Well, I've finally got my FreeS/WAN session connected... Heh. I'm
attaching 192.168.1.10 to 192.168.1.64 (encrypting connection between 2
machines on the same LAN) and after they establish, I cannot actually
send traffic through those IPs! It's driving me nuts. Neither of them
has firewalls turned on at all. One machine (.64) is actually a VMware
window :P but it has a real IP, and communicates perfectly fine
normally, so I don't see this as an issue.

Down to the details.

ipsec.conf:
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0

conn site1-site2
        left=192.168.1.10
        right=192.168.1.64
        auto=add
        authby=rsasig
        leftid=@site1.company.com
        rightid=@site2.company.com
        leftrsasigkey=0sAQPYZFT1j5pg+sCB0lOoz9YimuCk/nzWBmppB/nmiVkh7DDPn2jNidFC
6OIMIpdeXlD6MJGitbpdi2+xkJEmXN44A37FYIVOxysqzZ0kllNpvmxVO4AT4as5WzsIrG9C
DZczM8h3znlnTGzD71pCcL+lGBKai2gSsiXxdYIPA187tw==
        rightrsasigkey=0sAQN0OWGS4yXNjNWeUSEDnLdGFf1nc0lWr+isFGx1MBV3SyQbfEYuTyJ
jGUnItRupMBO3iWAAzdSVhtN9+iLSyt7rPH3Du2oMxkmDQOxLaldqigT+TrwPOXiSIbJfr/r
3OUnJYYYkLokCOzVkB8Gbs0eFaGrhA4ZEASsJy28Am4VX/Q==

And after loading ipsec on either side, I run:
# ipsec auto --up site1-site2
104 "site1-site2" #1: STATE_MAIN_I1: initiate
106 "site1-site2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "site1-site2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "site1-site2" #1: STATE_MAIN_I4: ISAKMP SA established
112 "site1-site2" #2: STATE_QUICK_I1: initiate
004 "site1-site2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established

Great! They connected. Let's run ipsec look:
# ipsec look
radon Tue Mar 26 00:42:39 GMT 2002
192.168.1.10/32 -> 192.168.1.64/32 => tun0x1002@192.168.1.64 esp0x8187caec@192.168.1.64 (84)
ipsec0->eth0 mtu=16260(1443)->1500
esp0x8187caec@192.168.1.64 ESP_3DES_HMAC_MD5: dir=out src=192.168.1.10 iv_bits=64bits iv=0x4e93ede0d2607a72 ooowin=64 seq=42 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(4128,0,0)addtime(6364,0,0)usetime(6383,0,0)packets(42,0,0) idle=591
esp0xec9ebd7b@192.168.1.10 ESP_3DES_HMAC_MD5: dir=in src=192.168.1.64 iv_bits=64bits iv=0x2db78ff8b074fd03 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(6364,0,0)
tun0x1001@192.168.1.10 IPIP: dir=in src=192.168.1.64 life(c,s,h)=addtime(6364,0,0)
tun0x1002@192.168.1.64 IPIP: dir=out src=192.168.1.10 life(c,s,h)=bytes(2850,0,0)addtime(6364,0,0)usetime(6383,0,0)packets(42,0,0) idle=591
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG       40 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 ipsec0
192.168.1.64    192.168.1.64    255.255.255.255 UGH      40 0          0 ipsec0

Looks okay to me... ?
Now when I ping or telnet or whatever between them, no traffic makes it
through. Tcpdump on either end verifies that the packets aren't making
it.
Help!!

--
Dayton Turner
Air Games Wireless Inc.
Suite 204, 309 W. Cordova St.
Vancouver BC V6B 1E5 Canada
Tel: +1.604.408.2228
Fax: +1.604.408.2649
Cell: +1.604.710.2466
Email: dayton_at_airg.com
Web: www.airg.com
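
Added example, not part of the original post: a small Python parser for the SA lines of `ipsec look` that totals the current packet counters per direction, which makes it easy to see which direction of a tunnel has actually carried traffic. The function names are illustrative, and the sample input is the post's own four SA lines with wrapped lines rejoined.

```python
import re

# The four SA lines from the post's `ipsec look` output, wrapped lines rejoined.
SAMPLE = """\
esp0x8187caec@192.168.1.64 ESP_3DES_HMAC_MD5: dir=out src=192.168.1.10 iv_bits=64bits iv=0x4e93ede0d2607a72 ooowin=64 seq=42 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(4128,0,0)addtime(6364,0,0)usetime(6383,0,0)packets(42,0,0) idle=591
esp0xec9ebd7b@192.168.1.10 ESP_3DES_HMAC_MD5: dir=in src=192.168.1.64 iv_bits=64bits iv=0x2db78ff8b074fd03 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(6364,0,0)
tun0x1001@192.168.1.10 IPIP: dir=in src=192.168.1.64 life(c,s,h)=addtime(6364,0,0)
tun0x1002@192.168.1.64 IPIP: dir=out src=192.168.1.10 life(c,s,h)=bytes(2850,0,0)addtime(6364,0,0)usetime(6383,0,0)packets(42,0,0) idle=591
"""

# SA id, transform and direction; mail archives may render '@' as '_at_'.
SA_RE = re.compile(
    r"^(?P<said>(?:esp|ah|comp|tun)0x[0-9a-f]+(?:@|_at_)\S+)\s+"
    r"(?P<xform>\S+):\s+dir=(?P<dir>in|out)\b")
# First value of each life(c,s,h) tuple, taken here as the current count.
COUNTER_RE = re.compile(r"(bytes|packets|usetime)\((\d+),")

def parse_sas(text):
    """Return one dict per SA line; counters absent from a line count as 0."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if not m:
            continue  # policy, interface and routing lines are skipped
        counters = {k: int(v) for k, v in COUNTER_RE.findall(line)}
        sas.append({"said": m["said"], "xform": m["xform"], "dir": m["dir"],
                    "packets": counters.get("packets", 0),
                    "bytes": counters.get("bytes", 0)})
    return sas

def packets_by_direction(sas):
    """Sum the current packet counters of all SAs, split by dir=in/out."""
    totals = {"in": 0, "out": 0}
    for sa in sas:
        totals[sa["dir"]] += sa["packets"]
    return totals

def unused_sas(sas):
    """SA ids that have not processed a single packet."""
    return [sa["said"] for sa in sas if sa["packets"] == 0]

def is_one_way(sas):
    """True when exactly one direction shows traffic."""
    totals = packets_by_direction(sas)
    return (totals["in"] == 0) != (totals["out"] == 0)

if __name__ == "__main__":
    sas = parse_sas(SAMPLE)
    print(packets_by_direction(sas), unused_sas(sas), is_one_way(sas))
```

Run on the sample, it totals 84 outbound packets (42 on each of the ESP and IPIP SAs) and 0 inbound, so both inbound SAs are listed as unused.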