[Openswan Users] Cannot ping from net to net configuration
Daniele Melosi
Mailing2004 at melosi.it
Mon Apr 24 19:15:24 CEST 2006
Good Afternoon,
I have this strange problem (I'm unable to ping from net to net) with an
IPsec net2net configuration; the config file is:
-- start conf file ---
config setup
#interfaces=%defaultroute
#forwardcontrol=yes
klipsdebug=all
plutodebug=all
conn firenzemilano
left=xxx.yyy.97.30
leftsubnet=192.168.70.0/24
# RSA 2048 bits ipsec2mi Thu Apr 20 18:49:38 2006
leftrsasigkey=0sAQOSN9lKw9Op8wqDjCbhPkiSVS[cut]
leftid=@ipsec2mi.xxxx.it
#leftnexthop=%defaultroute
right=xxx.yyy.127.25
rightsubnet=zzz.yyyy.122.208/29
# RSA 2048 bits ipsec2fi Tue Oct 25 06:28:37 2005
rightrsasigkey=0sAQNplGefFpF4jygV[cut]
rightid=@ipsec2fi.xxxx.it
auto=add
#auto=start
#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
-- end conf file --
When I started the connection I received the following output:
ipsec2fi ~ # ipsec auto --up firenzemilano
104 "firenzemilano" #19: STATE_MAIN_I1: initiate
003 "firenzemilano" #19: received Vendor ID payload [Openswan (this
version) 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "firenzemilano" #19: received Vendor ID payload [Dead Peer Detection]
106 "firenzemilano" #19: STATE_MAIN_I2: sent MI2, expecting MR2
108 "firenzemilano" #19: STATE_MAIN_I3: sent MI3, expecting MR3
004 "firenzemilano" #19: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1536}
117 "firenzemilano" #20: STATE_QUICK_I1: initiate
004 "firenzemilano" #20: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0xd88f34a2 <0xf12f0b18 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
with tcpdump (on ipsec2fi):
18:01:32.670821 IP (tos 0x0, ttl 64, id 0,
offset 0, flags [DF], proto: UDP (17), length: 240) xxx.yyy.127.25.500 >
xxx.yyy.97.30.500: isakmp 1.0 msgid : phase 1 I ident: [|sa]
18:01:32.712631 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto:
UDP (17), length: 144) xxx.yyy.97.30.500 > xxx.yyy.127.25.500: isakmp
1.0 msgid : phase 1 R ident: [|sa]
18:01:32.723233 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto:
UDP (17), length: 272) xxx.yyy.127.25.500 > xxx.yyy.97.30.500: isakmp
1.0 msgid : phase 1 I ident: [|ke]
18:01:32.789140 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto:
UDP (17), length: 272) xxx.yyy.97.30.500 > xxx.yyy.127.25.500: isakmp
1.0 msgid : phase 1 R ident: [|ke]
18:01:32.817444 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto:
UDP (17), length: 344) xxx.yyy.127.25.500 > xxx.yyy.97.30.500: isakmp
1.0 msgid : phase 1 I ident[E]: [encrypted id]
18:01:32.899139 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto:
UDP (17), length: 344) xxx.yyy.97.30.500 > xxx.yyy.127.25.500: isakmp
1.0 msgid : phase 1 R ident[E]: [encrypted id]
18:01:32.914608 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto:
UDP (17), length: 464) xxx.yyy.127.25.500 > xxx.yyy.97.30.500: isakmp
1.0 msgid : phase 2/others I oakley-quick[E]: [encrypted hash]
18:01:32.993829 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto:
UDP (17), length: 376) xxx.yyy.97.30.500 > xxx.yyy.127.25.500: isakmp
1.0 msgid : phase 2/others R oakley-quick[E]: [encrypted hash]
18:01:33.032381 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto:
UDP (17), length: 80) xxx.yyy.127.25.500 > xxx.yyy.97.30.500: isakmp 1.0
msgid : phase 2/others I oakley-quick[E]: [encrypted hash]
ipsec verify returns:
ipsec2fi ~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.16.9-dada01dada (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]
ip_forward is enabled on both gateways.
In this situation I'm unable to ping any host behind the first gw
(ipsec2mi) from any host behind the second gw (ipsec2fi).
Please give me some troubleshooting tips.
Thanks in advance.
Daniele
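An added diagnostic, not from the post or from Openswan, that reads tcpdump -v lines like the ones quoted above and classifies what they show: whether the IKE exchange (phase 1 and Quick Mode) completed and whether any ESP packets followed, because a capture taken while pinging that shows only UDP/500 traffic means the pings never entered the tunnel, so the fault is in kernel policy, routing or forwarding rather than in pluto. The sample lines are constructed; the two ESP lines are assumed and use the SPIs from the pluto output above.

```python
import re
from collections import Counter

# Constructed sample (addresses masked as in the post): phase 1 and Quick
# Mode complete, but nothing else on the wire, which is what the post shows.
IKE_ONLY = """\
18:01:32.670821 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 240) xxx.yyy.127.25.500 > xxx.yyy.97.30.500: isakmp 1.0 msgid : phase 1 I ident: [|sa]
18:01:32.712631 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto: UDP (17), length: 144) xxx.yyy.97.30.500 > xxx.yyy.127.25.500: isakmp 1.0 msgid : phase 1 R ident: [|sa]
18:01:32.914608 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 464) xxx.yyy.127.25.500 > xxx.yyy.97.30.500: isakmp 1.0 msgid : phase 2/others I oakley-quick[E]: [encrypted hash]
18:01:32.993829 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto: UDP (17), length: 376) xxx.yyy.97.30.500 > xxx.yyy.127.25.500: isakmp 1.0 msgid : phase 2/others R oakley-quick[E]: [encrypted hash]
"""
# Assumed ESP lines in the same tcpdump -v style, using the SPIs pluto printed.
WITH_ESP = IKE_ONLY + """\
18:01:40.100000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto: ESP (50), length: 136) xxx.yyy.127.25 > xxx.yyy.97.30: ESP(spi=0xd88f34a2,seq=0x1)
18:01:40.180000 IP (tos 0x0, ttl 53, id 1, offset 0, flags [DF], proto: ESP (50), length: 136) xxx.yyy.97.30 > xxx.yyy.127.25: ESP(spi=0xf12f0b18,seq=0x1)
"""

ISAKMP_RE = re.compile(r"proto: UDP \(17\).*?: isakmp \S+ msgid : phase (\S+) ([IR]) ")
ESP_RE = re.compile(r"proto: ESP \(50\).*?ESP\(spi=(0x[0-9a-f]+),seq=")


def summarize(capture):
    """Count IKE messages per (phase, initiator/responder) and ESP packets per SPI."""
    ike, esp = Counter(), Counter()
    for line in capture.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            # "2/others" is tcpdump's label for Quick Mode; keep just the phase number
            ike[(m.group(1).split("/")[0], m.group(2))] += 1
            continue
        m = ESP_RE.search(line)
        if m:
            esp[m.group(1)] += 1
    return {"ike": dict(ike), "esp": dict(esp)}


def diagnose(capture):
    """Classify the data path: where to look next when the SAs are up but ping fails."""
    s = summarize(capture)
    if ("2", "I") not in s["ike"] or ("2", "R") not in s["ike"]:
        return "ike-incomplete"    # Quick Mode never finished: a pluto/config problem
    if not s["esp"]:
        return "no-esp"            # SAs established but never used: check xfrm policy/routing
    if len(s["esp"]) == 1:
        return "esp-one-way"       # one SPI only: the far gateway is not replying/forwarding
    return "esp-both-ways"         # tunnel carries traffic in both directions
```

Run it against a capture taken on the gateway while a host behind it pings the far subnet; "no-esp" is the case the post's capture would produce.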