[Openswan Users] can ping from one side of tunnel but not from theother
matt.bazan at comcast.net
matt.bazan at comcast.net
Thu Nov 18 00:52:04 EST 2010
here are the relevant details:
RIGHT HAND SIDE:
openswan-right at ellis:~$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.23/K2.6.32-24-server (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
openswan-right at ellis:~$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere state INVALID
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT all -- BASE-ADDRESS.MCAST.NET/4 anywhere
ACCEPT all -- anywhere BASE-ADDRESS.MCAST.NET/4
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW ALLOW] '
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere state INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere state NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:22022
ACCEPT udp -- anywhere anywhere udp dpt:22022
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:4500
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix `[UFW LIMIT BLOCK] '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
openswan-right at ellis:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22022 ALLOW Anywhere
500/udp ALLOW Anywhere
4500/udp ALLOW Anywhere
******************************************************************************************************************************
LEFT HAND SIDE:
openswan-left at ubuntuFW:~$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.22/K2.6.31-14-server (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
openswan-left at ubuntuFW:~$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_ACCEPT all -- anywhere anywhere
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_ACCEPT tcp -- anywhere adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW tcp dpt:915
AS0_ACCEPT tcp -- anywhere adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW tcp dpt:914
AS0_ACCEPT udp -- anywhere adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW udp dpt:917
AS0_ACCEPT udp -- anywhere adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW udp dpt:916
AS0_WEBACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_WEBACCEPT tcp -- anywhere adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW tcp dpt:943
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:4500
Chain FORWARD (policy ACCEPT)
target prot opt source destination
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_OUT_S2C all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
AS0_OUT_LOCAL all -- anywhere anywhere
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain AS0_ACCEPT (7 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain AS0_IN (7 references)
target prot opt source destination
ACCEPT all -- anywhere 5.5.0.1
ACCEPT all -- anywhere 5.5.12.1
ACCEPT all -- anywhere 5.5.4.1
ACCEPT all -- anywhere 5.5.8.1
ACCEPT all -- anywhere 192.168.0.0/16
ACCEPT all -- anywhere 10.0.0.0/8
ACCEPT all -- anywhere 172.16.0.0/12
AS0_IN_POST all -- anywhere anywhere
Chain AS0_IN_POST (1 references)
target prot opt source destination
AS0_OUT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain AS0_IN_PRE (2 references)
target prot opt source destination
AS0_IN all -- anywhere 5.5.4.0/22
AS0_IN all -- anywhere 5.5.0.0/22
AS0_IN all -- anywhere 5.5.12.0/22
AS0_IN all -- anywhere 5.5.8.0/22
AS0_IN all -- anywhere 172.16.0.0/12
AS0_IN all -- anywhere 192.168.0.0/16
AS0_IN all -- anywhere 10.0.0.0/8
ACCEPT all -- anywhere anywhere
Chain AS0_OUT (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain AS0_OUT_LOCAL (1 references)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp redirect
ACCEPT all -- anywhere anywhere
Chain AS0_OUT_S2C (1 references)
target prot opt source destination
AS0_OUT all -- anywhere anywhere
Chain AS0_WEBACCEPT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp dpt:netbios-ns
RETURN udp -- anywhere anywhere udp dpt:netbios-dgm
RETURN tcp -- anywhere anywhere tcp dpt:netbios-ssn
RETURN tcp -- anywhere anywhere tcp dpt:microsoft-ds
RETURN udp -- anywhere anywhere udp dpt:bootps
RETURN udp -- anywhere anywhere udp dpt:bootpc
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
Chain ufw-after-logging-input (1 references)
target prot opt source destination
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere state INVALID
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT all -- BASE-ADDRESS.MCAST.NET/4 anywhere
ACCEPT all -- anywhere BASE-ADDRESS.MCAST.NET/4
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
Chain ufw-logging-deny (2 references)
target prot opt source destination
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere state NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- 10.0.0.0/24 anywhere
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:4500
ACCEPT tcp -- anywhere anywhere tcp dpt:re-mail-ck
ACCEPT udp -- anywhere anywhere udp dpt:re-mail-ck
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT udp -- anywhere anywhere udp dpt:1723
ACCEPT tcp -- anywhere anywhere tcp dpt:openvpn
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix `[UFW LIMIT BLOCK] '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw-user-logging-input (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw-user-logging-output (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain ufw-user-output (1 references)
target prot opt source destination
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
openswan-left at ubuntuFW:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
Anywhere ALLOW 192.168.0.0/24
Anywhere ALLOW 10.0.0.0/24
500/udp ALLOW Anywhere
4500/udp ALLOW Anywhere
50 ALLOW Anywhere
1723 ALLOW Anywhere
1194 ALLOW Anywhere
thx,
matt
----- "Randy Wyatt" <rwyatt at nvtl.com> wrote:
> Have you run ipsec verify?
>
> Do you have forwarding enabled?
>
> What iptables rules are you using?
>
> Regards,
> Randy
>
>
> -----Original Message-----
> From: users-bounces at openswan.org on behalf of matt.bazan at comcast.net
> Sent: Wed 11/17/2010 9:14 PM
> To: users at openswan.org
> Subject: [Openswan Users] can ping from one side of tunnel but not
> from theother
>
> Have a basic left hand side/ right hand side tunnel. i can ping from
> the right hand side LAN IP of firewall running openswan (not behind
> NAT device) to left hand side LAN IP of openswan server (again, not
> behind NAT device) but am unable to ping from left hand LAN to right
> hand LAN. using UFW for firewall setup and both sides have same rule
> sets. have verified ipsec.conf config. what could i be missing?
> according to logs tunnel is up on both ends (ping wouldnt work from
> either side if this were the case, correct?) thx-
>
> -m
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments:
> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list