[Openswan Users] can ping from one side of tunnel but not from theother
Willie Gillespie
wgillespie+openswan at es2eng.com
Thu Nov 18 13:47:02 EST 2010
Your packet filter on openswan-right is dropping protocol 50 (ESP) packets.
Notice on "ubuntuFW" that you have:
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
I don't see that on "ellis"
matt.bazan at comcast.net wrote:
> here are the relevant details:
>
> RIGHT HAND SIDE:
>
> openswan-right at ellis:~$ sudo ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.23/K2.6.32-24-server (netkey)
> Checking for IPsec support in kernel [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
>
> Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> or NETKEY will cause the sending of bogus ICMP redirects!
>
> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for NAT-T on udp 4500 [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> openswan-right at ellis:~$ sudo iptables -L
> Chain INPUT (policy DROP)
> target prot opt source destination
> ufw-before-logging-input all -- anywhere anywhere
> ufw-before-input all -- anywhere anywhere
> ufw-after-input all -- anywhere anywhere
> ufw-after-logging-input all -- anywhere anywhere
> ufw-reject-input all -- anywhere anywhere
> ufw-track-input all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ufw-before-logging-forward all -- anywhere anywhere
> ufw-before-forward all -- anywhere anywhere
> ufw-after-forward all -- anywhere anywhere
> ufw-after-logging-forward all -- anywhere anywhere
> ufw-reject-forward all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> ufw-before-logging-output all -- anywhere anywhere
> ufw-before-output all -- anywhere anywhere
> ufw-after-output all -- anywhere anywhere
> ufw-after-logging-output all -- anywhere anywhere
> ufw-reject-output all -- anywhere anywhere
> ufw-track-output all -- anywhere anywhere
>
> Chain ufw-after-forward (1 references)
> target prot opt source destination
>
> Chain ufw-after-input (1 references)
> target prot opt source destination
> ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
> ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
> ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
> ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
> ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
> ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
> ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
>
> Chain ufw-after-logging-forward (1 references)
> target prot opt source destination
>
> Chain ufw-after-logging-input (1 references)
> target prot opt source destination
> LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '
>
> Chain ufw-after-logging-output (1 references)
> target prot opt source destination
>
> Chain ufw-after-output (1 references)
> target prot opt source destination
>
> Chain ufw-before-forward (1 references)
> target prot opt source destination
> ufw-user-forward all -- anywhere anywhere
>
> Chain ufw-before-input (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ufw-logging-deny all -- anywhere anywhere state INVALID
> DROP all -- anywhere anywhere state INVALID
> ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
> ACCEPT icmp -- anywhere anywhere icmp source-quench
> ACCEPT icmp -- anywhere anywhere icmp time-exceeded
> ACCEPT icmp -- anywhere anywhere icmp parameter-problem
> ACCEPT icmp -- anywhere anywhere icmp echo-request
> ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
> ufw-not-local all -- anywhere anywhere
> ACCEPT all -- BASE-ADDRESS.MCAST.NET/4 anywhere
> ACCEPT all -- anywhere BASE-ADDRESS.MCAST.NET/4
> ufw-user-input all -- anywhere anywhere
>
> Chain ufw-before-logging-forward (1 references)
> target prot opt source destination
>
> Chain ufw-before-logging-input (1 references)
> target prot opt source destination
>
> Chain ufw-before-logging-output (1 references)
> target prot opt source destination
>
> Chain ufw-before-output (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ufw-user-output all -- anywhere anywhere
>
> Chain ufw-logging-allow (0 references)
> target prot opt source destination
> LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW ALLOW] '
>
> Chain ufw-logging-deny (2 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere state INVALID limit: avg 3/min burst 10
> LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '
>
> Chain ufw-not-local (1 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
> RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
> RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
> ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
> DROP all -- anywhere anywhere
>
> Chain ufw-reject-forward (1 references)
> target prot opt source destination
>
> Chain ufw-reject-input (1 references)
> target prot opt source destination
>
> Chain ufw-reject-output (1 references)
> target prot opt source destination
>
> Chain ufw-skip-to-policy-forward (0 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain ufw-skip-to-policy-input (7 references)
> target prot opt source destination
> DROP all -- anywhere anywhere
>
> Chain ufw-skip-to-policy-output (0 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain ufw-track-input (1 references)
> target prot opt source destination
>
> Chain ufw-track-output (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere state NEW
> ACCEPT udp -- anywhere anywhere state NEW
>
> Chain ufw-user-forward (1 references)
> target prot opt source destination
>
> Chain ufw-user-input (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
> ACCEPT udp -- anywhere anywhere udp dpt:ssh
> ACCEPT tcp -- anywhere anywhere tcp dpt:22022
> ACCEPT udp -- anywhere anywhere udp dpt:22022
> ACCEPT udp -- anywhere anywhere udp dpt:isakmp
> ACCEPT udp -- anywhere anywhere udp dpt:4500
>
> Chain ufw-user-limit (0 references)
> target prot opt source destination
> LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix `[UFW LIMIT BLOCK] '
> REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
>
> Chain ufw-user-limit-accept (0 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain ufw-user-logging-forward (0 references)
> target prot opt source destination
>
> Chain ufw-user-logging-input (0 references)
> target prot opt source destination
>
> Chain ufw-user-logging-output (0 references)
> target prot opt source destination
>
> Chain ufw-user-output (1 references)
> target prot opt source destination
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> openswan-right at ellis:~$ sudo ufw status
> Status: active
>
> To Action From
> -- ------ ----
> 22 ALLOW Anywhere
> 22022 ALLOW Anywhere
> 500/udp ALLOW Anywhere
> 4500/udp ALLOW Anywhere
>
> ******************************************************************************************************************************
>
> LEFT HAND SIDE:
>
> openswan-left at ubuntuFW:~$ sudo ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.22/K2.6.31-14-server (netkey)
> Checking for IPsec support in kernel [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
>
> Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> or NETKEY will cause the sending of bogus ICMP redirects!
>
> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [OK]
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> openswan-left at ubuntuFW:~$ sudo iptables -L
> Chain INPUT (policy DROP)
> target prot opt source destination
> AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> AS0_ACCEPT all -- anywhere anywhere
> AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
> AS0_ACCEPT tcp -- anywhere adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW tcp dpt:915
> AS0_ACCEPT tcp -- anywhere adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW tcp dpt:914
> AS0_ACCEPT udp -- anywhere adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW udp dpt:917
> AS0_ACCEPT udp -- anywhere adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW udp dpt:916
> AS0_WEBACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> AS0_WEBACCEPT tcp -- anywhere adsl-XX-XXX-X-XX.dsl.pltn13.pacbell.net state NEW tcp dpt:943
> ufw-before-logging-input all -- anywhere anywhere
> ufw-before-input all -- anywhere anywhere
> ufw-after-input all -- anywhere anywhere
