16.4.20 > 172.16.4.2: ESP(spi=0x578ceb5c,seq=0x1f6)
03:37:46.951541 172.16.4.2 > 172.16.4.20: ESP(spi=0x2eefeeb1,seq=0x1ee)


I.e. all is OK.

But other (non-ICMP) traffic works OK:

From 192.168.22.220:

vader:~ # ssh 192.168.111.1
The authenticity of host '192.168.111.1 (192.168.111.1)' can't be established.
RSA key fingerprint is 43:63:4f:32:dd:ae:dd:eb:29:75:81:89:7e:fa:f3:81.
Are you sure you want to continue connecting (yes/no)?

Any ideas?

BTW, sometimes this problem can be solved by restarting ipsec, but only for some time...
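The symptom in this post, plaintext echo requests visible on ipsec2 but no ESP leaving eth2, can be checked mechanically by correlating the two captures. The script below is an added example, not part of the original message; it assumes the old tcpdump line format quoted above ("SRC > DST: icmp: echo request (DF)" and "SRC > DST: ESP(spi=...,seq=...)") and uses constructed sample lines modelled on the post.

```python
import re

# Matches the old tcpdump format quoted in the post, e.g.
#   "03:36:03.781851 192.168.22.220 > 192.168.111.1: icmp: echo request (DF)"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+([\d.]+)\s+>\s+([\d.]+):\s+(.*)$")
ESP_RE = re.compile(r"ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")


def parse(lines):
    """Return (ts, src, dst, kind, detail) tuples; kind is 'icmp' or 'esp'.
    detail is the ICMP type text ('echo request') or the ESP SPI."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips "tcpdump: listening on ..." and blank lines
        ts, src, dst, rest = m.groups()
        esp = ESP_RE.search(rest)
        if esp:
            out.append((ts, src, dst, "esp", esp.group(1)))
        elif rest.startswith("icmp:"):
            out.append((ts, src, dst, "icmp", rest[5:].strip().split(" (")[0]))
    return out


def check_tunnel(ipsec_lines, phys_lines):
    """Correlate plaintext on ipsecX with ESP on the physical interface.
    'stuck' flags the post's symptom: echo requests entered the tunnel
    but nothing was emitted as ESP on the physical side."""
    inner = parse(ipsec_lines)
    outer = parse(phys_lines)
    requests = sum(p[3] == "icmp" and p[4] == "echo request" for p in inner)
    replies = sum(p[3] == "icmp" and p[4] == "echo reply" for p in inner)
    spis = [p[4] for p in outer if p[3] == "esp"]  # one entry per ESP packet
    return {
        "echo_requests_in": requests,
        "echo_replies_in": replies,
        "esp_packets": len(spis),
        "esp_spis": sorted(set(spis)),
        "stuck": requests > 0 and not spis,
    }


# Constructed captures modelled on the post (not the original output verbatim).
BROKEN_IPSEC2 = ["tcpdump: listening on ipsec2",
                 "03:36:03.781851 192.168.22.220 > 192.168.111.1: icmp: echo request (DF)",
                 "03:36:04.791345 192.168.22.220 > 192.168.111.1: icmp: echo request (DF)"]
BROKEN_ETH2 = ["tcpdump: listening on eth2"]
OK_IPSEC2 = ["03:37:31.537058 192.168.22.229 > 192.168.111.1: icmp: echo request (DF)",
             "03:37:31.564922 192.168.111.1 > 192.168.22.229: icmp: echo reply"]
OK_ETH2 = ["03:37:43.637609 172.16.4.2 > 172.16.4.20: ESP(spi=0x2eefeeb0,seq=0x16)",
           "03:37:43.695564 172.16.4.20 > 172.16.4.2: ESP(spi=0x578ceb5b,seq=0x16)"]
```

Feed it the two captures taken over the same interval; a "stuck" result with a non-empty SPI list from an earlier run points at the tunnel state rather than at routing, which is the distinction a restart of ipsec would mask.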