[Openswan Users] Tunnel up, can't ping!! Help is much appreciated!!

"Ing. Rodrigo Méndez" rodrigomf at bl.com.mx
Thu Nov 25 13:48:37 EST 2010


Paul, Willie,

Thanks A LOT for your responses.

I still cannot get pings through but there are more clues...

1.- I tried adding forceencaps=yes to the conn part of my ipsec.conf with no results.

2.- When I ping the zzz.zzz.zzz.3 box (private lan) from my CentOS box (xxx.xxx.xxx.1) I see this type of packages when doing a TCP dump:

-------------
12:37:21.458338 IP xxx.xxx.xxx.1  > yyy.yyy.yyy.2: ESP(spi=0xca766790,seq=0x32), length 116
-------------


I think this means some packets are getting out from my CentOS box to their Juniper router, right?



3.- When I stop iptables (service iptables stop) I get this when doing "iptables -L"

# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    

I think it means there's no block from my part, right?

Any further help is GREATLY appreciated.

Thank you again!
Rodrigo


On 23/11/2010, at 14:51, Paul Wouters wrote:

> On Tue, 23 Nov 2010, "Ing. Rodrigo Méndez" wrote:
> 
>> This is the result from ipsec verify:
> 
> Looks good.
> 
>> The people from the Juniper VPN concentrator say they don't see any traffic coming from our IPs, so it would seem there's no traffic coming out from Box 1
>> (CentOS box). The strange thing is it doesn't work even if iptables is disabled (so no blocking is apparently occurring, or at least it isn't the main
>> problem).
>> My best guess now is that I'm having a routing problem. 
> 
> I don't think so...
> 
>> Any ideas on how to tell Linux to route the packages going to zzz.zzz.zzz.3 through the tunnel?? (I'm using netkey, not KLIPS)
> 
> manual routing should not be used. netlink will snatch the packets.
> 
>> I can't find any route to yyy.yyy.yyy.2 or zzz.zzz.zzz.3 (the box in the private lan) anywhere in the routing table. I'm not sure if this is OK.
> 
> that's fine.
> 
> It seems you have one interface online. Are you behind a port forward? Is your upstream
> router filtering packets?
> 
> Try adding forceencaps=yes ?
> 
> 
> Paul
> 
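The two observations in the post above (outbound ESP visible in tcpdump, and an empty iptables ruleset) are exactly what you want to check mechanically when a tunnel is "up" but nothing answers. The following script is an added example, not code from the thread or from Openswan: it parses tcpdump's ESP summary lines (plain ESP and the NAT-T "UDP-encap" form on port 4500, which is what forceencaps=yes produces), counts packets per direction relative to the local endpoint, parses `iptables -L` output to confirm every chain is policy ACCEPT with no rules, and maps the result to the next thing to look at. The capture and addresses below are constructed (RFC 5737 ranges standing in for the xxx/yyy placeholders in the post); the SPI value is the one shown in the post.

```python
import re

# tcpdump ESP summary line. NAT-T lines carry a "UDP-encap: " prefix and
# ".4500" port suffixes on both addresses.
ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<encap>UDP-encap: )?ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),\s*seq=0x(?P<seq>[0-9a-fA-F]+)\),"
    r" length (?P<len>\d+)$"
)


def split_host_port(token):
    """'203.0.113.2.4500' -> ('203.0.113.2', 4500); '203.0.113.2' -> ('203.0.113.2', None)."""
    parts = token.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_esp_line(line):
    """Return a dict for one ESP line, or None for any other tcpdump line."""
    m = ESP_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_host_port(m.group("src"))
    dst, dport = split_host_port(m.group("dst"))
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "spi": int(m.group("spi"), 16), "seq": int(m.group("seq"), 16),
        "udp_encap": m.group("encap") is not None, "length": int(m.group("len")),
    }


def summarize_esp(lines, local_ip):
    """Count ESP packets leaving and reaching local_ip and derive a verdict."""
    out = {"outbound": 0, "inbound": 0, "spis_out": set(), "spis_in": set(), "udp_encap": False}
    for line in lines:
        pkt = parse_esp_line(line)
        if pkt is None:
            continue
        out["udp_encap"] = out["udp_encap"] or pkt["udp_encap"]
        if pkt["src"] == local_ip:
            out["outbound"] += 1
            out["spis_out"].add(pkt["spi"])
        elif pkt["dst"] == local_ip:
            out["inbound"] += 1
            out["spis_in"].add(pkt["spi"])
    if out["outbound"] and out["inbound"]:
        out["verdict"] = "bidirectional"
    elif out["outbound"]:
        out["verdict"] = "outbound_only"
    elif out["inbound"]:
        out["verdict"] = "inbound_only"
    else:
        out["verdict"] = "no_esp"
    return out


# Where to look next for each verdict; wording is this example's, not Openswan's.
NEXT_CHECK = {
    "outbound_only": "ESP leaves this host, so local iptables is not the cause; check the upstream "
                     "router/NAT passes IP proto 50 (or UDP 4500 with forceencaps) and ask the peer "
                     "whether it sees this SPI.",
    "inbound_only": "Peer sends ESP but nothing goes out; check 'ip xfrm policy' for the subnet pair.",
    "bidirectional": "Both directions carry ESP; look at decrypted traffic and FORWARD/NAT rules.",
    "no_esp": "No ESP at all; the SA may be absent, check 'ip xfrm state' and the tunnel status.",
}


def iptables_is_open(listing):
    """True if every chain in `iptables -L` output is policy ACCEPT (or a user chain) with no rules."""
    chains = {}
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": 0}
            continue
        if line.startswith("target") or current is None:
            continue  # column header line
        chains[current]["rules"] += 1
    return bool(chains) and all(
        c["policy"] in (None, "ACCEPT") and c["rules"] == 0 for c in chains.values()
    )


# Constructed sample capture: two ESP packets out, an unrelated ICMP line, nothing back.
SAMPLE_CAPTURE = """\
12:37:21.458338 IP 198.51.100.1 > 203.0.113.2: ESP(spi=0xca766790,seq=0x32), length 116
12:37:22.460011 IP 198.51.100.1 > 203.0.113.2: ESP(spi=0xca766790,seq=0x33), length 116
12:37:23.100000 IP 198.51.100.1 > 198.51.100.254: ICMP echo request, id 1, seq 1, length 64
"""

# Same shape as the `iptables -L` output in the post (all chains ACCEPT, no rules).
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

if __name__ == "__main__":
    s = summarize_esp(SAMPLE_CAPTURE.splitlines(), "198.51.100.1")
    print(s["verdict"], "iptables open:", iptables_is_open(SAMPLE_IPTABLES))
    print(NEXT_CHECK[s["verdict"]])
```

Run it against a real `tcpdump -n -i eth0 esp or udp port 4500` capture by passing the lines and the public IP of the Openswan host; an "outbound_only" verdict with an open iptables is the situation the post describes, and the useful next question is whether the SPI seen leaving matches the one the peer expects.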


