[Openswan Users] problems with ping to the other side of the VPN

Wed Mar 1 16:29:16 CET 2006

Hi!

I'm setting up a VPN to some other net (that I don't manage), but I
have problems pinging boxes at the other side.

The conection is set up perfect, and from the other gateway the pings works ok.

I mean, I have two internal networks, mine is 192.168.1.0 and the
other is 192.168.0.0. From the gateway of the 192.168.0.0 net they can
ping internal machines in the 192.168.1.0 network. But, from the
192.168.1.1 I can't ping (none of the packets arrive) the remote
machines.

Following is the output of ipsec auto --up <connection> with a tcpdump
dumping the ipsec interface at port 500. Tell me if some other info is
required to be helped.

Thanks!

07:14:34.231253 IP IP_LEFT.500 > IP_RIGHT.500: isakmp: phase 1 I agg
07:14:34.270753 IP IP_RIGHT.500 > IP_LEFT.500: isakmp: phase 1 R agg
07:14:34.374562 IP IP_LEFT.500 > IP_RIGHT.500: isakmp: phase 1 I agg[E]
07:14:34.432885 IP IP_LEFT.500 > IP_RIGHT.500: isakmp: phase 2/others
I oakley-quick[E]
07:14:34.471192 IP IP_RIGHT.500 > IP_LEFT.500: isakmp: phase 2/others
R oakley-quick[E]
07:14:34.654451 IP IP_LEFT.500 > IP_RIGHT.500: isakmp: phase 2/others
I oakley-quick[E]
gateway ~ #
07:14:35.153979 IP IP_RIGHT.500 > IP_LEFT.500: isakmp: phase 1 I ident
104 "openswana-openswanb" #3: STATE_MAIN_I1: initiate
07:14:35.186103 IP IP_LEFT.500 > IP_RIGHT.500: isakmp: phase 1 R ident
003 "openswana-openswanb" #3: received Vendor ID payload [Dead Peer Detection]
07:14:35.209538 IP IP_RIGHT.500 > IP_LEFT.500: isakmp: phase 1 I ident
106 "openswana-openswanb" #3: STATE_MAIN_I2: sent MI2, expecting MR2
07:14:35.350106 IP IP_LEFT.500 > IP_RIGHT.500: isakmp: phase 1 R ident
07:14:35.368349 IP IP_RIGHT.500 > IP_LEFT.500: isakmp: phase 1 I ident[E]
108 "openswana-openswanb" #3: STATE_MAIN_I3: sent MI3, expecting MR3
07:14:35.397937 IP IP_LEFT.500 > IP_RIGHT.500: isakmp: phase 1 R ident[E]
004 "openswana-openswanb" #3: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=
oakley_sha group=modp1024}
07:14:35.423764 IP IP_RIGHT.500 > IP_LEFT.500: isakmp: phase 2/others
I oakley-quick[E]
117 "openswana-openswanb" #4: STATE_QUICK_I1: initiate
07:14:35.578015 IP IP_LEFT.500 > IP_RIGHT.500: isakmp: phase 2/others
R oakley-quick[E]
07:14:35.596710 IP IP_RIGHT.500 > IP_LEFT.500: isakmp: phase 2/others
I oakley-quick[E]
004 "openswana-openswanb" #4: STATE_QUICK_I2: sent QI2, IPsec SA
established {ESP=>0xba3451bd <0x4ba67966 xfrm=3DES_0-HMAC_SH
A1 NATD=none DPD=none}
gateway ~ # 07:14:35.629619 IP IP_LEFT.500 > IP_RIGHT.500: isakmp:
phase 2/others R inf[E]
07:14:35.632397 IP IP_RIGHT.500 > IP_LEFT.500: isakmp: phase 2/others I inf[E]
07:14:35.633773 IP IP_LEFT.500 > IP_RIGHT.500: isakmp: phase 2/others I inf[E]

(where IP_RIGHT and IP_LEFT are the public IPs of both end-points)