
Re: [Users] A little confused

From: Charles Mauch (xterminus_at_myrealbox.com)
Date: Thu Jul 18 2002 - 00:46:50 CEST


On Tue, Jul 16, 2002 at 07:43:39PM -0700, Stephen J Bevan mumbled:

> Klips is clearly dropping the packet because it doesn't think it has
> an SA for the packet it is receiving. We need to see what you do have
> set up. A barf contains that and more, but you could start by
> including the output of :-
>
> $ ipsec spi
> $ ipsec eroute
> $ ipsec spigrp
> $ route -n
>
> which is considerably shorter than a barf. Also have a look at
> /var/log/messages and /var/log/secure and see if you see anything that
> looks like an error message.

I was able to figure this out (I think). It looks like the firewall was
dropping packets that didn't already have an entry in the state table.

But it seems that I've got new problems! (aahhhh!)

I'm able to establish a link, and *usually*, I can start a ping that will
traverse the tunnel and find its way back. But after a couple of seconds,
the pings stop and all traffic that was previously flowing over the tunnel
comes screeching to a halt.

In my auth.log (looking at pluto's debug now), it executes a couple of
scripts: up-host, prepare-host, and route-host.

When it hits the route-host script, the following is generated:

Jul 17 13:36:12 superunit pluto[6805]: | executing route-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-host' PLUTO_CONNECTION='superunit-terminus' PLUTO_NEXT_HOP='168.156.242.177' PLUTO_INTERFACE='ipsec0' PLUTO_ME='12.229.136.40' PLUTO_MY_CLIENT='12.229.136.40/32' PLUTO_MY_CLIENT_NET='12.229.136.40' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_PEER='168.156.242.177' PLUTO_PEER_CLIENT='168.156.242.177/32' PLUTO_PEER_CLIENT_NET='168.156.242.177' PLUTO_PEER_CLIENT_MASK='255.255.255.255' ipsec _updown
Jul 17 13:36:12 superunit pluto[6805]: "superunit-terminus"[1] 168.156.242.177 #4: route-host output: SIOCADDRT: Network is unreachable
Jul 17 13:36:12 superunit pluto[6805]: "superunit-terminus"[1] 168.156.242.177 #4: route-host output: /usr/local/lib/ipsec/_updown: `route add -net 168.156.242.177 netmask 255.255.255.255 dev ipsec0 gw 168.156.242.177' failed
Jul 17 13:36:12 superunit pluto[6805]: "superunit-terminus"[1] 168.156.242.177 #4: route-host output: /usr/local/lib/ipsec/_updown: (incorrect or missing nexthop setting??)
Jul 17 13:36:12 superunit pluto[6805]: "superunit-terminus"[1] 168.156.242.177 #4: route-host command exited with status 7
Jul 17 13:36:12 superunit pluto[6805]: | executing down-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-host' PLUTO_CONNECTION='superunit-terminus' PLUTO_NEXT_HOP='168.156.242.177' PLUTO_INTERFACE='ipsec0' PLUTO_ME='12.229.136.40' PLUTO_MY_CLIENT='12.229.136.40/32' PLUTO_MY_CLIENT_NET='12.229.136.40' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_PEER='168.156.242.177' PLUTO_PEER_CLIENT='168.156.242.177/32' PLUTO_PEER_CLIENT_NET='168.156.242.177' PLUTO_PEER_CLIENT_MASK='255.255.255.255' ipsec _updown
Jul 17 13:36:12 superunit pluto[6805]: | delete eroute 12.229.136.40/32 -> 168.156.242.177/32 => tun.1007@168.156.242.177

Maybe I'm daffy, but shouldn't a route to a host look something like route
add -host instead of route add -net?

Also, I noticed that from my server, I can ping the laptop, and vice versa,
but traceroutes are dropped in front of the laptop. Might this have
something to do with the problem?

Ideas?

And thanks for all the help so far. I'm learning loads ;)

Take it easy,
        Charles <xterminus_at_myrealbox.com>

Please encrypt personal email with GnuPG.
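
An added example, not part of the original message and not FreeS/WAN code: a small Python triage script that pairs each pluto "executing <verb>" debug line with the _updown output and exit status that follow it, so the failed route command can be read next to the PLUTO_* values it was given. The sample log is constructed (abridged from the lines quoted above); the function name triage and the nexthop_is_peer heuristic are assumptions of this example.

```python
import re
import shlex

# Constructed sample, abridged from the log lines quoted in the message above.
SAMPLE_LOG = """\
Jul 17 13:36:12 superunit pluto[6805]: | executing route-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-host' PLUTO_CONNECTION='superunit-terminus' PLUTO_NEXT_HOP='168.156.242.177' PLUTO_INTERFACE='ipsec0' PLUTO_ME='12.229.136.40' PLUTO_PEER='168.156.242.177' PLUTO_PEER_CLIENT_NET='168.156.242.177' PLUTO_PEER_CLIENT_MASK='255.255.255.255' ipsec _updown
Jul 17 13:36:12 superunit pluto[6805]: "superunit-terminus"[1] 168.156.242.177 #4: route-host output: SIOCADDRT: Network is unreachable
Jul 17 13:36:12 superunit pluto[6805]: "superunit-terminus"[1] 168.156.242.177 #4: route-host command exited with status 7
"""

# pluto debug line that shows the environment handed to _updown
EXEC_RE = re.compile(r"\| executing (?P<verb>[\w-]+): 2>&1 (?P<env>.*) ipsec _updown\s*$")
# lines relaying what the script printed, and its exit status
OUT_RE = re.compile(r'"(?P<conn>[^"]+)"\S* \S+ #\d+: (?P<verb>[\w-]+) output: (?P<msg>.*)$')
EXIT_RE = re.compile(r'"(?P<conn>[^"]+)"\S* \S+ #\d+: (?P<verb>[\w-]+) command exited with status (?P<rc>\d+)')

def triage(log_text):
    """Return one finding per failed _updown invocation found in log_text."""
    env_by_key, output, findings = {}, {}, []
    for line in log_text.splitlines():
        if m := EXEC_RE.search(line):
            # shlex strips the single quotes around each PLUTO_* value
            env = dict(tok.split("=", 1) for tok in shlex.split(m["env"]) if "=" in tok)
            env_by_key[(env.get("PLUTO_CONNECTION"), m["verb"])] = env
        elif m := OUT_RE.search(line):
            output.setdefault((m["conn"], m["verb"]), []).append(m["msg"])
        elif m := EXIT_RE.search(line):
            key = (m["conn"], m["verb"])
            env = env_by_key.get(key, {})
            findings.append({
                "connection": m["conn"], "verb": m["verb"], "status": int(m["rc"]),
                "output": output.get(key, []),
                "host_route": env.get("PLUTO_PEER_CLIENT_MASK") == "255.255.255.255",
                # Heuristic (assumption): a gateway equal to the peer must be on-link.
                "nexthop_is_peer": env.get("PLUTO_NEXT_HOP") == env.get("PLUTO_PEER"),
            })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
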