[Openswan Users] problems with ping to the other side of the VPN
Federico J. Fernández
ffernandez at distopro.com
Fri Mar 3 08:41:23 CET 2006
Thanks for your reply, Paul.
> Looks like the vpn gateway for 192.168.0.0 doesn't have ip forwarding
> enabled, or is mangling ipsec packets with NAT?
Sadly, I'm not controlling the other side (192.168.0.0). VPN end-point
at 192.168.0.0 is a hardware device, but they have other VPNs running
so I think that the ip_forwarding is enabled. I don't know a lot about
the firewall rules of that hardware device.. maybe the problem could
be there?
In my gateway (192.168.1.1 for 192.168.1.0 net) ip_forwarding is
enabled, and NAT was disabled in some tests (but normally it is
restricted to destinations different from 192.168.0.0/24).
To add some more information for the diagnostic, see what happens when
I trace a packet going from the 192.168.1.0 network to the
192.168.0.10 (in the other network).
1: curso (192.168.1.101) 0.213ms pmtu 1500
1: 192.168.1.1 (192.168.1.1) 12.106ms
2: 192.168.1.1 (192.168.1.1) asymm 1 2.370ms pmtu 1436
3: no reply
4: no reply
5: no reply
6: no reply
....
If I sniff the packets with tcpdump while I'm pinging I get:
23:28:31.673339 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF],
length: 112) globant.500 > 200-55-65-xx.dsl.prima.net.ar.500: isakmp
1.0 msgid : phase 2/others ? inf[E]: [encrypted hash]
23:28:31.674721 IP (tos 0x0, ttl 64, id 13355, offset 0, flags [DF],
length: 112) 200-55-65-xx.dsl.prima.net.ar.500 > globant.500: isakmp
1.0 msgid : phase 2/others ? inf[E]: [encrypted hash]
23:28:32.174275 IP (tos 0x0, ttl 64, id 49185, offset 0, flags [DF],
length: 136) 200-55-65-xx.dsl.prima.net.ar > globant:
ESP(spi=0xba34f913,seq=0x5960005a)
23:28:33.174928 IP (tos 0x0, ttl 64, id 32581, offset 0, flags [DF],
length: 136) 200-55-65-xx.dsl.prima.net.ar > globant:
ESP(spi=0xba34f913,seq=0x5960005b)
23:28:34.175640 IP (tos 0x0, ttl 64, id 49185, offset 0, flags [DF],
length: 136) 200-55-65-xx.dsl.prima.net.ar > globant:
ESP(spi=0xba34f913,seq=0x5960005c)
23:28:35.176724 IP (tos 0x0, ttl 64, id 32581, offset 0, flags [DF],
length: 136) 200-55-65-xx.dsl.prima.net.ar > globant:
ESP(spi=0xba34f913,seq=0x5960005d)
23:28:36.176934 IP (tos 0x0, ttl 64, id 49185, offset 0, flags [DF],
length: 136) 200-55-65-xx.dsl.prima.net.ar > globant:
ESP(spi=0xba34f913,seq=0x5960005e)
(200-55-65... host is my public IP, globant is an alias for the remote
end public IP)
I mean, some isakmp packets between 10 sec. and ESP traffic only going out..
Internet connection is through an ADSL Ethernet Modem.. maybe this
device is filtering ESP packets? maybe there is a problem in the other
end?
> > Following is the output of ipsec auto --up <connection> with a tcpdump
> > dumping the ipsec interface at port 500. Tell me if some other info is
> > required to be helped.
>
> That won't help. If the remote end is openswan, ask for 'ipsec verify'
> and/or 'ipsec barf' output.
As I said before, the remote end is a hardware device..
Thanks a lot!!
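The capture above shows ISAKMP flowing both ways but ESP leaving only. As an added example (not from this thread or from Openswan), here is a small Python parser over those tcpdump records that counts each protocol per direction, flags a host whose ESP gets no ESP back, and compares the largest ESP packet with the pmtu that tracepath reported; the hostnames come from the post, while parse_records, diagnose and the pmtu parameter are my own names.

```python
import re
from collections import Counter

# Constructed sample: the records from the tcpdump output in the post above,
# each on one line (the mail client wrapped them) and trimmed to one ISAKMP
# packet each way plus the first three outbound ESP packets.
SAMPLE_TCPDUMP = """\
23:28:31.673339 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], length: 112) globant.500 > 200-55-65-xx.dsl.prima.net.ar.500: isakmp 1.0 msgid : phase 2/others ? inf[E]: [encrypted hash]
23:28:31.674721 IP (tos 0x0, ttl 64, id 13355, offset 0, flags [DF], length: 112) 200-55-65-xx.dsl.prima.net.ar.500 > globant.500: isakmp 1.0 msgid : phase 2/others ? inf[E]: [encrypted hash]
23:28:32.174275 IP (tos 0x0, ttl 64, id 49185, offset 0, flags [DF], length: 136) 200-55-65-xx.dsl.prima.net.ar > globant: ESP(spi=0xba34f913,seq=0x5960005a)
23:28:33.174928 IP (tos 0x0, ttl 64, id 32581, offset 0, flags [DF], length: 136) 200-55-65-xx.dsl.prima.net.ar > globant: ESP(spi=0xba34f913,seq=0x5960005b)
23:28:34.175640 IP (tos 0x0, ttl 64, id 49185, offset 0, flags [DF], length: 136) 200-55-65-xx.dsl.prima.net.ar > globant: ESP(spi=0xba34f913,seq=0x5960005c)
"""

# One tcpdump -v record: timestamp, IP header summary, "src > dst:" and the
# payload, which is either "isakmp ..." (UDP/500) or "ESP(spi=...,seq=...)".
RECORD = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?length: (?P<len>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<proto>isakmp|ESP)"
    r"(?:\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\))?"
)

def parse_records(text):
    """Parse each tcpdump line into a dict; ISAKMP hosts lose their '.500' port suffix."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # skip records that are neither ISAKMP nor ESP
        d = m.groupdict()
        d["src"] = re.sub(r"\.500$", "", d["src"])
        d["dst"] = re.sub(r"\.500$", "", d["dst"])
        out.append(d)
    return out

def diagnose(text, pmtu=None):
    """Count ISAKMP/ESP per direction, flag hosts whose ESP gets no ESP back,
    and compare the largest ESP packet against a path MTU from tracepath."""
    recs = parse_records(text)
    flows = Counter((r["proto"], r["src"], r["dst"]) for r in recs)
    esp_out = Counter(r["src"] for r in recs if r["proto"] == "ESP")
    esp_in = Counter(r["dst"] for r in recs if r["proto"] == "ESP")
    max_esp = max((int(r["len"]) for r in recs if r["proto"] == "ESP"), default=0)
    return {
        "flows": dict(flows),
        # ISAKMP both ways but no ESP coming back: look at forwarding, NAT or
        # filtering on the silent side rather than at the SA negotiation.
        "one_way_esp": sorted(h for h in esp_out if esp_in[h] == 0),
        "esp_exceeds_pmtu": pmtu is not None and max_esp > pmtu,
    }
```

Run with pmtu=1436 (the value tracepath printed above) the one-way list names the local public host and the MTU check stays false, so the 136-byte ESP packets are not being dropped for size.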