[Openswan Users] Openswan IPSEC tunel established but it work from one side only
Dario Garay
dgaray at gsystems.com.ar
Fri Jan 7 13:58:17 EST 2011
And this is very strange.... the ping from 192.168.1.7 works with the ipsec service stopped.
[root at Georouter ~]# ipsec auto --down g2tog1
[root at Georouter ~]# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...
[root at Georouter ~]# ipsec setup --status
IPsec stopped
[root at Georouter ~]# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=253 time=5.98 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=253 time=7.82 ms
64 bytes from 192.168.2.1: icmp_seq=3 ttl=253 time=5.79 ms
64 bytes from 192.168.2.1: icmp_seq=4 ttl=253 time=6.26 ms
64 bytes from 192.168.2.1: icmp_seq=5 ttl=253 time=6.47 ms
64 bytes from 192.168.2.1: icmp_seq=6 ttl=253 time=5.71 ms
And the route command says that the net 192.168.2.0 does not exist in the routing table now
Route
192.168.1.83 * 255.255.255.255 UH 0 0 0 pptp3
192.168.1.82 * 255.255.255.255 UH 0 0 0 pptp2
192.168.1.81 * 255.255.255.255 UH 0 0 0 pptp1
192.168.1.80 * 255.255.255.255 UH 0 0 0 pptp0
192.168.1.84 * 255.255.255.255 UH 0 0 0 pptp4
200.61.168.116 * 255.255.255.252 U 0 0 0 eth2
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
192.168.15.0 * 255.255.255.0 U 0 0 0 eth0
R. Dario Garay
Technology Dept.
Tel. +5411 4342-9691
dgaray at geosystems.com.ar
www.geosystems.com.ar
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On behalf of Dario Garay
Sent: Friday, 07 January 2011 03:44 p.m.
To: Willie Gillespie; users at openswan.org
Subject: Re: [Openswan Users] Openswan IPSEC tunel established but it work from one side only
Willie
Here are the results
Ping from gateway to your VPN router
Test 1) ping from 192.168.1.7 to 192.168.2.1
---------------------------------------------
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=253 time=6.65 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=253 time=6.84 ms
64 bytes from 192.168.2.1: icmp_seq=3 ttl=253 time=6.15 ms
64 bytes from 192.168.2.1: icmp_seq=4 ttl=253 time=7.55 ms
Test 2) ping from 192.168.2.1 to 192.168.1.7
--------------------------------------------
192.168.1.7 ping statistics
6 packets transmitted, 0 received, 100% packet loss, time 5008ms
Ping from a subnet computer to the routers
Test 3) ping from 192.168.1.0/24 subnet to 192.168.2.1
------------------------------------------------------
>ping 192.168.2.1
Haciendo ping a 192.168.2.1 con 32 bytes de datos:
Respuesta desde 192.168.2.1: bytes=32 tiempo=6ms TTL=252
Respuesta desde 192.168.2.1: bytes=32 tiempo=6ms TTL=252
Respuesta desde 192.168.2.1: bytes=32 tiempo=6ms TTL=252
Respuesta desde 192.168.2.1: bytes=32 tiempo=6ms TTL=252
Estadísticas de ping para 192.168.2.1:
Paquetes: enviados = 4, recibidos = 4, perdidos = 0
(0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
Mínimo = 6ms, Máximo = 6ms, Media = 6ms
Test 4) ping from 192.168.2.0/24 subnet to 192.168.1.7
------------------------------------------------------
Estadísticas de ping para 192.168.1.7:
Paquetes: enviados = 4, recibidos = 0, perdidos = 4
(100% perdidos),
Ping from subnet to subnet
Test 5) ping from 192.168.1.0/24 subnet to 192.168.2.0/24 subnet
----------------------------------------------------------------
Estadísticas de ping para 192.168.2.111:
Paquetes: enviados = 4, recibidos = 0, perdidos = 4
(100% perdidos),
Test 6) ping from 192.168.2.0/24 subnet to 192.168.1.0/24 subnet
----------------------------------------------------------------
Estadísticas de ping para 192.168.1.9:
Paquetes: enviados = 4, recibidos = 0, perdidos = 4
(100% perdidos),
Dario Garay
-----Original Message-----
From: Willie Gillespie [mailto:wgillespie+openswan at es2eng.com]
Sent: Friday, 07 January 2011 03:18 p.m.
To: Dario Garay; users at openswan.org
Subject: Re: [Openswan Users] Openswan IPSEC tunel established but it work from one side only
Dario Garay wrote:
> Question: what I have to check in Iptables or rc.firewall?
Since you noted that the IPsec tunnel is up and working, at this point
you just need to make sure that you can forward packets to and from your
subnet.
A few tests you can try:
Ping from gateway to your VPN router
Test 1) ping from 192.168.1.7 to 192.168.2.1
Test 2) ping from 192.168.2.1 to 192.168.1.7
Ping from a subnet computer to the routers
Test 3) ping from 192.168.1.0/24 subnet to 192.168.2.1
Test 4) ping from 192.168.2.0/24 subnet to 192.168.1.7
Ping from subnet to subnet
Test 5) ping from 192.168.1.0/24 subnet to 192.168.2.0/24 subnet
Test 6) ping from 192.168.2.0/24 subnet to 192.168.1.0/24 subnet
That will help you narrow down what works and what doesn't.