[Openswan Users] Tunnel up, some hosts work, others don't.
silvertip257 at gmail.com
Thu Feb 26 09:17:56 EST 2015
On Wed, Feb 25, 2015 at 1:19 PM, Richard Whittaker <richard at avits.ca> wrote:
> On 2015-02-25 09:57, SilverTip257 wrote:
> Here's some captures from one of my "near" hosts to one of the non working
> "far" hosts...
Those packet captures appear to indicate no problems. Established TCP
session and so forth.
I believe it would be better for you to tell tcpdump not to resolve host
names -n (you could do the same for ports if you cared -nn). That way
we're focusing on a layer3 problem.
I'd also suggest a list of what host has what IP address. I don't know
<prometheus.avits.ca> address is or which it should be using (across the
tunnel I'd expect RFC1918 like your other hosts). I'm resolving
prometheus' hostname to a public which isn't in that 192.168.0.0/18 network.
~]$ dig -t A prometheus.avits.ca +short
# I suppose you may have DNS views that are coming into play here
# Another reason to leave out the DNS resolution on your packet captures :-)
~]$ dig -t A db2.avits.ca +short
# Maybe it's time for a full diagram ... ASCII would do or Visio/Dia hosted
on an image sharing site would suffice.
While it would be helpful to see your OpenSwan config for this tunnel, it
may not be necessary.
I expect db2 is trying to connect to prometheus' public IP address. Try
excluding DNS from the equation by pinging from db2 to prometheus' address
in the 192.168.0.0/18 network.
> If I need to provide a more detailed session, please let me know.
Since you're using SSH to remotely control those systems, you might use
some other protocol/port to troubleshoot. You said TCP doesn't work across
the tunnel from <prometheus> to <db2>. If there isn't some other TCP
application, you might use netcat to do tests in either direction and this
will allow you to filter your packet capture to that traffic easily.
* Start with determining if traffic is being generated with addresses that
will match (your 192.168.0.0/18 and 192.168.64.0/18 networks) and be sent
over the tunnel.
// SilverTip257 //
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users