[Users] An iproute2 problem

From: Whit Blauvelt (whit_at_transpect.com)
Date: Thu Aug 22 2002 - 03:02:55 CEST


Pretty sure I have an iproute2 configuration at one end, but baffled about
it.

tcpdump shows that traffic goes across both ipsec0 interfaces if pinging
from one side, with only this possible error message on the interface closer
to the ping source:

19:38:08.811985 truncated-ip - 30 bytes missing!whit.transpect.com > 192.168.1.22: icmp: echo request (DF)

truncated-ip?

Anyhow the other gateway sees it fine as:

19:40:51.251059 192.168.9.1 > 192.168.1.22: icmp: echo request (DF)

Trying to ping from a machine behind the other side sends _nothing_ across
either ipsec0 interface - which would also explain why pings in the first
direction aren't returned.

The strange thing is both FreeS/WAN gateways are running the same kernel and
firewall (and firewall script) and iproute2 and FS versions, and the same
definition for this connection. The only significant difference on the end
that's not sending packets through is that it has two public interfaces. The
basic routing looks okay. The side that sends through has:

192.168.1.0/24 via 216.254.75.1 dev ipsec0

and the side that doesn't has:

192.168.9.0/24 via 65.84.205.97 dev ipsec0

which are both correct.

But it's probably about those two public interfaces. I'm using a
semi-complicated routing setup to split normal outbound traffic across
those. But even putting a rule ahead of that:

# ip ru
0: from all lookup local
50: from all lookup main
200: from 192.168.1.0/24 to 192.168.9.0/24 lookup LAN
201: from 65.84.205.96/27 lookup DSL
202: from 66.95.83.208/28 lookup NAS
222: from all lookup new
32766: from all lookup main
32767: from all lookup default

and having table LAN as:

default via 65.84.205.97 dev ipsec0
prohibit default

or as:

default via 65.84.205.97 dev ipsec0 proto static src 65.84.205.100
prohibit default

still doesn't produce any joy, and the split routing across the ethX
interfaces doesn't occur until table "new", which shouldn't even be looked
at here since table LAN has "prohibit default".

Ideas? I'll admit that iproute2 is a bit of a black art to me, especially in
this interaction with FS. Thanks,
Whit
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
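As an added illustration (example code written for this archive page, not part of Whit's post or of FreeS/WAN or iproute2), the Python below models how the kernel's routing policy database walks a rule list like the `ip ru` output quoted above: rules are tried in priority order, the first table that returns a matching route ends the lookup, and a `prohibit` route ends it with a rejection instead of a next hop. The rule list is taken from the post; the table contents are assumptions for the model (`main` holds only the `192.168.9.0/24 via 65.84.205.97 dev ipsec0` route quoted in the post, `LAN` is the first variant shown, and `local`, `DSL`, `NAS`, `new` and `default` are left empty), and the source and destination hosts are constructed sample addresses. Running it shows which rule actually terminates the lookup for a LAN-to-LAN packet under those assumptions, and how the result changes when the `main` route is absent.

```python
"""Model of Linux policy-routing (RPDB) lookup order, built from the post's rules."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: str                  # "default" or a CIDR prefix
    action: str = "unicast"      # "unicast" or "prohibit"
    via: Optional[str] = None
    dev: Optional[str] = None

    def network(self):
        return ipaddress.ip_network("0.0.0.0/0" if self.prefix == "default" else self.prefix)


@dataclass
class Rule:
    prio: int
    table: str
    src: str = "all"             # "all" or a CIDR prefix (the rule's "from")
    dst: str = "all"             # "all" or a CIDR prefix (the rule's "to")

    def matches(self, s, d):
        src_ok = self.src == "all" or s in ipaddress.ip_network(self.src)
        dst_ok = self.dst == "all" or d in ipaddress.ip_network(self.dst)
        return src_ok and dst_ok


def table_lookup(routes, dst):
    """Longest-prefix match inside one table; equal prefixes keep table order."""
    best = None
    for r in routes:
        net = r.network()
        if dst in net and (best is None or net.prefixlen > best.network().prefixlen):
            best = r
    return best


def rpdb_lookup(rules, tables, src, dst):
    """Walk rules by priority; the first table with a matching route decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    trace = []
    for rule in sorted(rules, key=lambda r: r.prio):
        if not rule.matches(s, d):
            continue
        route = table_lookup(tables.get(rule.table, []), d)
        if route is None:
            trace.append(f"{rule.prio}: table {rule.table} has no route, continue")
            continue
        trace.append(f"{rule.prio}: table {rule.table} -> {route.action} {route.prefix}")
        if route.action == "prohibit":
            return {"result": "prohibit", "rule": rule.prio, "table": rule.table, "trace": trace}
        return {"result": "unicast", "rule": rule.prio, "table": rule.table,
                "via": route.via, "dev": route.dev, "trace": trace}
    return {"result": "unreachable", "rule": None, "table": None, "trace": trace}


# Rule list exactly as in the post's `ip ru` output.
RULES = [
    Rule(0, "local"), Rule(50, "main"),
    Rule(200, "LAN", src="192.168.1.0/24", dst="192.168.9.0/24"),
    Rule(201, "DSL", src="65.84.205.96/27"), Rule(202, "NAS", src="66.95.83.208/28"),
    Rule(222, "new"), Rule(32766, "main"), Rule(32767, "default"),
]

# Table contents (assumption): main carries the route quoted in the post, LAN is
# the first variant shown; local, DSL, NAS, new and default are left empty.
TABLES = {
    "main": [Route("192.168.9.0/24", via="65.84.205.97", dev="ipsec0")],
    "LAN": [Route("default", via="65.84.205.97", dev="ipsec0"),
            Route("default", action="prohibit")],
}


def with_main_route_removed(tables):
    """Same rules, but the main table no longer knows 192.168.9.0/24."""
    t = dict(tables)
    t["main"] = []
    return t


SRC, DST = "192.168.1.10", "192.168.9.5"   # constructed sample hosts

if __name__ == "__main__":
    for label, tables in (("as posted", TABLES),
                          ("main route removed", with_main_route_removed(TABLES))):
        res = rpdb_lookup(RULES, tables, SRC, DST)
        print(f"{label}: {res['result']} via rule {res['rule']} (table {res['table']})")
        for line in res["trace"]:
            print("  ", line)
```

Under these assumptions the packet from 192.168.1.10 to 192.168.9.5 is resolved by the `main` table at priority 50, so the `LAN` table at priority 200 is never consulted; only when `main` lacks that route does rule 200 (and its `prohibit default` fallback) come into play. When reading a real box, `ip route get <dst> from <src>` and `ip route show table <name>` give the kernel's own answer rather than a model's.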



This archive was generated by hypermail 2.1.4 : Thu Aug 22 2002 - 23:20:17 CEST