[Openswan Users] IPSec SA estabished but no traffic goes out?
Martin Hillier
martin.hillier at nyquist-solutions.com
Mon Nov 28 12:15:02 CET 2005
I have just noticed something odd...
looking at the tcpdump on eth0 again...
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:10:59.494690 IP [right] > ??????.pureserver.info:
ESP(spi=0xef7a5888,seq=0x14)
12:10:59.494690 IP [right] > ??????.pureserver.info: icmp 24: echo request
seq 42768
12:11:09.495042 IP [right] > ??????.pureserver.info:
ESP(spi=0xef7a5888,seq=0x15)
12:11:09.495042 IP [right] > ??????.pureserver.info: icmp 24: echo request
seq 43368
I only see packets coming in from the right side of the vpn, nothing is
going back out.
I can ping the right ip address from ??????.pureserver.info and get replies
and can also ping the ??????.pureserver.info and get replies from another
ip.
Any ideas?
Martin.
----- Original Message -----
From: "Necati Demir" <necati at labristeknoloji.com>
To: <users at openswan.org>
Sent: Monday, November 28, 2005 12:03 PM
Subject: Re: [Openswan Users] IPSec SA estabished but no traffic goes out?
> Did u solve the problem?
> I have the same problem, it establishes but no traffic goes.
>
>> I still have no idea whats going on, either i am wondering if i am
>> being very dumb??
>>
>> I have taken the 2.6.11.12 kernel and compiled it with the following
>> network options
>>
>> CONFIG_PACKET=y
>> # CONFIG_PACKET_MMAP is not set
>> # CONFIG_NETLINK_DEV is not set
>> CONFIG_UNIX=y
>> CONFIG_NET_KEY=y
>> CONFIG_INET=y
>> # CONFIG_IP_MULTICAST is not set
>> # CONFIG_IP_ADVANCED_ROUTER is not set
>> # CONFIG_IP_PNP is not set
>> CONFIG_NET_IPIP=m
>> CONFIG_NET_IPGRE=m
>> # CONFIG_ARPD is not set
>> CONFIG_SYN_COOKIES=y
>> CONFIG_INET_AH=m
>> CONFIG_INET_ESP=m
>> CONFIG_INET_IPCOMP=m
>> CONFIG_INET_TUNNEL=m
>> CONFIG_IP_TCPDIAG=y
>> # CONFIG_IP_TCPDIAG_IPV6 is not set
>> CONFIG_IPV6=m
>> CONFIG_IPV6_PRIVACY=y
>> CONFIG_INET6_AH=m
>> CONFIG_INET6_ESP=m
>> CONFIG_INET6_IPCOMP=m
>> CONFIG_INET6_TUNNEL=m
>> # CONFIG_IPV6_TUNNEL is not set
>> # CONFIG_NETFILTER is not set
>> CONFIG_XFRM=y
>> CONFIG_XFRM_USER=m
>>
>> I have removed iptable support from the kernel
>>
>> I am trying the openswan programs 2.4.4 from the tarball at the moment.
>>
>> I have ip_forwarding enabled
>>
>> Tried removing SMP support from the kernel
>>
>> But every ping i send to the right subnet gets routed out on to eth0
>> and does no go out over the tunnel.
>>
>> Could I be missing a kernel config option?
>> Any ideas on what i should have a go at next?? Would it be worth
>> trying klips again? (it crashes the kernel each time i do an ipsec
>> --version)
>>
>>
>>> I hope you wanted me to remove the route:
>>>
>>> Destination Gateway Genmask Flags Metric Ref
>>> Use Iface
>>> 172.16.0.0 * 255.255.255.0 U 0 0
>>> 0 eth0
>>>
>>> This route gets added when the ipsec service starts
>>>
>>> Without this route pings to 172.16.0.1 produce...
>>>
>>> 19:28:08.103775 IP ???????.pureserver.info > 172.16.0.1: icmp 64:
>>> echo request seq 2
>>>
>>> and no replies, with tcpdump
>>>
>>> ----- Original Message ----- From: "Paul Wouters" <paul at xelerance.com>
>>> To: "Martin Hillier" <martin.hillier at nyquist-solutions.com>
>>> Cc: <users at openswan.org>
>>> Sent: Saturday, November 26, 2005 7:23 PM
>>> Subject: Re: [Openswan Users] IPSec SA estabished but no traffic goes
>>> out?
>>>
>>>
>>>> On Sat, 26 Nov 2005, Martin Hillier wrote:
>>>>
>>>>> Just changed it and restarted the service, brought the vpn up and
>>>>> its still
>>>>> producing arp packets on eth0 when pinging 172.16.0.1.
>>>>
>>>>
>>>> Remote the route that got inserted manually?
>>>>
>>>> Paul
>>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>>
>
>
--------------------------------------------------------------------------------
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
More information about the Users
mailing list