
RE: [Users] IPSec link established, but can not ping

From: Ad Koster (lidad_at_zeelandnet.nl)
Date: Tue May 07 2002 - 10:41:29 CEST


On Mon, 2002-05-06 at 22:06, Jared Priddy wrote:
> If your iptables policy is to drop unless explicitly allowed, you might be
> blocking icmp.
>
> -----Original Message-----
> From: David Correa [mailto:tech_at_linux-tech.com]
> Sent: Saturday, April 27, 2002 10:44 PM
> To: users_at_lists.freeswan.org
> Subject: [Users] IPSec link established, but can not ping
>
>
> Hi,
>
> I'm stuck because it looks like the ipsec connection is
> established, yet I cannot ping from side to side
> using the ipsec link. This is the data:
>
> 1. Both sides show the icmp: echo request (DF) but not the reply.
> Routing seems ok, since I can see icmp: echo request sent from
> the hosts in the local networks (leftsubnet/rightsubnet) with
> tcpdump -i ipsec0
> 2. Both kernels are 2.4.18 with freeswan-1.97, iptables/nat
>
> ----------------------------------------------------------------
> ipsec.conf
> ---------------------------------------------------------------
> config setup
>     interfaces="ipsec0=eth1"
>     klipsdebug=none
>     plutodebug=none
>     plutoload=%search
>     plutostart=%search
>     uniqueids=yes
>
> conn lago-to-onix
>     left=66.xx.xx.xx
>     leftsubnet=10.10.10.0/24
>     leftrsasigkey=0sAQmtQhQY7jx1J0MutfoUD7u4B74add89GMv7IqPJ......
>     right=66.xx.xx.yy
>     rightsubnet=192.168.10.0/24
>     rightrsasigkey=0sAQOP9WfT8LuYxyz737v2RZDeMwb6SvjzVJT+x......
>     authby=rsasig
>     auto=start
>
> ----------------------------------------------------------------
> Right side log=>
> ----------------------------------------------------------------
> Apr 27 18:28:22 sol ipsec_setup: Starting FreeS/WAN IPsec 1.97...
> Apr 27 18:28:23 sol kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.97
> Apr 27 18:28:23 sol ipsec_setup: KLIPS debug `none'
> Apr 27 18:28:24 sol ipsec_setup: KLIPS ipsec0 on eth1 66.123.yy.yy/255.255.255.248 broadcast 66.123.yy.yz
> Apr 27 18:28:25 sol ipsec_setup: ipchains: Protocol not available
> Apr 27 18:28:25 sol ipsec_setup: ...FreeS/WAN IPsec started
> Apr 27 18:28:28 sol ipsec__plutorun: 104 "lago-to-onix" #1: STATE_MAIN_I1: initiate
> Apr 27 18:28:28 sol ipsec__plutorun: 106 "lago-to-onix" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Apr 27 18:28:28 sol ipsec__plutorun: 108 "lago-to-onix" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Apr 27 18:28:28 sol ipsec__plutorun: 004 "lago-to-onix" #1: STATE_MAIN_I4: ISAKMP SA established
> Apr 27 18:28:28 sol ipsec__plutorun: 112 "lago-to-onix" #2: STATE_QUICK_I1: initiate
> Apr 27 18:28:28 sol ipsec__plutorun: 004 "lago-to-onix" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
>
> -----------------------------------------------------------------
> Left side log =>
> ----------------------------------------------------------------
> Apr 27 18:01:28 onix ipsec_setup: ...FreeS/WAN IPsec stopped
> Apr 27 18:01:29 onix ipsec_setup: Starting FreeS/WAN IPsec 1.95...
> Apr 27 18:01:29 onix ipsec_setup: KLIPS debug `none'
> Apr 27 18:01:29 onix ipsec_setup: KLIPS ipsec0 on eth1 66.123.zz.zz/255.255.255.248 broadcast 66.123.zz.yz
> Apr 27 18:01:29 onix ipsec_setup: ...FreeS/WAN IPsec started
> Apr 27 18:01:40 onix ipsec__plutorun: 104 "lago-to-onix" #1: STATE_MAIN_I1: initiate
> Apr 27 18:01:40 onix ipsec__plutorun: 010 "lago-to-onix" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
> Apr 27 18:01:40 onix ipsec__plutorun: 106 "lago-to-onix" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Apr 27 18:01:40 onix ipsec__plutorun: 108 "lago-to-onix" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Apr 27 18:01:40 onix ipsec__plutorun: 004 "lago-to-onix" #1: STATE_MAIN_I4: ISAKMP SA established
> Apr 27 18:01:40 onix ipsec__plutorun: 112 "lago-to-onix" #4: STATE_QUICK_I1: initiate
> Apr 27 18:01:40 onix ipsec__plutorun: 004 "lago-to-onix" #4: STATE_QUICK_I2: sent QI2, IPsec SA established
> ---------------------------------------------------------------
>
> ---------------------------------------------------------------
> iptables rules for ipsec
> -----------------------------------------------------------
> # Allow IKE negotiations
> /sbin/iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
>
> # Allow ESP encryption and authentication (Protocol 50)
> /sbin/iptables -A INPUT -p 50 -j ACCEPT
> /sbin/iptables -A OUTPUT -p 50 -j ACCEPT
>
> # Allow AH authentication header (Protocol 51)
> /sbin/iptables -A INPUT -p 51 -j ACCEPT
> /sbin/iptables -A OUTPUT -p 51 -j ACCEPT
> -------------------------------------------------------------
>
> Thanks in advance for the help.
>
> David Correa
> Public Key http://www.linux-tech.com/linuxtech.asc
> Key fingerprint 7F2C E072 479D 71B4 008B 373E A284 8CDE 7659 F5D8
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users

Did you already try:

echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter

You could add these lines to your firewall script.

Ad Koster
lidad_at_zeelandnet.nl



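The two causes raised in the thread (a DROP policy with no ACCEPT for ICMP or for traffic arriving on ipsec0, and rp_filter still enabled on eth0 and ipsec0) can be checked with a small script. This is an added example, not code from either poster; it assumes rules in iptables-save format and takes the proc tree as a path so it runs against a constructed sample instead of the live system.

```shell
#!/bin/sh
# Diagnostic for "IPsec SA established but ping fails". Checks the two
# causes from the thread: firewall policy DROP without an ACCEPT for icmp
# or ipsec0, and rp_filter=1 on eth0/ipsec0. Paths are parameters so the
# checks can be exercised against a constructed sample tree (below).

# Print "dev=value" for each interface's rp_filter under the given proc root.
rp_filter_report() {
    root="$1"; shift
    for dev in "$@"; do
        f="$root/net/ipv4/conf/$dev/rp_filter"
        if [ -r "$f" ]; then echo "$dev=$(cat "$f")"; else echo "$dev=missing"; fi
    done
}

# Succeed (0) when CHAIN in an iptables-save dump has policy DROP and no rule
# accepts icmp or packets arriving on ipsec0, i.e. the echo reply is dropped.
icmp_blocked() {
    rules="$1"; chain="$2"
    grep -q "^:$chain DROP" "$rules" || return 1
    grep -Eq "^-A $chain .*(-p icmp|-i ipsec0).*-j ACCEPT" "$rules" && return 1
    return 0
}

# Constructed sample: the poster's IKE/ESP/AH rules (iptables-save prints
# protocols 50/51 as esp/ah) under a DROP policy, with rp_filter=1 on both
# interfaces. Prints one finding per problem found.
diagnose_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/proc/net/ipv4/conf/eth0" "$tmp/proc/net/ipv4/conf/ipsec0"
    echo 1 > "$tmp/proc/net/ipv4/conf/eth0/rp_filter"
    echo 1 > "$tmp/proc/net/ipv4/conf/ipsec0/rp_filter"
    cat > "$tmp/rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
COMMIT
EOF
    for chain in INPUT FORWARD; do
        icmp_blocked "$tmp/rules" "$chain" && echo "$chain: DROP policy, no ACCEPT for icmp or ipsec0"
    done
    rp_filter_report "$tmp/proc" eth0 ipsec0 | grep '=1$' | sed 's/=1$/: rp_filter=1, set to 0/'
    rm -rf "$tmp"
}
```

On a real gateway, point rp_filter_report at /proc/sys and icmp_blocked at the output of iptables-save; FORWARD matters as much as INPUT because the pings in the thread originate from hosts behind the gateways.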



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:57 CEST