> ufw-after-logging-input all -- anywhere anywhere
> ufw-reject-input all -- anywhere anywhere
> ufw-track-input all -- anywhere anywhere
> ACCEPT esp -- anywhere anywhere
> ACCEPT ah -- anywhere anywhere
> ACCEPT udp -- anywhere anywhere udp dpt:isakmp
> ACCEPT udp -- anywhere anywhere udp dpt:4500
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
> AS0_OUT_S2C all -- anywhere anywhere
> ufw-before-logging-forward all -- anywhere anywhere
> ufw-before-forward all -- anywhere anywhere
> ufw-after-forward all -- anywhere anywhere
> ufw-after-logging-forward all -- anywhere anywhere
> ufw-reject-forward all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> AS0_OUT_LOCAL all -- anywhere anywhere
> ufw-before-logging-output all -- anywhere anywhere
> ufw-before-output all -- anywhere anywhere
> ufw-after-output all -- anywhere anywhere
> ufw-after-logging-output all -- anywhere anywhere
> ufw-reject-output all -- anywhere anywhere
> ufw-track-output all -- anywhere anywhere
>
> Chain AS0_ACCEPT (7 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain AS0_IN (7 references)
> target prot opt source destination
> ACCEPT all -- anywhere 5.5.0.1
> ACCEPT all -- anywhere 5.5.12.1
> ACCEPT all -- anywhere 5.5.4.1
> ACCEPT all -- anywhere 5.5.8.1
> ACCEPT all -- anywhere 192.168.0.0/16
> ACCEPT all -- anywhere 10.0.0.0/8
> ACCEPT all -- anywhere 172.16.0.0/12
> AS0_IN_POST all -- anywhere anywhere
>
> Chain AS0_IN_POST (1 references)
> target prot opt source destination
> AS0_OUT all -- anywhere anywhere
> DROP all -- anywhere anywhere
>
> Chain AS0_IN_PRE (2 references)
> target prot opt source destination
> AS0_IN all -- anywhere 5.5.4.0/22
> AS0_IN all -- anywhere 5.5.0.0/22
> AS0_IN all -- anywhere 5.5.12.0/22
> AS0_IN all -- anywhere 5.5.8.0/22
> AS0_IN all -- anywhere 172.16.0.0/12
> AS0_IN all -- anywhere 192.168.0.0/16
> AS0_IN all -- anywhere 10.0.0.0/8
> ACCEPT all -- anywhere anywhere
>
> Chain AS0_OUT (2 references)
> target prot opt source destination
> DROP all -- anywhere anywhere
>
> Chain AS0_OUT_LOCAL (1 references)
> target prot opt source destination
> DROP icmp -- anywhere anywhere icmp redirect
> ACCEPT all -- anywhere anywhere
>
> Chain AS0_OUT_S2C (1 references)
> target prot opt source destination
> AS0_OUT all -- anywhere anywhere
>
> Chain AS0_WEBACCEPT (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain ufw-after-forward (1 references)
> target prot opt source destination
>
> Chain ufw-after-input (1 references)
> target prot opt source destination
> RETURN udp -- anywhere anywhere udp dpt:netbios-ns
> RETURN udp -- anywhere anywhere udp dpt:netbios-dgm
> RETURN tcp -- anywhere anywhere tcp dpt:netbios-ssn
> RETURN tcp -- anywhere anywhere tcp dpt:microsoft-ds
> RETURN udp -- anywhere anywhere udp dpt:bootps
> RETURN udp -- anywhere anywhere udp dpt:bootpc
> RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
>
> Chain ufw-after-logging-forward (1 references)
> target prot opt source destination
>
> Chain ufw-after-logging-input (1 references)
> target prot opt source destination
>
> Chain ufw-after-logging-output (1 references)
> target prot opt source destination
>
> Chain ufw-after-output (1 references)
> target prot opt source destination
>
> Chain ufw-before-forward (1 references)
> target prot opt source destination
> ufw-user-forward all -- anywhere anywhere
>
> Chain ufw-before-input (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ufw-logging-deny all -- anywhere anywhere state INVALID
> DROP all -- anywhere anywhere state INVALID
> ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
> ACCEPT icmp -- anywhere anywhere icmp source-quench
> ACCEPT icmp -- anywhere anywhere icmp time-exceeded
> ACCEPT icmp -- anywhere anywhere icmp parameter-problem
> ACCEPT icmp -- anywhere anywhere icmp echo-request
> ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
> ufw-not-local all -- anywhere anywhere
> ACCEPT all -- BASE-ADDRESS.MCAST.NET/4 anywhere
> ACCEPT all -- anywhere BASE-ADDRESS.MCAST.NET/4
> ufw-user-input all -- anywhere anywhere
>
