No subject


Tue Feb 5 18:22:43 EST 2013


Patrick,

From what I've read on this list, NATed connections may not work very well. Did you check the proper firewall settings?

Yes, I deactivated the iptables rules as a test and the same problem happened.


Dzionek,

Are ICMP packets encapsulated in ESP headers? Use tcpdump with the protocol
option set to esp and see if there is any traffic coming out, and check for
UDP packets with port 4500 (for NAT Traversal traffic).

Yes,

tcpdump:

17:37:19.384983 IP IP_WAN_LEFT.ipsec-nat-t > IP_WAN_RIGHT.ipsec-nat-t:
UDP-encap: ESP(spi=0x5b745fa8,seq=0xd), length 92
17:37:19.454113 IP IP_WAN_RIGHT.ipsec-nat-t > 172.30.1.254.ipsec-nat-t:
UDP-encap: ESP(spi=0xdec1dc15,seq=0xd), length 92

Regards,
Marcelo



2013/2/20 Piotr Dzionek <piotr.dzionek at intercon.pl>

> Are ICMP packets encapsulated in ESP headers? Use tcpdump with the protocol
> option set to esp and see if there is any traffic coming out, and check for
> UDP packets with port 4500 (for NAT Traversal traffic).
>
> On 19.02.2013 23:32, Marcelo Moras wrote:
>
> Hi,
>
> I established a connection with openswan and 2 Linux CentOS hosts.
>
> scenario:
>
> |10.0.0.0/24---172.30.1.254|---|200.x.x.x|---INTERNET---|201.X.X.X--192.168.222.0/20|
> |Firewall-OpenSwan         |   | router  |              |OpenSwan                   |
>
> Logs OK
> sent QI2, IPsec SA established
> ISAKMP SA established
>
> Tunnel OK
> IPsec running  - pluto pid: 9153
> pluto pid 9153
> 1 tunnels up
>
> But I cannot ping from one station to the other.
> Ping from 10.0.0.122 to 192.168.222.10
>
> tcpdump Firewall-OpenSwan (left)
> IP 10.0.0.122 > 192.168.222.10: ICMP echo request, id 512, seq 26759, length 40
>
> tcpdump Openswan (right)
> 10.0.0.122 > 192.168.222.10: ICMP echo request, id 512, seq 27527, length 40
>
> I do not get the reply; can someone help me?
>
> Regards,
> Marcelo
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
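Piotr's checklist (is ESP leaving the box, is it UDP-encapsulated on port 4500, do the inner pings get answered) applied mechanically to tcpdump output, as an added example that is not part of the thread; the capture is constructed in the shape of the lines quoted above, with made-up WAN addresses in place of IP_WAN_LEFT and IP_WAN_RIGHT.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the tcpdump lines quoted in the thread (made-up WAN
# addresses): NAT-T ESP both ways on the WAN side, inner echo requests with no replies.
SAMPLE_CAPTURE = """\
17:37:19.384983 IP 200.0.0.1.ipsec-nat-t > 201.0.0.1.ipsec-nat-t: UDP-encap: ESP(spi=0x5b745fa8,seq=0xd), length 92
17:37:19.454113 IP 201.0.0.1.ipsec-nat-t > 172.30.1.254.ipsec-nat-t: UDP-encap: ESP(spi=0xdec1dc15,seq=0xd), length 92
17:37:19.390011 IP 10.0.0.122 > 192.168.222.10: ICMP echo request, id 512, seq 26759, length 40
"""

# ESP, bare (IP protocol 50) or UDP-encapsulated for NAT-T (port 4500, printed by
# tcpdump as ".ipsec-nat-t" + "UDP-encap:"); "IP " is optional as in the right-side capture
ESP_RE = re.compile(r"(?:IP )?(?P<src>\S+?)(?P<natt>\.ipsec-nat-t)? > (?P<dst>\S+?)"
                    r"(?:\.ipsec-nat-t)?: (?:UDP-encap: )?ESP\(spi=(?P<spi>0x[0-9a-f]+),")
ICMP_RE = re.compile(r"(?:IP )?(?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
                     r"id (?P<id>\d+),")

def summarize(capture):
    """ESP SPIs per (src, dst, nat_t) and echo counts per (requester, target, id)."""
    esp = defaultdict(set)
    echo = defaultdict(lambda: {"request": 0, "reply": 0})
    for line in capture.splitlines():
        if m := ESP_RE.search(line):
            esp[(m["src"], m["dst"], m["natt"] is not None)].add(m["spi"])
        elif m := ICMP_RE.search(line):
            # file a reply under its requester so both halves of an exchange share a key
            key = (m["src"], m["dst"], m["id"]) if m["kind"] == "request" else (m["dst"], m["src"], m["id"])
            echo[key][m["kind"]] += 1
    return esp, echo

def diagnose(capture):
    """The checks from the thread: is ESP leaving, is it NAT-T, do pings get answered?"""
    esp, echo = summarize(capture)
    findings = []
    if not esp:
        findings.append("no ESP seen: packets are not entering the tunnel")
    else:
        natt_flows = [k for k in esp if k[2]]
        if natt_flows:
            findings.append("NAT-T in use: %d UDP-encapsulated ESP flow(s)" % len(natt_flows))
        # one way if no address is ever both an ESP source and an ESP destination
        if not ({s for s, _, _ in esp} & {d for _, d, _ in esp}):
            findings.append("ESP flows only one way: no return ESP from the peer")
    for (src, dst, ident), c in sorted(echo.items()):
        if c["request"] and not c["reply"]:
            findings.append("%d echo request(s) %s -> %s (id %s) with no echo reply"
                            % (c["request"], src, dst, ident))
    return findings
```

On the constructed sample the result matches the situation in the thread: ESP is NAT-T encapsulated and present in both directions, yet the echo request to 192.168.222.10 never gets a reply.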
