[Openswan Users] IPSec SA estabished but no traffic goes out?
Martin Hillier
martin.hillier at nyquist-solutions.com
Wed Nov 30 15:24:20 CET 2005
I have just been told that from the right side they can ping 192.168.0.10
ok?? but i still cant get to them from the left subnet?
Martin.
----- Original Message -----
From: "Martin Hillier" <martin.hillier at nyquist-solutions.com>
To: <users at openswan.org>
Sent: Monday, November 28, 2005 12:15 PM
Subject: Re: [Openswan Users] IPSec SA estabished but no traffic goes out?
>I have just noticed something odd...
>
> looking at the tcpdump on eth0 again...
>
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 12:10:59.494690 IP [right] > ??????.pureserver.info:
> ESP(spi=0xef7a5888,seq=0x14)
> 12:10:59.494690 IP [right] > ??????.pureserver.info: icmp 24: echo request
> seq 42768
> 12:11:09.495042 IP [right] > ??????.pureserver.info:
> ESP(spi=0xef7a5888,seq=0x15)
> 12:11:09.495042 IP [right] > ??????.pureserver.info: icmp 24: echo request
> seq 43368
>
> I only see packets coming in from the right side of the vpn, nothing is
> going back out.
>
> I can ping the right ip address from ??????.pureserver.info and get
> replies and can also ping the ??????.pureserver.info and get replies from
> another ip.
>
> Any ideas?
>
> Martin.
>
> ----- Original Message -----
> From: "Necati Demir" <necati at labristeknoloji.com>
> To: <users at openswan.org>
> Sent: Monday, November 28, 2005 12:03 PM
> Subject: Re: [Openswan Users] IPSec SA estabished but no traffic goes out?
>
>
>> Did u solve the problem?
>> I have the same problem, it establishes but no traffic goes.
>>
>>> I still have no idea whats going on, either i am wondering if i am
>>> being very dumb??
>>>
>>> I have taken the 2.6.11.12 kernel and compiled it with the following
>>> network options
>>>
>>> CONFIG_PACKET=y
>>> # CONFIG_PACKET_MMAP is not set
>>> # CONFIG_NETLINK_DEV is not set
>>> CONFIG_UNIX=y
>>> CONFIG_NET_KEY=y
>>> CONFIG_INET=y
>>> # CONFIG_IP_MULTICAST is not set
>>> # CONFIG_IP_ADVANCED_ROUTER is not set
>>> # CONFIG_IP_PNP is not set
>>> CONFIG_NET_IPIP=m
>>> CONFIG_NET_IPGRE=m
>>> # CONFIG_ARPD is not set
>>> CONFIG_SYN_COOKIES=y
>>> CONFIG_INET_AH=m
>>> CONFIG_INET_ESP=m
>>> CONFIG_INET_IPCOMP=m
>>> CONFIG_INET_TUNNEL=m
>>> CONFIG_IP_TCPDIAG=y
>>> # CONFIG_IP_TCPDIAG_IPV6 is not set
>>> CONFIG_IPV6=m
>>> CONFIG_IPV6_PRIVACY=y
>>> CONFIG_INET6_AH=m
>>> CONFIG_INET6_ESP=m
>>> CONFIG_INET6_IPCOMP=m
>>> CONFIG_INET6_TUNNEL=m
>>> # CONFIG_IPV6_TUNNEL is not set
>>> # CONFIG_NETFILTER is not set
>>> CONFIG_XFRM=y
>>> CONFIG_XFRM_USER=m
>>>
>>> I have removed iptable support from the kernel
>>>
>>> I am trying the openswan programs 2.4.4 from the tarball at the moment.
>>>
>>> I have ip_forwarding enabled
>>>
>>> Tried removing SMP support from the kernel
>>>
>>> But every ping i send to the right subnet gets routed out on to eth0
>>> and does no go out over the tunnel.
>>>
>>> Could I be missing a kernel config option?
>>> Any ideas on what i should have a go at next?? Would it be worth
>>> trying klips again? (it crashes the kernel each time i do an ipsec
>>> --version)
>>>
>>>
>>>> I hope you wanted me to remove the route:
>>>>
>>>> Destination Gateway Genmask Flags Metric Ref
>>>> Use Iface
>>>> 172.16.0.0 * 255.255.255.0 U 0 0
>>>> 0 eth0
>>>>
>>>> This route gets added when the ipsec service starts
>>>>
>>>> Without this route pings to 172.16.0.1 produce...
>>>>
>>>> 19:28:08.103775 IP ???????.pureserver.info > 172.16.0.1: icmp 64:
>>>> echo request seq 2
>>>>
>>>> and no replies, with tcpdump
>>>>
>>>> ----- Original Message ----- From: "Paul Wouters" <paul at xelerance.com>
>>>> To: "Martin Hillier" <martin.hillier at nyquist-solutions.com>
>>>> Cc: <users at openswan.org>
>>>> Sent: Saturday, November 26, 2005 7:23 PM
>>>> Subject: Re: [Openswan Users] IPSec SA estabished but no traffic goes
>>>> out?
>>>>
>>>>
>>>>> On Sat, 26 Nov 2005, Martin Hillier wrote:
>>>>>
>>>>>> Just changed it and restarted the service, brought the vpn up and
>>>>>> its still
>>>>>> producing arp packets on eth0 when pinging 172.16.0.1.
>>>>>
>>>>>
>>>>> Remote the route that got inserted manually?
>>>>>
>>>>> Paul
>>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at openswan.org
>>>> http://lists.openswan.org/mailman/listinfo/users
>>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>>
>>
>>
>
>
> --------------------------------------------------------------------------------
>
>
>> _______________________________________________
>> Users mailing list
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>>
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
More information about the Users
mailing list