On Tue, Jul 16, 2002 at 10:52:27AM -0700, Stephen J Bevan mumbled:
> Charles Mauch writes:
> > I'm trying to setup an ipsec tunnel from my laptop (linux) to my server at
> > home (linux). I was able to configure freeswan and get a tunnel up and
> > running between the two, but actually communicating with my server or with
> > any of the clients behind it through that tunnel is something of a problem.
> > [snip]
> > I log all dropped packets on the server, and I don't see anything being
> > dropped by the firewall, so I'm assuming it's a routing or reverse-nat
> > problem.
>
> You describe a tcpdump on your laptop but what about a tcpdump on the
> server? Do you see a ping from the server appearing on the external
> interface, ipsec interface and internal interface? If so, what about
> the reply? If possible, include the tcpdump output for all three
> interfaces while a ping from your laptop to a protected machine is in
> progress.
I'll try and generate a dump on all the interfaces tomorrow when I'm again
on the other side of the server. I have simplified the problem somewhat (I
think). Here is the problem, with a little more detail this time (and
re-written).
Summary: KLIPS seems to be dropping inbound ipsec packets.
"gateway" (left) - also acting as firewall to internal network
FreeS/WAN 1.98b (unmodified)
Debian Linux (woody), Kernel 2.4.18
External Interface = 12.229.136.40 (mask 255.255.252.0) (eth0)
Default GW = 12.229.136.1
"roadwarrior" - (right) laptop
FreeSWAN 1.98b (unmodified)
Debian Linux (woody), Kernel 2.4.18
External Interface = dhcp assigned (eth0)
Default GW = dhcp assigned (eth0)
tunnel (right now) is pretty simplistic
(gateway) --- internet --- (laptop)
No Nat translation going on, laptop and gateway can ping one
another without ipsec tunnel in place.
Problem Details/Description:
When the tunnel comes up, I can't reach the gateway from my client. I
assume the ipsec tunnel is operating correctly as both sides see an
ipsec session and authenticate. If necessary, I can drop back to
manual authentication, but it seems to negotiate a session okay
with auto.
On the roadwarrior machine (laptop): pings to the server are sent
out over ipsec0. tcpdump confirms icmp messages being sent out.
But with no reply.
On the gateway (server): a tcpdump of ipsec0 shows zilch - no traffic
at all seems to be reaching the 'tunnel' interface. eth0 shows incoming
ipsec traffic. There are some interesting error messages generated
when I turn klipdebugging on. ifconfig also shows dropped packets on
the interface.
Error Messages:
With klipdebug=all, I noticed... (on the gateway)
Jul 16 09:54:59 superunit kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:136 id:54461 frag_off:0 ttl:52 proto:50 chk:33682 saddr:168.156.240.74 daddr:12.229.136.40
Jul 16 09:54:59 superunit kernel: klips_debug:gettdb: linked entry in tdb table for hash=102 of SA:esp0x716790ed_at_12.229.136.40 requested.
Jul 16 09:54:59 superunit kernel: klips_debug:gettdb: no entries in tdb table for hash=102 of SA:esp0x716790ed_at_12.229.136.40.
Jul 16 09:54:59 superunit kernel: klips_debug:ipsec_rcv: no Tunnel Descriptor Block for SA:esp0x716790ed_at_12.229.136.40: incoming packet with no SA dropped
ifconfig ipsec0 (on the gateway)
ipsec0 Link encap:Ethernet HWaddr 00:10:4B:C8:BD:59
inet addr:12.229.136.40 Mask:255.255.252.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:10 errors:0 dropped:10 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
If that isn't enough information, I can also provide barf's from both
clients, but I figured since they're so large, I'd post them as a last
resort.
Thanks for your time...
Charles Mauch <xterminus_at_myrealbox.com>
Please encrypt personal email with GnuPG.
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:23 CEST
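The KLIPS debug output quoted in the message above is the interesting part: ESP (proto 50) arrives on eth0, KLIPS looks up the SA by SPI and destination, finds no Tunnel Descriptor Block, and drops the packet, which is exactly what the "RX dropped" counter on ipsec0 reflects. When chasing this kind of problem it helps to reduce a noisy klips_debug=all log to a count of "no SA dropped" events per peer and SPI, so you can compare the SPIs the kernel is being asked for against the ones actually installed. The following Python is an added example, not code from the post or from FreeS/WAN: it pairs each KLIPS "IP:" header line with the "no SA dropped" line that follows it and tallies drops per (peer, SA). The sample log is constructed from the lines in the post (unwrapped, plus one extra packet and one unrelated line); the SA identifier is accepted in both the native "esp0x...@addr" form and the "_at_" form the archive shows, since the archive's rendering of "@" is an assumption here.

```python
"""Summarise KLIPS 'incoming packet with no SA dropped' events from klips_debug output."""
import re
from collections import Counter

# Header line KLIPS logs for each inbound IP packet (proto 50 = ESP, 51 = AH).
IP_RE = re.compile(
    r"klips_debug:\s*IP:.*?proto:(?P<proto>\d+).*?saddr:(?P<saddr>\S+)\s+daddr:(?P<daddr>\S+)"
)
# Drop line naming the SA (SPI + destination) that was looked up and not found.
# Assumption: the mailing-list archive rendered '@' as '_at_'; accept both.
NOSA_RE = re.compile(
    r"ipsec_rcv: no Tunnel Descriptor Block for SA:"
    r"(?P<sa>(?:esp|ah)0x[0-9a-fA-F]+)(?:@|_at_)(?P<dst>\S+?):\s*incoming packet with no SA dropped"
)

# Constructed sample: lines 1-4 are the post's log entries with line wrapping removed,
# lines 5-6 are a second (invented) packet from the same peer, line 7 is noise to ignore.
SAMPLE_LOG = [
    "Jul 16 09:54:59 superunit kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:136 id:54461 frag_off:0 ttl:52 proto:50 chk:33682 saddr:168.156.240.74 daddr:12.229.136.40",
    "Jul 16 09:54:59 superunit kernel: klips_debug:gettdb: linked entry in tdb table for hash=102 of SA:esp0x716790ed@12.229.136.40 requested.",
    "Jul 16 09:54:59 superunit kernel: klips_debug:gettdb: no entries in tdb table for hash=102 of SA:esp0x716790ed@12.229.136.40.",
    "Jul 16 09:54:59 superunit kernel: klips_debug:ipsec_rcv: no Tunnel Descriptor Block for SA:esp0x716790ed@12.229.136.40: incoming packet with no SA dropped",
    "Jul 16 09:55:00 superunit kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:136 id:54462 frag_off:0 ttl:52 proto:50 chk:33681 saddr:168.156.240.74 daddr:12.229.136.40",
    "Jul 16 09:55:00 superunit kernel: klips_debug:ipsec_rcv: no Tunnel Descriptor Block for SA:esp0x716790ed@12.229.136.40: incoming packet with no SA dropped",
    "Jul 16 09:55:01 superunit kernel: klips_debug:ipsec_rcv: <<< Info -- pkt 1 (constructed noise line)",
]


def parse_no_sa_drops(lines):
    """Return one record per 'no SA dropped' line, joined to the preceding IP header.

    KLIPS logs the IP header first and the drop reason a few lines later, so the
    most recent header is remembered until a drop line consumes it. A drop line
    with no preceding header (e.g. a log excerpt) still yields a record with
    peer/proto set to None rather than being lost.
    """
    last_hdr = None
    drops = []
    for line in lines:
        m = IP_RE.search(line)
        if m:
            last_hdr = m.groupdict()
            continue
        m = NOSA_RE.search(line)
        if m:
            rec = {"sa": m["sa"], "sa_dst": m["dst"], "peer": None, "proto": None}
            if last_hdr is not None:
                rec["peer"] = last_hdr["saddr"]
                rec["proto"] = int(last_hdr["proto"])
            drops.append(rec)
            last_hdr = None  # each header belongs to one packet
    return drops


def drops_per_peer_sa(drops):
    """Count drops keyed by (peer address, SA identifier)."""
    return Counter((d["peer"], d["sa"]) for d in drops)


if __name__ == "__main__":
    for (peer, sa), n in drops_per_peer_sa(parse_no_sa_drops(SAMPLE_LOG)).items():
        print(f"{n:4d} drops  peer={peer}  sa={sa}")
```

Each (peer, sa) pair in the output names an SPI the peer is sending that this gateway has no inbound SA for; the next step in practice is to compare those SPIs with the SAs the gateway actually installed for that peer and see whether the inbound SA is missing, stale from an earlier negotiation, or keyed to a different destination address.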