[Openswan Users] Tunnel up but cannot ping the other side.

Peter McGill petermcgill at goco.net
Thu Sep 18 09:08:11 EDT 2008 

Jesper,

First question, where are you pinging from a host in
10.27.1.0/24 or from the Fedora itself 83.xx.xxx.xx?
It must come from 10.27.1.0/24 or else you must add
leftsourceip=10.27.1.x (Fedora internal lan ip).
The reverse is also true, if the remote admin pings
83.xx.xxx.xx this does not test the tunnel, he/she
must ping a live host in 10.27.1.0/24.

Second, where are you pinging too, 192.168.37.34 or
217.yyy.yy.yy? You cannot ping 217.yyy.yy.yy because
it is not in the subnets of the tunnel, but must ping
192.168.37.34 to test the tunnel.

Check your logs that your tunnel really is up and staying
up (not disconnecting.)
Look for pluto Quick Mode IPSec SA established.

Check your firewall isn't masquerading or blocking the tunnel
traffic. The remote admin should do the same.

If you need help checking things out, then send an
ipsec barf > ipsec_barf.txt as an attachment.

Peter

Jesper Langkjær wrote:
> Hi.
> 
> I have problem with pinging the other side of a tunnel.
> 
> My page:
> Fedora 4
> Core 2.6.16.24
> openswan-2.4.4-1.0.FC4.1
> 
> The other side:
> Hardware box, unknown
> 
> IPSEC.CONF
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=none
>         # klipsdebug=all
>         # plutodebug="control parsing"
>         # nat_traversal=yes
>         nat_traversal=no
>         interfaces="ipsec0=eth0"
> 
> conn %default
>     authby=rsasig
>     leftrsasigkey=
>  rightrsasigkey =
>     left=%defaultroute
>     keyingtries=1
>     #keylife=1200s
>     #ikelifetime=1200s
> 
> #conn server_VPN
> #        left=83.xx.xxx.xx
> #        leftid=83.xx.xxx.xx
> #        right=194.yyy.yyy.yy
> #        rightsubnet=192.168.37.34/32
> #        keyexchange=ike
> #        keylife=2h
> #        authby=secret
> #        auto=start
> 
> 
> conn server_VPN
>        left=83.xx.xxx.xx
>        leftid=83.xx.xxx.xx
>        leftsubnet=10.27.1.0/24
>        right=217.yyy.yy.yy
>        rightsubnet=192.168.37.34/32
>        pfs=no
>        ike=3des-sha1
>        esp=3des-sha1
>        keyexchange=ike
>        keylife=2h
>        authby=secret
>        auto=start
>        auth=esp
> 
> The first CONN ar an old one that has been working, but now they installed som new hardware/moved server and now it dosent work anymore.
> When i run "service ipsec start" everything looks ok and the tunnel comes up.
> The other side (217.yyy.yyy.yyy) can ping my side (83.xxx.xxx.xxx) but i can't ping them.
> 
> Any advise ??
> 
> Kind regards
> 
> Jesper Langkjaer
> *************************************************************************
> Denne e-mail er scannet for virus og spam
> *************************************************************************
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>

More information about the Users mailing list