From: Sam Sgro (sam_at_freeswan.org)
Date: Thu Oct 03 2002 - 08:26:32 CEST
-----BEGIN PGP SIGNED MESSAGE-----
On Wed, 2 Oct 2002, Winston L. Sorfleet wrote:
> I've set up my leftnexthop on my home/local system to be the other
> side of the point-to-point interface. Negotiation proceeds OK and
> routes are built (so things seem, but are they?). I send a ping out
> to the remote system, and I see it go out on ipsec0. On the remote,
> I see the ping come in on ipsec0, and the reply goes back on ipsec0.
> On the local system, I see protocol 50 traffic incoming "ping replies"
> on ppp0 (I assume it's the ping reply, because I use a specific count
> and there is no other traffic).
Actually, what's happening is this: on your local system, your clear traffic
towards the remote system is directed to ipsec0 via the routing table. At
this stage, the data is processed, encrypted, and retransmitted over the
public interface proper as ESP (protocol 50) traffic. Ditto for the remote
system's replies.
From what I can make of your log excerpts, it looks as if decrypted traffic is
not making its way to ipsec0, but it appears to me as if you are using
iptables rules to log this traffic. I highly recommend using tcpdump/tethereal
to monitor the interfaces directly. No need to muck about with logging, and
you get a very clear picture of where packet transmission is failing.
If it is the case that encrypted traffic is arriving on ppp0 but not being
decrypted, check if ipsec is processing the packets at all. Turn up some
of the debugging options temporarily - specifically, set "klipsdebug=all" in
ipsec.conf, but turn it back to none before your log files overflow. You
should see a reaction when the ping replies arrive, if they've been "injected"
into the ipsec machinery. If not, perhaps they are being dropped - iptables
rules? Have you ensured that rp_filter is turned off for your public and
ipsecN interfaces?
--
Sam Sgro
sam_at_freeswan.org
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.
iQCVAwUBPZvjGkOSC4btEQUtAQGVuAP/Wzf7ImtML7He2AYfAcrRZVKWJPcn6oT0
V+6/Jpv0St2ZgvyMDgfctisgauZIjC7OjhN3428IW/9DjsbcWhDIxFK7IPhWHZi8
SHphYhSsFr5M0XwhY3g5MWjojL2rtYjKl8hkhWsngXn2PpzXq8GiOk8tCOilwlmL
aaUo49Bl7sg=
=xo8Z
-----END PGP SIGNATURE-----
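The two checks Sam recommends, turned into a small POSIX shell script, as an added example that is not part of the original message or of FreeS/WAN itself. It assumes the interface names from the thread (ppp0 as the public interface, ipsec0 as the KLIPS interface), that the kernel exposes rp_filter under /proc/sys/net/ipv4/conf/<iface>/rp_filter, and that tcpdump is installed; the SYSCTL_ROOT variable, the function names and the peer address 192.0.2.1 are my own choices. On current kernels the effective reverse-path setting for an interface is the larger of conf/all/rp_filter and the per-interface value, so the script checks "all" as well.

```shell
#!/bin/sh
# Added example (not from the original message or from FreeS/WAN).
# Two things to verify when ESP arrives on the public interface but no
# decrypted traffic shows up on ipsec0:
#   1. rp_filter must be 0 on the public interface, on ipsecN and on "all",
#      otherwise the kernel's reverse-path check can drop the packets silently.
#   2. Watch the interfaces directly with tcpdump instead of iptables logging:
#      protocol 50 (ESP) on the public interface, clear ICMP on ipsec0.
#
# SYSCTL_ROOT (an assumption of this script) lets the rp_filter check be pointed
# at a test directory; it defaults to the real /proc/sys tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# rp_filter_value IFACE -> prints the rp_filter value for IFACE, or "missing"
# when the kernel has no such entry (interface absent or not yet up).
rp_filter_value() {
    f="$SYSCTL_ROOT/net/ipv4/conf/$1/rp_filter"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo missing
    fi
}

# check_rp_filter IFACE... -> prints one line per interface and returns 0 only
# when every listed interface has rp_filter=0.
check_rp_filter() {
    rc=0
    for ifc in "$@"; do
        v=$(rp_filter_value "$ifc")
        case "$v" in
            0)       echo "$ifc: rp_filter=0 (ok)" ;;
            missing) echo "$ifc: no rp_filter entry (interface absent?)"; rc=1 ;;
            *)       echo "$ifc: rp_filter=$v (must be 0 for IPsec traffic)"; rc=1 ;;
        esac
    done
    return $rc
}

# esp_capture_cmd PUBLIC_IFACE PEER -> the tcpdump command that shows ESP
# (IP protocol 50) packets exchanged with PEER on the public interface.
esp_capture_cmd() {
    echo "tcpdump -n -i $1 ip proto 50 and host $2"
}

# clear_capture_cmd IPSEC_IFACE -> the tcpdump command that shows the
# decrypted ICMP (the pings and their replies) on the ipsecN interface.
clear_capture_cmd() {
    echo "tcpdump -n -i $1 icmp"
}

# Run directly as:  sh ipsec-check.sh ppp0 ipsec0 192.0.2.1
# (public interface, ipsecN interface, peer address; 192.0.2.1 is a placeholder).
if [ $# -ge 3 ]; then
    check_rp_filter all "$1" "$2"
    echo "Then run, in two terminals, and send your ping:"
    esp_capture_cmd "$1" "$3"
    clear_capture_cmd "$2"
fi
```

If the ESP capture on the public interface shows the replies but the ipsec0 capture stays empty, the packets are reaching the host and the problem lies between the interface and KLIPS (rp_filter, an iptables rule, or the SA itself), which is exactly the point at which the klipsdebug output becomes useful.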
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Fri Oct 04 2002 - 05:20:19 CEST