[Openswan Users] problems with ping to the other side of the VPN

Federico J. Fernández ffernandez at distopro.com
Fri Mar 3 08:41:23 CET 2006


Thanks for your reply, Paul.

> Looks like the vpn gateway for 192.168.0.0 doesn't have ip forwarding
> enabled, or is mangling ipsec packets with NAT?

Sadly, I'm not controlling the other side (192.168.0.0). The VPN end-point
at 192.168.0.0 is a hardware device, but they have other VPNs running,
so I think that ip_forwarding is enabled. I don't know a lot about
the firewall rules of that hardware device... maybe the problem could
be there?

In my gateway (192.168.1.1 for 192.168.1.0 net) ip_forwarding is
enabled, and NAT was disabled in some tests (but normally it is
restricted to destinations different from 192.168.0.0/24).

To add some more information for the diagnosis, see what happens when
I trace a packet going from the 192.168.1.0 network to
192.168.0.10 (in the other network).

 1:  curso (192.168.1.101)                                  0.213ms pmtu 1500
 1:  192.168.1.1 (192.168.1.1)                             12.106ms
 2:  192.168.1.1 (192.168.1.1)                            asymm  1   2.370ms pmtu 1436
 3:  no reply
 4:  no reply
 5:  no reply
 6:  no reply
....

If I sniff the packets with tcpdump while I'm pinging I get:

23:28:31.673339 IP (tos 0x0, ttl  55, id 0, offset 0, flags [DF],
length: 112) globant.500 > 200-55-65-xx.dsl.prima.net.ar.500: isakmp
1.0 msgid : phase 2/others ? inf[E]: [encrypted hash]
23:28:31.674721 IP (tos 0x0, ttl  64, id 13355, offset 0, flags [DF],
length: 112) 200-55-65-xx.dsl.prima.net.ar.500 > globant.500: isakmp
1.0 msgid : phase 2/others ? inf[E]: [encrypted hash]
23:28:32.174275 IP (tos 0x0, ttl  64, id 49185, offset 0, flags [DF],
length: 136) 200-55-65-xx.dsl.prima.net.ar > globant:
ESP(spi=0xba34f913,seq=0x5960005a)
23:28:33.174928 IP (tos 0x0, ttl  64, id 32581, offset 0, flags [DF],
length: 136) 200-55-65-xx.dsl.prima.net.ar > globant:
ESP(spi=0xba34f913,seq=0x5960005b)
23:28:34.175640 IP (tos 0x0, ttl  64, id 49185, offset 0, flags [DF],
length: 136) 200-55-65-xx.dsl.prima.net.ar > globant:
ESP(spi=0xba34f913,seq=0x5960005c)
23:28:35.176724 IP (tos 0x0, ttl  64, id 32581, offset 0, flags [DF],
length: 136) 200-55-65-xx.dsl.prima.net.ar > globant:
ESP(spi=0xba34f913,seq=0x5960005d)
23:28:36.176934 IP (tos 0x0, ttl  64, id 49185, offset 0, flags [DF],
length: 136) 200-55-65-xx.dsl.prima.net.ar > globant:
ESP(spi=0xba34f913,seq=0x5960005e)

(200-55-65... host is my public IP, globant is an alias for the remote
end public IP)

I mean, some isakmp packets every 10 sec. and ESP traffic only going out...

The Internet connection is through an ADSL Ethernet modem... maybe this
device is filtering ESP packets? Maybe there is a problem at the other
end?

> > Following is the output of ipsec auto --up <connection> with a tcpdump
> > dumping the ipsec interface at port 500. Tell me if some other info is
> > required to be helped.
>
> That won't help. If the remote end is openswan, ask for 'ipsec verify'
> and/or 'ipsec barf' output.

As I said before, the remote end is a hardware device...

Thanks a lot!!
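The symptom above (ESP leaving the local gateway with a steadily increasing sequence number, and nothing coming back) is easy to miss in a long tcpdump capture. The script below is an added example, not part of the post or of Openswan: it parses tcpdump's verbose output and reports which host pairs send ESP without ever receiving any ESP in return. The sample capture lines are constructed for the example, with each record on a single line (the post's output is wrapped) and with the hostnames `localgw` and `remotegw` standing in for the two gateways. A one-way ESP flow is consistent with something on the path dropping IP protocol 50, but the script only reports the asymmetry; it cannot tell you where the drop happens.

```python
import re
from collections import defaultdict

# Matches the unwrapped "tcpdump -v" ESP record format shown in the post, e.g.
# "23:28:32.174275 IP (tos 0x0, ttl 64, ...) localgw > remotegw: ESP(spi=0xba34f913,seq=0x5960005a)"
ESP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?\) "
    r"(?P<src>\S+) > (?P<dst>\S+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\)"
)

# Constructed sample: ISAKMP keepalive plus ESP in one direction only (what the post shows).
SAMPLE_ONE_WAY = [
    "23:28:31.673339 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], length: 112) "
    "remotegw.500 > localgw.500: isakmp 1.0 msgid : phase 2/others ? inf[E]: [encrypted hash]",
    "23:28:32.174275 IP (tos 0x0, ttl 64, id 49185, offset 0, flags [DF], length: 136) "
    "localgw > remotegw: ESP(spi=0xba34f913,seq=0x5960005a)",
    "23:28:33.174928 IP (tos 0x0, ttl 64, id 32581, offset 0, flags [DF], length: 136) "
    "localgw > remotegw: ESP(spi=0xba34f913,seq=0x5960005b)",
    "23:28:34.175640 IP (tos 0x0, ttl 64, id 49185, offset 0, flags [DF], length: 136) "
    "localgw > remotegw: ESP(spi=0xba34f913,seq=0x5960005c)",
]

# Constructed sample: a healthy tunnel, ESP flowing both ways on two different SPIs.
SAMPLE_HEALTHY = [
    "10:00:00.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], length: 136) "
    "localgw > remotegw: ESP(spi=0x11111111,seq=0x1)",
    "10:00:00.010002 IP (tos 0x0, ttl 55, id 2, offset 0, flags [DF], length: 136) "
    "remotegw > localgw: ESP(spi=0x22222222,seq=0x1)",
    "10:00:01.000003 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], length: 136) "
    "localgw > remotegw: ESP(spi=0x11111111,seq=0x2)",
    "10:00:01.010004 IP (tos 0x0, ttl 55, id 4, offset 0, flags [DF], length: 136) "
    "remotegw > localgw: ESP(spi=0x22222222,seq=0x2)",
]


def parse_esp(lines):
    """Yield (timestamp, src, dst, spi, seq) for each ESP record; non-ESP lines are skipped."""
    for line in lines:
        m = ESP_RE.match(line.strip())
        if m:
            yield (m["ts"], m["src"], m["dst"], int(m["spi"], 16), int(m["seq"], 16))


def esp_directions(lines):
    """Count ESP packets per (src, dst, spi) triple."""
    counts = defaultdict(int)
    for _ts, src, dst, spi, _seq in parse_esp(lines):
        counts[(src, dst, spi)] += 1
    return dict(counts)


def one_way_pairs(lines):
    """Return sorted (sender, receiver) pairs that emitted ESP but never got ESP back."""
    senders = {(src, dst) for (src, dst, _spi) in esp_directions(lines)}
    return sorted(pair for pair in senders if (pair[1], pair[0]) not in senders)


if __name__ == "__main__":
    for name, sample in (("one-way capture", SAMPLE_ONE_WAY), ("healthy capture", SAMPLE_HEALTHY)):
        print(name, esp_directions(sample))
        for src, dst in one_way_pairs(sample):
            print(f"  ESP from {src} to {dst} with no ESP in return")
```

To use it on a real capture, pipe `tcpdump -n -v -i <iface> esp or udp port 500` output (one record per line, which is what tcpdump produces when not wrapped by a mail client) into `one_way_pairs`. If the only pair reported is your own gateway as sender, the remote side is either not sending ESP or it is being dropped before it reaches your interface.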

