[Users] Tunnel established, can't ping subnet-subnet, and packet not encrypted? Help pls.

From: lito kusnadi (litomail_at_yahoo.com)
Date: Wed Oct 09 2002 - 01:32:11 CEST


Hi. I have a very confusing problem. I managed to
install freeswan from source code within a test
environment with:
-Mandrake 8.2, kernel 2.4.18-6mdk
-GMP 4.1
After the install was successful, I tried to set up a
tunnel: 2 PCs as VPN gateways, both with 2 NICs.
I named the gateways: left and right.

The "left" vpn gateway has the NIC: 192.168.0.100
(direct connection to "right" vpn gateway) and
10.10.10.100 (to connect to left subnet).

The "right" vpn gateway has the NIC: 192.168.0.200
(direct conn to "left" vpn gateway) and 10.0.0.200 (to
connect to right subnet).

Before IPSec service is started "left" can ping
10.0.0.200, and "right" can ping 10.10.10.100.

After IPSec service is started they still can do the
above.

When the "left-right" connection is UP, they won't do
the above, BUT "left" can ping 192.168.0.200, and
"right" can ping 192.168.0.100.

MORE INTERESTING, when I use tcpdump on "left" over
192.168.0.100, the ping is still in ICMP packets, not ESP
(although IPSec is running).

In summary, my ipsec.conf for the connection
definition is:
conn left-right
        left=192.168.0.100
        leftsubnet=10.10.10.0/24
        leftnexthop=192.168.0.200
        leftid=@left.vpn.test
        right=192.168.0.200
        rightsubnet=10.0.0.0/24
        rightnexthop=192.168.0.100
        rightid=@right.vpn.test
        authby=rsasig
        auto=add
        leftrsasigkey=[keyid AQOT+6P9H]
        rightrsasigkey=[keyid AQPiGQ8qP]

and the "ipsec look" output is:
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
0 10.10.10.0/24 -> 10.0.0.0/24 => tun0x1002@192.168.0.200
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        192.168.0.200   255.255.255.0   UG       40 0          0 ipsec0
192.168.0.0     0.0.0.0         255.255.255.0   U        40 0          0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U        40 0          0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U        40 0          0 ipsec0
10.10.10.0      0.0.0.0         255.255.255.0   U        40 0          0 eth1
10.10.10.0      0.0.0.0         255.255.255.0   U        40 0          0 ipsec1
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         192.168.0.200   0.0.0.0         UG       40 0          0 eth0

here's the IKE:
+ ipsec auto --status
000 interface ipsec0/eth0 192.168.0.100
000 interface ipsec1/eth1 10.10.10.100
000
000 "left-right": 10.10.10.0/24===192.168.0.100[@left.vpn.test]...192.168.0.200[@right.vpn.test]===10.0.0.0/24
000 "left-right": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "left-right": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth0; erouted
000 "left-right": newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
000
000 #2: "left-right" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27665s; newest IPSEC; eroute owner
000 #2: "left-right" esp.d084e08@192.168.0.200 esp.1185859c@192.168.0.100 tun.1002@192.168.0.200 tun.1001@192.168.0.100
000 #1: "left-right" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2753s; newest ISAKMP
000

Thank you for your help.

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
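A quick way to see which of the pings in the post can actually be protected by the tunnel is to test each source/destination pair against the selector of the installed eroute. The check below is an added example, not code from the post or from FreeS/WAN: it parses the one ipsec_eroute line quoted above (with the archive's "_at_" restored to "@") and classifies a few constructed flows. Gateway-originated traffic is assumed to leave with the ipsec0/eth0 address 192.168.0.100 as source, following the routing table shown.

```python
"""Which flows does the installed FreeS/WAN eroute cover? (added example)"""
import ipaddress
import re
from typing import List, Optional, Tuple

# One /proc/net/ipsec_eroute line: "<count> <src/len> -> <dst/len> => <SAid>"
EROUTE_RE = re.compile(r"^\s*\d+\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+)\s*$")

Eroute = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network, str]


def parse_eroute(line: str) -> Eroute:
    """Return (source selector, destination selector, SAid) for one line."""
    m = EROUTE_RE.match(line)
    if not m:
        raise ValueError(f"not an eroute line: {line!r}")
    src, dst, said = m.groups()
    return (ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False), said)


def covering_said(eroutes: List[Eroute], src: str, dst: str) -> Optional[str]:
    """SAid whose selector matches the packet, or None if no policy applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, said in eroutes:
        if s in src_net and d in dst_net:
            return said
    return None


# The eroute quoted in the post; only this one selector is installed.
EROUTE_TABLE = [parse_eroute(
    "0 10.10.10.0/24 -> 10.0.0.0/24 => tun0x1002@192.168.0.200")]

# Constructed flows matching the pings described in the post.
FLOWS = [
    ("192.168.0.100", "192.168.0.200"),  # gateway to gateway: plain ICMP on eth0
    ("192.168.0.100", "10.0.0.200"),     # gateway-originated ping, outer source
    ("10.10.10.100", "10.0.0.200"),      # same ping sourced from the inner address
    ("10.10.10.7", "10.0.0.55"),         # host behind left to host behind right
]


def classify(flows=FLOWS, eroutes=EROUTE_TABLE):
    """Map each (src, dst) to the SAid protecting it, or None when none does."""
    return {f: covering_said(eroutes, *f) for f in flows}


if __name__ == "__main__":
    for (src, dst), said in classify().items():
        print(f"{src:>14} -> {dst:<14} {said or 'no eroute matches'}")
```

Only flows whose source lies inside leftsubnet and whose destination lies inside rightsubnet match the selector, so a ping sent by the gateway from its 192.168.0.x address is outside the tunnel policy regardless of the SA state shown by ipsec auto --status.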