If your iptables policy is to drop unless explicitly allowed, you might be
blocking icmp.
-----Original Message-----
From: David Correa [mailto:tech_at_linux-tech.com]
Sent: Saturday, April 27, 2002 10:44 PM
To: users_at_lists.freeswan.org
Subject: [Users] IPSec link established, but can not ping
Hi,
I'm stuck because it looks like the IPsec connection is
established, yet I cannot ping from side to side
using the IPsec link. This is the data:
1. Both sides show the icmp: echo request (DF) but not the reply.
Routing seems ok, since I can see icmp: echo request sent from
the hosts in the local networks (leftsubnet/rightsubnet) with
tcpdump -i ipsec0
2. Both kernels are 2.4.18 with freeswan-1.97, iptables/nat
----------------------------------------------------------------
ipsec.conf
---------------------------------------------------------------
config setup
interfaces="ipsec0=eth1"
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes
conn lago-to-onix
left=66.xx.xx.xx
leftsubnet=10.10.10.0/24
leftrsasigkey=0sAQmtQhQY7jx1J0MutfoUD7u4B74add89GMv7IqPJ......
right=66.xx.xx.yy
rightsubnet=192.168.10.0/24
rightrsasigkey=0sAQOP9WfT8LuYxyz737v2RZDeMwb6SvjzVJT+x......
authby=rsasig
auto=start
----------------------------------------------------------------
Right side log=>
----------------------------------------------------------------
Apr 27 18:28:22 sol ipsec_setup: Starting FreeS/WAN IPsec 1.97...
Apr 27 18:28:23 sol kernel: klips_info:ipsec_init: KLIPS startup,
FreeS/WAN IPSec version: 1.97
Apr 27 18:28:23 sol ipsec_setup: KLIPS debug `none'
Apr 27 18:28:24 sol ipsec_setup: KLIPS ipsec0 on eth1
66.123.yy.yy/255.255.255.248 broadcast 66.123.yy.yz
Apr 27 18:28:25 sol ipsec_setup: ipchains: Protocol not available
Apr 27 18:28:25 sol ipsec_setup: ...FreeS/WAN IPsec started
Apr 27 18:28:28 sol ipsec__plutorun: 104 "lago-to-onix" #1: STATE_MAIN_I1:
initiate
Apr 27 18:28:28 sol ipsec__plutorun: 106 "lago-to-onix" #1: STATE_MAIN_I2:
sent MI2, expecting MR2
Apr 27 18:28:28 sol ipsec__plutorun: 108 "lago-to-onix" #1: STATE_MAIN_I3:
sent MI3, expecting MR3
Apr 27 18:28:28 sol ipsec__plutorun: 004 "lago-to-onix" #1: STATE_MAIN_I4:
ISAKMP SA established
Apr 27 18:28:28 sol ipsec__plutorun: 112 "lago-to-onix" #2:
STATE_QUICK_I1: initiate
Apr 27 18:28:28 sol ipsec__plutorun: 004 "lago-to-onix" #2:
STATE_QUICK_I2: sent QI2, IPsec SA established
-----------------------------------------------------------------
Left side log =>
----------------------------------------------------------------
Apr 27 18:01:28 onix ipsec_setup: ...FreeS/WAN IPsec stopped
Apr 27 18:01:29 onix ipsec_setup: Starting FreeS/WAN IPsec 1.95...
Apr 27 18:01:29 onix ipsec_setup: KLIPS debug `none'
Apr 27 18:01:29 onix ipsec_setup: KLIPS ipsec0 on eth1
66.123.zz.zz/255.255.255.248 broadcast 66.123.zz.yz
Apr 27 18:01:29 onix ipsec_setup: ...FreeS/WAN IPsec started
Apr 27 18:01:40 onix ipsec__plutorun: 104 "lago-to-onix" #1:
STATE_MAIN_I1: initiate
Apr 27 18:01:40 onix ipsec__plutorun: 010 "lago-to-onix" #1:
STATE_MAIN_I1: retransmission; will wait 20s for
response
Apr 27 18:01:40 onix ipsec__plutorun: 106 "lago-to-onix" #1:
STATE_MAIN_I2: sent MI2, expecting MR2
Apr 27 18:01:40 onix ipsec__plutorun: 108 "lago-to-onix" #1:
STATE_MAIN_I3: sent MI3, expecting MR3
Apr 27 18:01:40 onix ipsec__plutorun: 004 "lago-to-onix" #1:
STATE_MAIN_I4: ISAKMP SA established
Apr 27 18:01:40 onix ipsec__plutorun: 112 "lago-to-onix" #4:
STATE_QUICK_I1: initiate
Apr 27 18:01:40 onix ipsec__plutorun: 004 "lago-to-onix" #4:
STATE_QUICK_I2: sent QI2, IPsec SA established
---------------------------------------------------------------
iptables rules for ipsec
---------------------------------------------------------------
# Allow IKE negotiations
/sbin/iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# Allow ESP encryption and authentication (Protocol 50)
/sbin/iptables -A INPUT -p 50 -j ACCEPT
/sbin/iptables -A OUTPUT -p 50 -j ACCEPT
# Allow AH authentication header (Protocol 51)
/sbin/iptables -A INPUT -p 51 -j ACCEPT
/sbin/iptables -A OUTPUT -p 51 -j ACCEPT
-------------------------------------------------------------
Thanks in advance for the help.
David Correa
Public Key http://www.linux-tech.com/linuxtech.asc
Key fingerprint 7F2C E072 479D 71B4 008B 373E A284 8CDE 7659 F5D8
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
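The ruleset in the quoted post only admits the tunnel's outer traffic (IKE, ESP, AH); with KLIPS, the decrypted packets then reappear on ipsec0 and are filtered a second time in plaintext, which is where a default-DROP policy silently eats the echo requests and replies. The script below is an added example, not code from the thread or from FreeS/WAN: it rebuilds the poster's rules under a DROP policy, adds the ICMP and FORWARD rules that the reply's diagnosis calls for, and includes a small check that inspects a rule listing for an ICMP accept. It assumes eth0 is the internal LAN interface (the post only names eth1 as the IPsec side) and uses the poster's leftsubnet/rightsubnet values; IPT defaults to a dry-run echo so it can be read without root.

```shell
#!/bin/sh
# Added example (not part of the original thread). IPT defaults to a dry
# run that prints the iptables commands; set IPT=/sbin/iptables to apply.
IPT="${IPT:-echo /sbin/iptables}"

# Hypothetical interface and subnet assumptions: eth0 is the LAN side,
# eth1 is the IPsec side (ipsec0=eth1 in the post), subnets from the post.
LAN_IF="${LAN_IF:-eth0}"
LEFT_NET="${LEFT_NET:-10.10.10.0/24}"
RIGHT_NET="${RIGHT_NET:-192.168.10.0/24}"

# The rules from the original post under a drop-by-default policy.
# These let the ISAKMP and IPsec SAs come up (IKE/500, ESP/50, AH/51)
# but admit nothing that arrives decrypted on ipsec0.
ipsec_transport_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
    $IPT -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
    $IPT -A INPUT  -p 50 -j ACCEPT
    $IPT -A OUTPUT -p 50 -j ACCEPT
    $IPT -A INPUT  -p 51 -j ACCEPT
    $IPT -A OUTPUT -p 51 -j ACCEPT
}

# The missing piece: plaintext traffic on ipsec0. Echo request/reply to the
# gateway itself, and subnet-to-subnet forwarding between the LAN and the
# tunnel, restricted to the two networks named in ipsec.conf.
ipsec_plaintext_rules() {
    $IPT -A INPUT   -i ipsec0 -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT   -i ipsec0 -p icmp --icmp-type echo-reply   -j ACCEPT
    $IPT -A OUTPUT  -o ipsec0 -p icmp -j ACCEPT
    $IPT -A FORWARD -i ipsec0 -o "$LAN_IF" -s "$RIGHT_NET" -d "$LEFT_NET"  -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o ipsec0 -s "$LEFT_NET"  -d "$RIGHT_NET" -j ACCEPT
}

# Diagnostic check: read a rule listing on stdin (dry-run output above, or
# `iptables -S` on a live box) and succeed only if some rule accepts ICMP.
# Under a DROP policy, no match here explains "SA established, ping lost".
ruleset_allows_icmp() {
    grep -q -- '-p icmp.*-j ACCEPT'
}

# Stand-alone run: show the before/after rulesets and the verdict of the check.
main() {
    echo "== transport-only rules (poster's set) =="
    ipsec_transport_rules
    if ipsec_transport_rules | ruleset_allows_icmp; then
        echo "ICMP allowed"
    else
        echo "ICMP would be dropped on ipsec0"
    fi
    echo "== plus plaintext rules for ipsec0 =="
    ipsec_plaintext_rules
    if ipsec_plaintext_rules | ruleset_allows_icmp; then
        echo "ICMP allowed"
    fi
}

# Only run main when executed directly, not when sourced by a test harness.
[ "${0##*/}" = "ipsec_fw_example.sh" ] && main
```

The check is deliberately crude (a grep over the listing) because the aim is a quick yes/no answer to the reply's question; on a live gateway, `iptables -L -v -n` counters on the DROP policy and `tcpdump -i ipsec0` together confirm whether the echo reply is generated and then discarded.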
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:57 CEST