[Openswan Users] Tunnel up, some hosts work, others don't.

Richard Whittaker richard at avits.ca
Tue Feb 24 13:08:38 EST 2015 

Hi.

I am taking another crack at this in the hopes SOMEONE might have some 
helpful suggesteions. So far, my posts here and in the Ubuntu lists have 
been fruitless, so I will provide as much detail here as I can, and 
hopefully someone might have some suggestions, because I am stumped.

I have two private networks, and I have an openswan tunnel over the 
public internet tying them together.

192.168.0.0/18 on one side,
192.168.64.0/18 on the other side.

The gateways between the two networks, running openswan are on Ubuntu 
12.04 boxes.

Both ends have VMWare guests with a variety of operating systems.

I have a CentOS 5.10 server (vmware guest) on the remote network, I can 
access it from anywhere on the local network.
I have  Windows 2003R2 server (vmware guest) on the remote network, I 
can access it from anywhere on the local network.
I have an Ubuntu 12.04 server (vmware guest) on the remote network, and 
I can ping it from the local network, even with large packets:

---
root at prometheus:~# ping -c 10 db2.avits.ca
PING db2.avits.ca (192.168.64.9) 56(84) bytes of data.
64 bytes from db2.avits.ca (192.168.64.9): icmp_seq=1 ttl=62 time=20.0 ms
64 bytes from db2.avits.ca (192.168.64.9): icmp_seq=2 ttl=62 time=16.7 ms
64 bytes from db2.avits.ca (192.168.64.9): icmp_seq=3 ttl=62 time=15.4 ms
64 bytes from db2.avits.ca (192.168.64.9): icmp_seq=4 ttl=62 time=25.5 ms
64 bytes from db2.avits.ca (192.168.64.9): icmp_seq=5 ttl=62 time=15.9 ms
64 bytes from db2.avits.ca (192.168.64.9): icmp_seq=6 ttl=62 time=16.0 ms
64 bytes from db2.avits.ca (192.168.64.9): icmp_seq=7 ttl=62 time=14.8 ms
64 bytes from db2.avits.ca (192.168.64.9): icmp_seq=8 ttl=62 time=19.7 ms
64 bytes from db2.avits.ca (192.168.64.9): icmp_seq=9 ttl=62 time=14.1 ms
64 bytes from db2.avits.ca (192.168.64.9): icmp_seq=10 ttl=62 time=16.4 ms

--- db2.avits.ca ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9013ms
rtt min/avg/max/mdev = 14.141/17.504/25.572/3.252 ms
root at prometheus:~#

root at prometheus:~# ping -c 10 -s 2000 db2.avits.ca
PING db2.avits.ca (192.168.64.9) 2000(2028) bytes of data.
2008 bytes from db2.avits.ca (192.168.64.9): icmp_seq=1 ttl=62 time=23.8 ms
2008 bytes from db2.avits.ca (192.168.64.9): icmp_seq=2 ttl=62 time=19.2 ms
2008 bytes from db2.avits.ca (192.168.64.9): icmp_seq=3 ttl=62 time=21.7 ms
2008 bytes from db2.avits.ca (192.168.64.9): icmp_seq=4 ttl=62 time=32.1 ms
2008 bytes from db2.avits.ca (192.168.64.9): icmp_seq=5 ttl=62 time=21.7 ms
2008 bytes from db2.avits.ca (192.168.64.9): icmp_seq=6 ttl=62 time=20.5 ms
2008 bytes from db2.avits.ca (192.168.64.9): icmp_seq=7 ttl=62 time=19.4 ms
2008 bytes from db2.avits.ca (192.168.64.9): icmp_seq=8 ttl=62 time=19.4 ms
2008 bytes from db2.avits.ca (192.168.64.9): icmp_seq=9 ttl=62 time=32.8 ms
2008 bytes from db2.avits.ca (192.168.64.9): icmp_seq=10 ttl=62 time=22.1 ms

--- db2.avits.ca ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9013ms
rtt min/avg/max/mdev = 19.227/23.319/32.864/4.800 ms
root at prometheus:~#

root at prometheus:~# traceroute -n db2.avits.ca
traceroute to db2.avits.ca (192.168.64.9), 30 hops max, 38 byte packets
  1  192.168.0.1  0.194 ms  0.180 ms  0.151 ms
  2  * * *
  3  192.168.64.9  21.298 ms  15.936 ms  13.980 ms
root at prometheus:~#

...so ICMP stuff works.

I try to SSH to the server..
root at prometheus:~# ssh -l richard db2.avits.ca
..........Waiting.......Waiting......

So... I SSH in to the CentOS 5.10 box on the remote network. It's on the 
same subnet as db2.

[root at illustrious ~]# traceroute db2
traceroute to db2 (192.168.64.9), 30 hops max, 40 byte packets
  1  db2.avits.ca (192.168.64.9)  0.709 ms  0.757 ms  0.737 ms
[root at illustrious ~]#

[root at illustrious ~]# ssh -l richard db2
richard at db2's password:
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.2.0-75-generic-pae i686)

...

So I ask, what is different on the Ubuntu 12.04 from the CentOS box that 
would be causing  the Ubuntu box to not send TCP traffic over the 
tunnel, but would allow ICMP traffic to pass? What do I look for? What 
do I tweak, poke, prod, and am I the only person on the planet that has 
come across this issue?

Thanks,
Hopeful for any kind of pointers, or suggestions!
Richard.


-- 
Alberni Valley IT Services

-------------- next part --------------
A non-text attachment was scrubbed...
Name: richard.vcf
Type: text/x-vcard
Size: 277 bytes
Desc: not available
URL: <http://lists.openswan.org/pipermail/users/attachments/20150224/739e9a1d/attachment.vcf>

More information about the Users mailing list