[Openswan Users] Tunnel up but cannot ping the other side.

Jesper Langkjær jl at MINISOFT.DK
Mon Sep 22 01:57:48 EDT 2008 

Hi Peter

Funny but is was the MASQUERADE rule in the firewall that was the problem.
In the past this rule have never made any problem.

But anyway i put the "iptables -t nat -A POSTROUTING -o eth0 -d 192.168.37.34 -j RETURN" in just before the "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" and every thing works.

Thanke you for the help

Kind regards

Jesper Langkjær

-----Original Message-----
From: Peter McGill [mailto:petermcgill at goco.net]
Sent: Friday, September 19, 2008 4:13 PM
To: Jesper Langkjær
Subject: Re: [Openswan Users] Tunnel up but cannot ping the other side.


Jesper,

#1 Disable developer debugging, it is not usually helpful, but only adds 
excessive logs. Makes reading the logs for real debug info like looking 
for a needle in a haystack. Only turn it on, if asked by a developer to 
sort out your problem.
ipsec.conf:
config setup
	#klipsdebug=none
	#plutodebug=none

#2 Comment out or delete your conn %default section, it's not needed in 
this case and in fact is unpredictable in behavior since it is 
incorrectly indented.

#3 The leftsourceip= line you added needs to be indented with a single 
tab, like all indented lines in ipsec.conf. Indenting with multiple 
spaces can have unpredictable results.

#4 Your firewall is very complicated, so I'm not entirely sure but it 
looks mostly ok, except for:
Chain POSTROUTING (policy ACCEPT 674K packets, 40M bytes)
  pkts bytes target     prot opt in     out     source 
destination
10021  595K MASQUERADE  all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0
Which means you have a line in your script something like this:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This will nat all traffic outbound to the internet (including in the 
ipsec tunnel) to come from your external internet ip. This will cause 
your pings and other communication over the tunnel to fail.
You need to add the following before it.
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.37.34 -j RETURN
This will prevent packets for the remote lan ip from being natted, thus 
allowing the communication to work.

#5 I cannot tell if the tunnel is connected or not, because barf could 
not find your logs. Did you or the system rotate them before the barf? 
They are likely in /var/log/secure*.

Restart pluto and iptables with the suggested changes. Then if your 
still having trouble, create a new barf, hopefully it will contain the 
logs. Also send me the ping output.


Peter

Jesper Langkjær wrote:
> Hi Peter
> 
> Thanks for the quick respons.
> 
> 
> I've try to add teh leftsourceip=10.27.1.28 aka the machine with openswan
> 
> I'm trying to ping 192.168.37.34 but it goes via our 83.xx.xxx.xx and not the tunnel.
> 
> I've attache the ipsec_barf.txt as requsted.
> 
> Could it be the route in ther other end that is missing ?
> 
> /Jesper
> 
> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org]On
> Behalf Of Peter McGill
> Sent: Thursday, September 18, 2008 3:08 PM
> To: Jesper Langkjær
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Tunnel up but cannot ping the other side.
> 
> 
> Jesper,
> 
> First question, where are you pinging from a host in
> 10.27.1.0/24 or from the Fedora itself 83.xx.xxx.xx?
> It must come from 10.27.1.0/24 or else you must add
> leftsourceip=10.27.1.x (Fedora internal lan ip).
> The reverse is also true, if the remote admin pings
> 83.xx.xxx.xx this does not test the tunnel, he/she
> must ping a live host in 10.27.1.0/24.
> 
> Second, where are you pinging too, 192.168.37.34 or
> 217.yyy.yy.yy? You cannot ping 217.yyy.yy.yy because
> it is not in the subnets of the tunnel, but must ping
> 192.168.37.34 to test the tunnel.
> 
> Check your logs that your tunnel really is up and staying
> up (not disconnecting.)
> Look for pluto Quick Mode IPSec SA established.
> 
> Check your firewall isn't masquerading or blocking the tunnel
> traffic. The remote admin should do the same.
> 
> If you need help checking things out, then send an
> ipsec barf > ipsec_barf.txt as an attachment.
> 
> Peter
> 
> Jesper Langkjær wrote:
>> Hi.
>>
>> I have problem with pinging the other side of a tunnel.
>>
>> My page:
>> Fedora 4
>> Core 2.6.16.24
>> openswan-2.4.4-1.0.FC4.1
>>
>> The other side:
>> Hardware box, unknown
>>
>> IPSEC.CONF
>> config setup
>>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>>         # klipsdebug=none
>>         # klipsdebug=all
>>         # plutodebug="control parsing"
>>         # nat_traversal=yes
>>         nat_traversal=no
>>         interfaces="ipsec0=eth0"
>>
>> conn %default
>>     authby=rsasig
>>     leftrsasigkey=
>>  rightrsasigkey =
>>     left=%defaultroute
>>     keyingtries=1
>>     #keylife=1200s
>>     #ikelifetime=1200s
>>
>> #conn server_VPN
>> #        left=83.xx.xxx.xx
>> #        leftid=83.xx.xxx.xx
>> #        right=194.yyy.yyy.yy
>> #        rightsubnet=192.168.37.34/32
>> #        keyexchange=ike
>> #        keylife=2h
>> #        authby=secret
>> #        auto=start
>>
>>
>> conn server_VPN
>>        left=83.xx.xxx.xx
>>        leftid=83.xx.xxx.xx
>>        leftsubnet=10.27.1.0/24
>>        right=217.yyy.yy.yy
>>        rightsubnet=192.168.37.34/32
>>        pfs=no
>>        ike=3des-sha1
>>        esp=3des-sha1
>>        keyexchange=ike
>>        keylife=2h
>>        authby=secret
>>        auto=start
>>        auth=esp
>>
>> The first CONN ar an old one that has been working, but now they installed som new hardware/moved server and now it dosent work anymore.
>> When i run "service ipsec start" everything looks ok and the tunnel comes up.
>> The other side (217.yyy.yyy.yyy) can ping my side (83.xxx.xxx.xxx) but i can't ping them.
>>
>> Any advise ??
>>
>> Kind regards
>>
>> Jesper Langkjaer
>> *************************************************************************
>> Denne e-mail er scannet for virus og spam
>> *************************************************************************
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan: 
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
> 
> *************************************************************************
> Denne e-mail er scannet for virus og spam
> *************************************************************************
> 

*************************************************************************
Denne e-mail er scannet for virus og spam
*************************************************************************

More information about the Users mailing list