
Re: [Users] FreeS/WAN not connecting to internal (NAT) IP addresses

From: Thomas Klettke (thomask_at_aesbus.com)
Date: Thu Jul 18 2002 - 19:03:21 CEST


On Wed, 2002-07-17 at 16:20, Thomas Klettke wrote:
> On Tue, 2002-07-16 at 19:03, Sam Sgro wrote:
> >
> > On 17 Jul 2002, Thomas Klettke wrote:
> >
> > > When pinging any machine (including 192.168.2.1) on the 192.168.2.0/24
> > > subnet, I get the same "Negotiating IP Security" behavior, but then no
> > > packets come back ("Request timed out").
> > > ngrep shows packets on eth1 and ipsec0 initially (during negotiation);
> > > after the negotiation is complete there are no more packets at all
> > > showing up.
> > > I'm running
> > > ngrep -d ipsec0 dst a.b.c.e or src a.b.c.e
> > > and
> > > ngrep -d eth1 dst a.b.c.e or src a.b.c.e
> > >
> > > I'm also logging all packets from and to a.b.c.e through iptables before
> > > doing anything else to them, no packets here either during this test.
> > >
> > > The W2k client connects successfully to a friend's gateway, and machines
> > > on the 192.168.1.0 subnet behind it. Therefore I believe that the
> > > problem is not with the client but with my gateway.
> >
> >
> > I would like to see what FreeS/WAN is reporting during the negotiation
> > attempt, as well as more details from the machine itself; seeing the output
> > of the "ipsec barf" command would be very useful. However, since you've got
> > both klips and plutodebug set to "all", I would recommend you clear your
> > logs, try to connect to the subnet from the laptop, and then examine the output.
> >
> > (Use the output to quickly verify that rp_filter is set to 0 for the external
> > and ipsec interfaces and that ip_forward is set to "1". Given your description
> > of the problem, I believe they both will be correct, but it never hurts to
> > check those details quickly.)
>
> Sam,
> thanks for your response, I've been chewing on this for the last two
> weeks now.
>
> I cleared the logs, restarted ipsec on both machines, then pinged the
> outside interface (eth1 IP a.b.c.d) of my gateway from the Win2k client
> (IP a.b.c.e), then I pinged first 192.168.2.1 on the internal network,
> and then 192.168.2.10 - no replies in either case, though a tunnel
> appeared to be initiated.
> Then I "barfed" ipsec, please see the attached tarball, containing the
> output from barf and the relevant part of /var/log/messages.
>
> Thanks for taking time to help me with this.
>
> Thomas
>
Add-on:
I've done some more experiments today with this:
-Instead of the Windows client I used a Redhat/freeswan client - works
with the same gateway, including pinging the NATed 192.168.2.x
addresses!

-uninstalled Microsoft ipsecpol, deleted all policies, deleted
vpn.ebootis.de tools, rebooted Win2000, installed everything again -
same results as previously: can ping gateway's public interface through
ipsec, no replies on NATed subnet, although I can still connect to my
friend's 192.168.1.0/24 NATed subnet through his freeswan gateway (as
mentioned above)

-to rule out ANY errors on my Win2000 machine caused by previous
configurations, I installed Win2000 from scratch on a new machine (incl.
SP2 and high encryption pack) - the results are identical

-my next thought: perhaps there is something on my router that doesn't
like Win2000 packets on its ipsec interface, so I built a new router,
RH7.3, stock kernel 2.4.18-5, freeswan and kernel modules from RPMs
==> the results are absolutely identical, with both Win2000 clients

I am running out of ideas, can't figure out why my freeswan gateway will
route packets that come from another Redhat/FreeSWAN machine, but not
those coming from a Win2000 machine - despite the fact that it establishes a
tunnel to the Win2000 machine.

Hopefully someone with more insight than I have can help.

Thanks,
Thomas
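The two kernel settings Sam asks to have verified (rp_filter off on the external and ipsec interfaces, ip_forward on) can be checked mechanically. The script below is an added example, not part of the thread or of FreeS/WAN; the interface names eth1 and ipsec0 are taken from the thread, and the optional proc root argument is an assumption added so the check can be run against a constructed /proc tree.

```shell
#!/bin/sh
# Added example: verify the gateway sysctls a FreeS/WAN host needs so that
# decrypted packets are not dropped by reverse-path filtering and are forwarded.
# Usage: check_ipsec_sysctls <ext_if> <ipsec_if> [proc_root]
# proc_root defaults to /proc; pointing it elsewhere allows offline testing.
# Returns 0 when every setting is as required, 1 otherwise, listing mismatches.

# report one file: missing, wrong value, or ok (sets check_status on failure)
expect_value() {
    file="$1"
    wanted="$2"
    if [ ! -r "$file" ]; then
        echo "MISSING: $file (interface not present or no ipsec module?)"
        check_status=1
    elif [ "$(cat "$file")" != "$wanted" ]; then
        echo "BAD: $file is $(cat "$file"), want $wanted"
        check_status=1
    else
        echo "ok: $file = $wanted"
    fi
}

check_ipsec_sysctls() {
    ext_if="$1"
    ipsec_if="$2"
    proc_root="${3:-/proc}"
    base="$proc_root/sys/net/ipv4"
    check_status=0

    # forwarding must be on, or traffic for the NATed subnet dies at the gateway
    expect_value "$base/ip_forward" 1
    # rp_filter must be off on both the outside and the ipsec interface:
    # decrypted packets arrive on ipsec0 with a source address the kernel
    # would otherwise consider unreachable via that interface
    expect_value "$base/conf/$ext_if/rp_filter" 0
    expect_value "$base/conf/$ipsec_if/rp_filter" 0
    # conf/all/rp_filter is reported too; on current kernels the effective
    # value is the higher of this and the per-interface setting
    expect_value "$base/conf/all/rp_filter" 0
    return "$check_status"
}

# run directly as: sh check.sh eth1 ipsec0
if [ "$#" -ge 2 ]; then
    check_ipsec_sysctls "$@"
fi
```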

> > Sam Sgro
> > sam_at_freeswan.org



_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:24 CEST