[Openswan Users] Cannot ping from net to net configuration (solved)

Daniele Melosi Mailing2004 at melosi.it
Wed Apr 26 11:19:26 CEST 2006


Solved!!!

It was *only* a firewall problem. My ACL blocked proto 50 packets. :-(

Daniele Melosi wrote:
> Good Afternoon,
> 
> I've this strange problem (I'm unable to ping from net to net) with an 
> ipsec net2net configuration; the config file is:
> 
> -- start conf file ---
> config setup
>         #interfaces=%defaultroute
>         #forwardcontrol=yes
>         klipsdebug=all
>         plutodebug=all
> 
> conn firenzemilano
>                 left=xxx.yyy.97.30
>                 leftsubnet=192.168.70.0/24
>                 # RSA 2048 bits   ipsec2mi   Thu Apr 20 18:49:38 2006
>                 leftrsasigkey=0sAQOSN9lKw9Op8wqDjCbhPkiSVS[cut]
>                 leftid=@ipsec2mi.xxxx.it
>                 #leftnexthop=%defaultroute
>                 right=xxx.yyy.127.25
>                 rightsubnet=zzz.yyyy.122.208/29
>                 # RSA 2048 bits   ipsec2fi   Tue Oct 25 06:28:37 2005
>                 rightrsasigkey=0sAQNplGefFpF4jygV[cut]
>                 rightid=@ipsec2fi.xxxx.it
>                 auto=add
>                 #auto=start
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec/ipsec.d/examples/no_oe.conf
> -- end conf file --
> 
> when I started the connection I received the following output:
> ipsec2fi ~ # ipsec auto --up firenzemilano
> 104 "firenzemilano" #19: STATE_MAIN_I1: initiate
> 003 "firenzemilano" #19: received Vendor ID payload [Openswan (this 
> version) 2.4.4  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
> 003 "firenzemilano" #19: received Vendor ID payload [Dead Peer Detection]
> 106 "firenzemilano" #19: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "firenzemilano" #19: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "firenzemilano" #19: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 
> group=modp1536}
> 117 "firenzemilano" #20: STATE_QUICK_I1: initiate
> 004 "firenzemilano" #20: STATE_QUICK_I2: sent QI2, IPsec SA established 
> {ESP=>0xd88f34a2 <0xf12f0b18 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
> 
> with tcpdump (on ipsec2f
> 18:01:32.670821 IP (tos 0x0, ttl  64, id 0, 
> offset 0, flags [DF], proto: UDP (17), length: 240) xxx.yyy.127.25.500 > 
> xxx.yyy.97.30.500: isakmp 1.0 msgid : phase 1 I ident: [|sa]
> 18:01:32.712631 IP (tos 0x0, ttl  53, id 0, offset 0, flags [DF], proto: 
> UDP (17), length: 144) xxx.yyy.97.30.500 > xxx.yyy.127.25.500: isakmp 
> 1.0 msgid : phase 1 R ident: [|sa]
> 18:01:32.723233 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: 
> UDP (17), length: 272) xxx.yyy.127.25.500 > xxx.yyy.97.30.500: isakmp 
> 1.0 msgid : phase 1 I ident: [|ke]
> 18:01:32.789140 IP (tos 0x0, ttl  53, id 0, offset 0, flags [DF], proto: 
> UDP (17), length: 272) xxx.yyy.97.30.500 > xxx.yyy.127.25.500: isakmp 
> 1.0 msgid : phase 1 R ident: [|ke]
> 18:01:32.817444 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: 
> UDP (17), length: 344) xxx.yyy.127.25.500 > xxx.yyy.97.30.500: isakmp 
> 1.0 msgid : phase 1 I ident[E]: [encrypted id]
> 18:01:32.899139 IP (tos 0x0, ttl  53, id 0, offset 0, flags [DF], proto: 
> UDP (17), length: 344) xxx.yyy.97.30.500 > xxx.yyy.127.25.500: isakmp 
> 1.0 msgid : phase 1 R ident[E]: [encrypted id]
> 18:01:32.914608 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: 
> UDP (17), length: 464) xxx.yyy.127.25.500 > xxx.yyy.97.30.500: isakmp 
> 1.0 msgid : phase 2/others I oakley-quick[E]: [encrypted hash]
> 18:01:32.993829 IP (tos 0x0, ttl  53, id 0, offset 0, flags [DF], proto: 
> UDP (17), length: 376) xxx.yyy.97.30.500 > xxx.yyy.127.25.500: isakmp 
> 1.0 msgid : phase 2/others R oakley-quick[E]: [encrypted hash]
> 18:01:33.032381 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: 
> UDP (17), length: 80) xxx.yyy.127.25.500 > xxx.yyy.97.30.500: isakmp 1.0 
> msgid : phase 2/others I oakley-quick[E]: [encrypted hash]
> 
> ipsec verify returns:
> ipsec2fi ~ # ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.4/K2.6.16.9-dada01dada (netkey)
> Checking for IPsec support in kernel                            [OK]
> Checking for RSA private key (/etc/ipsec/ipsec.secrets)         [OK]
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing                                  [OK]
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
> Opportunistic Encryption Support                                [DISABLED]
> 
> ip_forward is enabled on both gateways
> 
> In this situation I'm unable to ping any host behind the first gw 
> (ipsec2mi) from any host behind the second gw (ipsec2fi).
> 
> Please give me some troubleshooting tips.
> 
> Thanks in advance.
> Daniele
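The symptom in this thread (both IKE phases complete, `ipsec auto --up` reports the IPsec SA established, yet no traffic crosses the tunnel and the capture shows only UDP/500) is the classic signature of ESP (IP protocol 50) being filtered while IKE (UDP/500) is allowed. The following is an added example, not code from the original post or from Openswan: it parses `tcpdump -v` style lines and an `iptables-save` style rule dump to point at that failure mode. The capture lines are constructed after the format shown in the thread, the ESP line format follows tcpdump's usual `ESP(spi=...,seq=...)` output, the addresses are RFC 5737 documentation ranges standing in for the masked `xxx.yyy.*` hosts, and the rule checker is a heuristic over `-A CHAIN ... -j ACCEPT` syntax only (it does not follow jumps to user chains or conntrack rules).

```python
"""Diagnose a net-to-net IPsec tunnel from a tcpdump -v capture and an
iptables-save dump. Added example for this thread; not Openswan code."""
import re

ESP_PROTO = 50

# Older tcpdump prints "proto: UDP (17)", newer prints "proto UDP (17)".
PROTO_RE = re.compile(r"proto:?\s+\w+\s+\((\d+)\)")
# Endpoint pair after the IP header summary: "...) SRC > DST: ..."
ADDR_RE = re.compile(r"\)\s+(\S+)\s+>\s+(\S+):")

# Constructed capture modelled on the thread: IKE phase 1 and 2 complete
# over UDP/500, but no ESP packet ever appears (protocol 50 filtered).
SAMPLE_TRACE_NO_ESP = """\
18:01:32.670821 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 240) 203.0.113.25.500 > 198.51.100.30.500: isakmp 1.0 msgid : phase 1 I ident: [|sa]
18:01:32.712631 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto: UDP (17), length: 144) 198.51.100.30.500 > 203.0.113.25.500: isakmp 1.0 msgid : phase 1 R ident: [|sa]
18:01:32.914608 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 464) 203.0.113.25.500 > 198.51.100.30.500: isakmp 1.0 msgid : phase 2/others I oakley-quick[E]: [encrypted hash]
18:01:32.993829 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto: UDP (17), length: 376) 198.51.100.30.500 > 203.0.113.25.500: isakmp 1.0 msgid : phase 2/others R oakley-quick[E]: [encrypted hash]
"""

# Same negotiation followed by ESP in both directions (healthy tunnel).
SAMPLE_TRACE_WITH_ESP = SAMPLE_TRACE_NO_ESP + """\
18:01:35.100000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ESP (50), length: 136) 203.0.113.25 > 198.51.100.30: ESP(spi=0xd88f34a2,seq=0x1), length 116
18:01:35.180000 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto: ESP (50), length: 136) 198.51.100.30 > 203.0.113.25: ESP(spi=0xf12f0b18,seq=0x1), length 116
"""

# Constructed iptables-save excerpts: the first mirrors the ACL mistake in
# the thread (IKE accepted, ESP falls through to DROP); the second fixes it.
SAMPLE_RULES_BROKEN = """\
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
"""
SAMPLE_RULES_FIXED = """\
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -j DROP
"""


def _strip_port(addr: str, proto: int) -> str:
    # UDP/TCP endpoints print as host.port; ESP endpoints are bare hosts.
    return addr.rsplit(".", 1)[0] if proto in (6, 17) else addr


def parse_packet(line: str):
    """Extract protocol number, endpoints and (for ISAKMP) the IKE phase."""
    proto_m, addr_m = PROTO_RE.search(line), ADDR_RE.search(line)
    if not proto_m or not addr_m:
        return None
    proto = int(proto_m.group(1))
    src, dst = (_strip_port(a, proto) for a in addr_m.groups())
    phase = None
    if proto == 17 and "isakmp" in line:
        phase = 2 if "phase 2" in line else 1
    return {"proto": proto, "src": src, "dst": dst, "ike_phase": phase}


def diagnose_trace(trace: str, local_ip: str) -> dict:
    """Count IKE phases and ESP packets per direction, then give a verdict."""
    seen = {"ike_phase1": False, "ike_phase2": False, "esp_out": 0, "esp_in": 0}
    for line in trace.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        if pkt["ike_phase"] == 1:
            seen["ike_phase1"] = True
        elif pkt["ike_phase"] == 2:
            seen["ike_phase2"] = True
        elif pkt["proto"] == ESP_PROTO:
            seen["esp_out" if pkt["src"] == local_ip else "esp_in"] += 1
    if not seen["ike_phase1"]:
        verdict = "no IKE traffic: UDP/500 blocked or connection never started"
    elif not seen["ike_phase2"]:
        verdict = "IKE phase 1 only: quick mode (phase 2) never negotiated"
    elif seen["esp_out"] == 0 and seen["esp_in"] == 0:
        verdict = ("IPsec SA negotiated but no ESP on the wire: check that IP "
                   "protocol 50 is permitted on this gateway and on the path")
    elif seen["esp_in"] == 0:
        verdict = "ESP leaves but nothing returns: protocol 50 filtered upstream or on the peer"
    elif seen["esp_out"] == 0:
        verdict = "ESP arrives but nothing is sent: local policy or output filter drops protocol 50"
    else:
        verdict = "tunnel is carrying ESP in both directions"
    seen["verdict"] = verdict
    return seen


def missing_ipsec_accepts(rules: str, chain: str = "INPUT", nat_t: bool = False) -> list:
    """Return the IPsec flows with no ACCEPT rule in `chain` (heuristic)."""
    wanted = {"esp (proto 50)": False, "udp/500 (IKE)": False}
    if nat_t:  # UDP/4500 is only needed when NAT traversal is in use
        wanted["udp/4500 (NAT-T)"] = False
    for line in rules.splitlines():
        if not line.startswith(f"-A {chain} ") or "-j ACCEPT" not in line:
            continue
        if re.search(r"-p (esp|50)\b", line):
            wanted["esp (proto 50)"] = True
        port = re.search(r"-p udp\b.*--dport (\d+)", line)
        if port and port.group(1) == "500":
            wanted["udp/500 (IKE)"] = True
        if nat_t and port and port.group(1) == "4500":
            wanted["udp/4500 (NAT-T)"] = True
    return [name for name, ok in wanted.items() if not ok]


if __name__ == "__main__":
    print(diagnose_trace(SAMPLE_TRACE_NO_ESP, "203.0.113.25")["verdict"])
    print("missing:", missing_ipsec_accepts(SAMPLE_RULES_BROKEN))
```

Run the capture through `diagnose_trace` with the capturing gateway's own address as `local_ip`; the verdict distinguishes "IKE never happened" (UDP/500 problem) from "SA established but protocol 50 never flows" (the case in this thread) and from a one-way ESP path. The rule check is deliberately simple and should be read alongside the full ruleset, since ESP may legitimately be accepted in a user-defined chain or by a conntrack rule that it does not follow.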


