
[Users] tunnel active? but still no traffic going through the tunnel

From: Stephan Scheufen (s.scheufen_at_ebv.com)
Date: Sat Mar 30 2002 - 16:07:54 CET


Hi Freeswan Gurus!

Please excuse my stupid questions, but I'm not sure what's going on here in my
1st VPN config...
I read a lot of docs but I still can't find the solution.

Here's my installation:
-----------------------
client-a 192.168.241.199
   |
subnet-a 192.168.241.0/24
   |
tabor-intif 192.168.241.10
tabor-extif dynamic
   |
*internet*
   |
gate-extif dynamic
gate-intif 192.168.0.1
   |
subnet-b 192.168.0.0/24
   |
client-b 192.168.0.51

I cannot ping from client-a to client-b... and vice versa.
I can't even see where the packets leave the subnets.
But I'm sure that client-a has tabor-intif as its default gateway and client-b
has gate-intif as its default gateway, and both gateways (tabor and gate) have
IP forwarding enabled. I tested this by pinging from client-a and client-b to
www.ebv.com and it works.

I'm nearly ready to jump out of the window because it seems that I'm stupid... ;-)

Can somebody assist me?? Please... (so I don't have to do the window jump... :-))
It would be nice if somebody could help me via PM so that I can learn from you.

Regards from Germany
Stephan

NB: here is some info about the connections.

If I run the command "ipsec auto --up sw-cs" on tabor I get:
-----------------------------------------------------------------------------
tabor:~ # ipsec auto --up sw-cs
102 "sw-cs" #1: STATE_MAIN_I1: initiate
104 "sw-cs" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
106 "sw-cs" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
004 "sw-cs" #1: STATE_MAIN_I4: ISAKMP SA established
110 "sw-cs" #2: STATE_QUICK_I1: initiate
004 "sw-cs" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
-----------------------------------------------------------------------------

And "ipsec look" shows:
-----------------------------------------------------------------------------
tabor:~ # ipsec look
tabor Sat Mar 30 15:44:54 CET 2002
192.168.241.0/24 -> 192.168.0.0/24 => tun0x1002@217.224.158.92 esp0x32a94c4e@217.224.158.92
ipsec0->ppp0 mtu=16260->1492
esp0x32a94c4e@217.224.158.92 ESP_3DES_HMAC_MD5: dir=out src=80.133.143.119 iv_bits=64bits iv=0x20ff5b689a6bd2de ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(28,0,0)
esp0xcff4aa1a@80.133.143.119 ESP_3DES_HMAC_MD5: dir=in src=217.224.158.92 iv_bits=64bits iv=0x2234544289f2967e ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(28,0,0)
tun0x1001@80.133.143.119 IPIP: dir=in src=217.224.158.92 life(c,s,h)=add(28,0,0)
tun0x1002@217.224.158.92 IPIP: dir=out src=80.133.143.119 life(c,s,h)=add(28,0,0)
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         217.5.98.52     0.0.0.0         UG     40 0      0    ppp0
192.168.0.0     217.5.98.52     255.255.255.0   UG     40 0      0    ipsec0
217.5.98.52     0.0.0.0         255.255.255.255 UH     40 0      0    ipsec0
217.5.98.52     0.0.0.0         255.255.255.255 UH     40 0      0    ppp0
-----------------------------------------------------------------------------
So everything seems to be OK with the tunnel...
but I can't "ping 192.168.0.51" from 192.168.241.199... it gives "timeout"
:-(

Here is also my ipsec.conf:
-----------------------------------------------------------------------------
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        forwardcontrol=yes

# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        authby=rsasig
        #leftrsasigkey=%dns
        #rightrsasigkey=%dns

# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
        left=%defaultroute
        right=%opportunistic
        # uncomment to enable incoming; change to auto=route for outgoing
        #auto=add

conn sw-cs
        # Left security gateway, subnet behind it, next hop toward right.
        left=scheufenworld.dyndns.org
        leftsubnet=192.168.241.0/24
        leftnexthop=%defaultroute
        leftrsasigkey=x01036540361ce....
        #leftfirewall=yes
        # Right security gateway, subnet behind it, next hop toward left.
        right=copyservice.dyndns.org
        rightsubnet=192.168.0.0/24
        rightnexthop=%defaultroute
        rightrsasigkey=x01038217e8a0.....
        #rightfirewall=yes
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=add
-----------------------------------------------------------------------------

Stephan Scheufen - IT Systems and Office Support Europe
EBV ELEKTRONIK
Lötscher Weg 66 - D-41334 Nettetal - Germany
Fon: +49-2153-733-315 - Fax: 310 - Mail: s.scheufen_at_ebv.com

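As an added diagnostic (not part of Stephan's post or of FreeS/WAN itself), the following Python check reads an "ipsec look" dump and verifies, for every eroute, that an outbound and an inbound ESP SA exist for the peer and that the remote subnet is routed out of an ipsec interface, which is exactly what the dump above has to show before a "tunnel up but no traffic" problem can be blamed on the tunnel. The sample input is constructed from the dump in the post, with "@" restored where the archive prints "_at_" (the parser accepts both spellings).

```python
"""Consistency check over a FreeS/WAN (KLIPS) 'ipsec look' dump: for every eroute,
confirm an outbound and an inbound ESP SA with the same peer and a kernel route
that sends the remote subnet out of an ipsecN interface."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the dump in the post ('@' restored; the parser also accepts '_at_').
SAMPLE = """\
192.168.241.0/24 -> 192.168.0.0/24 => tun0x1002@217.224.158.92 esp0x32a94c4e@217.224.158.92
ipsec0->ppp0 mtu=16260->1492
esp0x32a94c4e@217.224.158.92 ESP_3DES_HMAC_MD5: dir=out src=80.133.143.119 iv_bits=64bits
esp0xcff4aa1a@80.133.143.119 ESP_3DES_HMAC_MD5: dir=in src=217.224.158.92 iv_bits=64bits
tun0x1002@217.224.158.92 IPIP: dir=out src=80.133.143.119
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 217.5.98.52 0.0.0.0 UG 40 0 0 ppp0
192.168.0.0 217.5.98.52 255.255.255.0 UG 40 0 0 ipsec0
217.5.98.52 0.0.0.0 255.255.255.255 UH 40 0 0 ipsec0
"""

AT = r"(?:@|_at_)"
EROUTE = re.compile(r"^(\S+) -> (\S+) => tun0x[0-9a-f]+" + AT + r"(\S+)")
SA = re.compile(r"^esp0x[0-9a-f]+" + AT + r"(\S+) \S+: dir=(in|out) src=(\S+)")
ROUTE = re.compile(r"^(\d+(?:\.\d+){3}) \S+ (\d+(?:\.\d+){3}) \S+ \d+ \d+ \d+ (\S+)$")

def check_ipsec_look(text):
    """Return a list of problem strings; an empty list means the dump is self-consistent."""
    eroutes, sa_peers, routes = [], defaultdict(set), {}
    for line in text.splitlines():
        if m := EROUTE.match(line):
            eroutes.append(m.groups())                      # (local subnet, remote subnet, peer)
        elif m := SA.match(line):
            dst, direction, src = m.groups()
            # an outbound SA is addressed to the peer; an inbound SA arrives from the peer
            sa_peers[direction].add(dst if direction == "out" else src)
        elif m := ROUTE.match(line):
            routes[(m.group(1), m.group(2))] = m.group(3)  # (network, genmask) -> iface
    problems = [] if eroutes else ["no eroute: an IPsec SA may be up, but no traffic is selected into it"]
    for local, remote, peer in eroutes:
        if peer not in sa_peers["out"]:
            problems.append(f"{local}->{remote}: no outbound ESP SA to {peer}")
        if peer not in sa_peers["in"]:
            problems.append(f"{local}->{remote}: no inbound ESP SA from {peer}")
        net = ipaddress.ip_network(remote)
        iface = routes.get((str(net.network_address), str(net.netmask)))
        if not iface or not iface.startswith("ipsec"):
            problems.append(f"{local}->{remote}: routed via {iface or 'nothing'}, not an ipsec interface")
    return problems
```

Run against the dump in the post, `check_ipsec_look(SAMPLE)` returns an empty list, which narrows the search to what "ipsec look" cannot show: forwarding and packet filtering on both gateways and the return path on the far side.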



_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users