[Openswan Users] IPSec SA established but no traffic goes out?
Paul Wouters
paul at xelerance.com
Fri Nov 25 22:23:03 CET 2005
On Fri, 25 Nov 2005, Martin Hillier wrote:
> tcpdump -i eth0
>
> 19:48:37.115393 arp who-has 172.16.0.1 tell ??????.pureserver.info
> 19:48:38.115174 arp who-has 172.16.0.1 tell ??????.pureserver.info
>
> tcpdump host [right vpn ip]
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 19:50:00.461380 IP [right vpn ip] > p15179238.pureserver.info: ESP(spi=0x50a0c52c,seq=0x54)
> 19:50:00.461380 IP [right vpn ip] > p15179238.pureserver.info: icmp 24: echo request seq 24328
>
> But no extra ESP packets when i ping 172.16.0.1
Notice the arp for 172.16.0.1. Your machine believes 172.16.0.1 is in its local LAN.
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 10.255.255.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
> 172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Seems you're in the 172.16.0.0/24
> Two or more interfaces found, checking IP forwarding [FAILED]
That needs fixing too. Check /etc/sysctl.conf
> # nat_traversal=yes
> # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
>
> conn mobius
> left=[Left IP]
> leftsubnet=192.168.0.0/24
> right=[Right IP]
> rightsubnet=172.16.0.0/24
> authby=secret
> auto=route
So where does 172.16.0.0/24 live? Off of eth0 or behind right=? It cannot be
at both.
Paul
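
The overlap pointed out in the reply above can be checked mechanically. The following is an added example, not part of the original message or of Openswan: it compares the remote subnet of each conn against the directly connected routes in `route -n` output. The sample data is constructed from the thread, the left=/right= addresses and the default route are placeholders, and treating right= as the remote side is an assumption exposed as a parameter.

```python
import ipaddress

# Constructed sample data modelled on the thread. The left=/right= addresses and
# the default route are placeholders, not values from the original post.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.255.255.1    0.0.0.0         255.255.255.255 UH    0   0      0    eth0
172.16.0.0      0.0.0.0         255.255.255.0   U     0   0      0    eth0
0.0.0.0         10.255.255.1    0.0.0.0         UG    0   0      0    eth0
"""
IPSEC_CONF = """\
conn mobius
    left=192.0.2.10
    leftsubnet=192.168.0.0/24
    right=198.51.100.20
    rightsubnet=172.16.0.0/24
    authby=secret
    auto=route
"""

def connected_routes(route_text):
    """Yield (network, iface) for on-link routes: gateway 0.0.0.0, no G flag."""
    for line in route_text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # skip the title, header and malformed lines
        dest, gw, mask, flags, iface = f[0], f[1], f[2], f[3], f[7]
        if gw == "0.0.0.0" and "G" not in flags:
            yield ipaddress.ip_network(f"{dest}/{mask}"), iface

def tunnel_subnets(conf_text, remote="right"):
    """Yield (conn name, network) for the <remote>subnet= of each conn section."""
    conn = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            conn = line.split()[1]
        elif conn and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == remote + "subnet":
                yield conn, ipaddress.ip_network(value)

def find_conflicts(route_text, conf_text, remote="right"):
    """Return (conn, tunnel subnet, connected net, iface) for every overlap."""
    local = list(connected_routes(route_text))
    return [(conn, str(subnet), str(net), iface)
            for conn, subnet in tunnel_subnets(conf_text, remote)
            for net, iface in local if subnet.overlaps(net)]

if __name__ == "__main__":
    for conn, subnet, net, iface in find_conflicts(ROUTE_N, IPSEC_CONF):
        print(f"conn {conn}: {subnet} overlaps on-link route {net} via {iface}")
```

Any reported overlap means the kernel treats the tunnel destination as on-link and ARPs for it instead of sending ESP.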