[Openswan Users] Tunnel up, can't ping!! Help is much appreciated!!

simon charles charlessimon at hotmail.com
Fri Nov 26 14:11:12 EST 2010


Rodrigo,
Your tcpdump indicates that traffic is going out through the tunnel. Could your Juniper guys look at the counters for encrypt/decrypt of this VPN tunnel? If their counters are incrementing and they don't see the payload then it's being dropped at the Juniper and not forwarded to the inside network. At the very least they should see traffic from your VPN concentrator hit their interface (phase 1 and phase 2).

- Simon Charles - 
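As an added example (not part of the thread, and not Openswan code): a small Python parser for tcpdump ESP lines of the kind Rodrigo posted. It groups packets by peer pair and SPI, and flags peer pairs where ESP is only ever seen in one direction, which is exactly the "packets leave, nothing decrypts back" picture described above. The capture lines and the far-end SPI are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample captures in tcpdump's ESP line format, modelled on the
# line quoted in the thread; addresses are placeholders as in the original post.
ONE_WAY_CAPTURE = """\
12:37:21.458338 IP xxx.xxx.xxx.1  > yyy.yyy.yyy.2: ESP(spi=0xca766790,seq=0x32), length 116
12:37:22.458412 IP xxx.xxx.xxx.1  > yyy.yyy.yyy.2: ESP(spi=0xca766790,seq=0x33), length 116
12:37:23.458390 IP xxx.xxx.xxx.1  > yyy.yyy.yyy.2: ESP(spi=0xca766790,seq=0x34), length 116
12:37:23.459001 IP yyy.yyy.yyy.2.500 > xxx.xxx.xxx.1.500: isakmp: phase 2/others ? inf[E]
"""
# Same peers, but the far end answers with its own SPI (hypothetical value).
TWO_WAY_CAPTURE = ONE_WAY_CAPTURE + """\
12:37:23.460120 IP yyy.yyy.yyy.2  > xxx.xxx.xxx.1: ESP(spi=0x1a2b3c4d,seq=0x32), length 116
"""

ESP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\s+>\s+(?P<dst>\S+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\), length (?P<len>\d+)$"
)

def parse_esp(capture):
    """Return (src, dst, spi, seq) for every ESP line; non-ESP lines (e.g. isakmp) are skipped."""
    flows = []
    for line in capture.splitlines():
        m = ESP_LINE.match(line.strip())
        if m:
            flows.append((m["src"], m["dst"], int(m["spi"], 16), int(m["seq"], 16)))
    return flows

def esp_summary(capture):
    """Per (src, dst, spi): packet count and lowest/highest ESP sequence number seen."""
    summary = defaultdict(lambda: {"count": 0, "first_seq": None, "last_seq": None})
    for src, dst, spi, seq in parse_esp(capture):
        s = summary[(src, dst, spi)]
        s["count"] += 1
        s["first_seq"] = seq if s["first_seq"] is None else min(s["first_seq"], seq)
        s["last_seq"] = seq if s["last_seq"] is None else max(s["last_seq"], seq)
    return dict(summary)

def one_way_peers(capture):
    """Peer pairs with ESP in one direction only: packets leave through the tunnel
    but no encrypted reply ever arrives, which is the symptom in this thread."""
    directions = defaultdict(set)
    for src, dst, _spi, _seq in parse_esp(capture):
        directions[frozenset((src, dst))].add((src, dst))
    return sorted(next(iter(d)) for d in directions.values() if len(d) == 1)
```

Feed it the output of `tcpdump -n esp` on the Openswan host: a non-empty one_way_peers result means the local side is encrypting but nothing is coming back to decrypt, so the problem is on the far side or in between, not in local routing.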




> From: rodrigomf at bl.com.mx
> Date: Thu, 25 Nov 2010 12:48:37 -0600
> To: paul at xelerance.com; wgillespie+openswan at es2eng.com
> CC: users at openswan.org
> Subject: Re: [Openswan Users] Tunnel up, can't ping!! Help is much appreciated!!
> 
> Paul, Willie,
> 
> Thanks A LOT for your responses.
> 
> I still cannot get pings through but there are more clues...
> 
> 1.- I tried adding forceencaps=yes to the conn part of my ipsec.conf with no results.
> 
> 2.- When I ping the zzz.zzz.zzz.3 box (private LAN) from my CentOS box (xxx.xxx.xxx.1) I see this type of packages when doing a tcpdump:
> 
> -------------
> 12:37:21.458338 IP xxx.xxx.xxx.1  > yyy.yyy.yyy.2: ESP(spi=0xca766790,seq=0x32), length 116
> -------------
> 
> 
> I think this means some packets are getting out from my CentOS box to their Juniper router, right?
> 
> 
> 
> 3.- When I stop iptables (service iptables stop) I get this when doing "iptables -L"
> 
> # iptables -L
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination         
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination         
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination    
> 
> I think it means there's no block from my part, right?
> 
> Any further help is GREATLY appreciated.
> 
> Thank you again!
> Rodrigo
> 
> 
> On 23/11/2010, at 14:51, Paul Wouters wrote:
> 
> > On Tue, 23 Nov 2010, "Ing. Rodrigo Méndez" wrote:
> > 
> >> This is the result from ipsec verify:
> > 
> > Looks good.
> > 
> >> The people from the Juniper VPN concentrator say they don't see any traffic coming from our IPs, so it would seem there's no traffic coming out from Box 1
> >> (CentOS box). The strange thing is it doesn't work even if iptables is disabled (so no blocking is apparently occurring, or at least it isn't the main
> >> problem).
> >> My best guess now is that I'm having a routing problem. 
> > 
> > I don't think so...
> > 
> >> Any ideas on how to tell Linux to route the packages going to zzz.zzz.zzz.3 through the tunnel?? (I'm using netkey, not KLIPS)
> > 
> > manual routing should not be used. netlink will snatch the packets.
> > 
> >> I can't find any route to yyy.yyy.yyy.2 or zzz.zzz.zzz.3 (the box in the private lan) anywhere in the routing table. I'm not sure if this is OK.
> > 
> > that's fine.
> > 
> > It seems you have one interface online. Are you behind a port forward? Is your upstream
> > router filtering packets?
> > 
> > Try adding forceencaps=yes ?
> > 
> > 
> > Paul
> > 
> 