> Chain ufw-before-logging-forward (1 references)
> target prot opt source destination
>
> Chain ufw-before-logging-input (1 references)
> target prot opt source destination
>
> Chain ufw-before-logging-output (1 references)
> target prot opt source destination
>
> Chain ufw-before-output (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ufw-user-output all -- anywhere anywhere
>
> Chain ufw-logging-allow (0 references)
> target prot opt source destination
>
> Chain ufw-logging-deny (2 references)
> target prot opt source destination
>
> Chain ufw-not-local (1 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
> RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
> RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
> ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
> DROP all -- anywhere anywhere
>
> Chain ufw-reject-forward (1 references)
> target prot opt source destination
>
> Chain ufw-reject-input (1 references)
> target prot opt source destination
>
> Chain ufw-reject-output (1 references)
> target prot opt source destination
>
> Chain ufw-track-input (1 references)
> target prot opt source destination
>
> Chain ufw-track-output (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere state NEW
> ACCEPT udp -- anywhere anywhere state NEW
>
> Chain ufw-user-forward (1 references)
> target prot opt source destination
>
> Chain ufw-user-input (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
> ACCEPT udp -- anywhere anywhere udp dpt:ssh
> ACCEPT all -- 192.168.0.0/24 anywhere
> ACCEPT all -- 10.0.0.0/24 anywhere
> ACCEPT udp -- anywhere anywhere udp dpt:isakmp
> ACCEPT udp -- anywhere anywhere udp dpt:4500
> ACCEPT tcp -- anywhere anywhere tcp dpt:re-mail-ck
> ACCEPT udp -- anywhere anywhere udp dpt:re-mail-ck
> ACCEPT tcp -- anywhere anywhere tcp dpt:1723
> ACCEPT udp -- anywhere anywhere udp dpt:1723
> ACCEPT tcp -- anywhere anywhere tcp dpt:openvpn
> ACCEPT udp -- anywhere anywhere udp dpt:openvpn
>
> Chain ufw-user-limit (0 references)
> target prot opt source destination
> LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix `[UFW LIMIT BLOCK] '
> REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
>
> Chain ufw-user-limit-accept (0 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain ufw-user-logging-forward (0 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere
>
> Chain ufw-user-logging-input (0 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere
>
> Chain ufw-user-logging-output (0 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere
>
> Chain ufw-user-output (1 references)
> target prot opt source destination
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> openswan-left at ubuntuFW:~$ sudo ufw status
> Status: active
>
> To Action From
> -- ------ ----
> 22 ALLOW Anywhere
> Anywhere ALLOW 192.168.0.0/24
> Anywhere ALLOW 10.0.0.0/24
> 500/udp ALLOW Anywhere
> 4500/udp ALLOW Anywhere
> 50 ALLOW Anywhere
> 1723 ALLOW Anywhere
> 1194 ALLOW Anywhere
>
>
>
> thx,
> matt
> ----- "Randy Wyatt" <rwyatt at nvtl.com> wrote:
>
>> Have you run ipsec verify?
>>
>> Do you have forwarding enabled?
>>
>> What iptables rules are you using?
>>
>> Regards,
>> Randy
>>
>>
>> -----Original Message-----
>> From: users-bounces at openswan.org on behalf of matt.bazan at comcast.net
>> Sent: Wed 11/17/2010 9:14 PM
>> To: users at openswan.org
>> Subject: [Openswan Users] can ping from one side of tunnel but not
>> from theother
>>
>> Have a basic left hand side/ right hand side tunnel. i can ping from
>> the right hand side LAN IP of firewall running openswan (not behind
>> NAT device) to left hand side LAN IP of openswan server (again, not
>> behind NAT device) but am unable to ping from left hand LAN to right
>> hand LAN. using UFW for firewall setup and both sides have same rule
>> sets. have verified ipsec.conf config. what could i be missing?
>> according to logs tunnel is up on both ends (ping wouldnt work from
>> either side if this were the case, correct?) thx-
>>
>> -m
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Micropayments:
>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list