[Users] can't ping - last hope

From: noname45_at_gmx.de
Date: Sat Oct 26 2002 - 20:26:40 CEST


This is my configuration:

SuSE 8.0 and Windows 2000

Using FreeS/WAN IPsec 2.00pre0 with X.509 on Linux, and Marcus Mueller's Windows
IPsec tool on the Windows machines.

(E) Linux subnet 192.168.321.0
|
(D) Linux FreeSWAN X.509 Gateway + FW/NAT 201.102.218.X
|
(C) Linux machine 201.102.218.X
|
INTERNET
|
(A) Win2k/Linux Roadwarrior
|
INTERNET
|
NAT (SMC 7004 BR)
|
(B)Win2k subnet 192.168.123.0

(C) and (D) have the same 28-bit network address (different hosts).

I can establish an IPsec connection between (C) and (D) and also ping the
subnet (C) <-> (E); the ping uses the ipsec interfaces on (C) and (D).

It's just fine!!!

Problem:

Any other machine can only establish a tunnel to (D). Pinging (E) from the Linux
roadwarrior, with and without firewall/NAT, and from Windows, with and without
firewall/NAT, is not possible.

Example:

ping (E) -> (A)

The ping request leaves (E),
enters (D) on the internal interface eth1,
leaves (D) on the external interface eth0 encrypted (not encrypted on ipsec0),
reaches (A) on eth0 encrypted (decrypted on ipsec0);
the reply leaves (A) on eth0 encrypted (not encrypted on ipsec0),
but I can't see any reply on eth0 or ipsec0 of (D), only a lot of ARP traffic in
the 201.102.218.X subnet.

!!! The ping cannot reach the ipsec0 interface on the Linux gateway if the
roadwarriors have a different network address than 201.102.218.0/28 !!!

IPTABLES ON IPSEC GATEWAY:

The firewall on (D) is shut down; only the following iptables rules are installed
on the Linux FreeS/WAN gateway:

iptables -t nat -F    # flush the nat table (not the other tables)
iptables -t nat -A POSTROUTING -s 201.102.218.70 -i ipsec0 -j SNAT --to 192.168.321.67
iptables -t nat -A POSTROUTING -o eth0 -d \! 192.168.222.0/24 -j MASQUERADE

THANKS for your help!!!!!!!!!!!!!!!!

------------------------------------------------------------------------------

Here are the logs:

connection (C) <-> (E), (B) <-> (E)

ipsec eroute on (D)

terminator0:~ # ipsec eroute
0 192.168.222.0/24 (E) -> 201.102.218.72/32 (C) => tun0x1002@201.102.218.72 (C) working
0 192.168.222.0/24 (E) -> 192.168.123.157/32 (A) => tun0x1004@217.228.223.184 (A) not working ***

-------------------------------------------------------------

1.
Start the IPsec connection (C) - (D): can ping the subnet.

2.
Start the IPsec connection (B) - (D): cannot ping the subnet; no difference to
the Linux roadwarrior without firewall.

/var/log/messages on (D)

1.
Oct 22 22:02:20 terminator0 ipsec_setup: Starting FreeS/WAN IPsec
2.00pre0...
Oct 22 22:02:20 terminator0 ipsec_setup: KLIPS debug `none'
Oct 22 22:02:20 terminator0 kernel: klips_debug:ipsec_sadb_cleanup: removing
all SArefFreeList entries from circulation.
Oct 22 22:02:20 terminator0 ipsec_setup: KLIPS ipsec0 on eth0
201.102.218.70/255.255.255.0 broadcast 201.102.218.255
Oct 22 22:02:20 terminator0 ipsec__plutorun: Starting Pluto subsystem...
Oct 22 22:02:20 terminator0 Pluto[3358]: Starting Pluto (FreeS/WAN Version
2.00pre0 X.509-1.0.1)
Oct 22 22:02:20 terminator0 Pluto[3358]: | inserting event
EVENT_REINIT_SECRET, timeout in 3600 seconds
Oct 22 22:02:20 terminator0 Pluto[3358]: | inserting event EVENT_SHUNT_SCAN,
timeout in 120 seconds
Oct 22 22:02:20 terminator0 ipsec_setup: ...FreeS/WAN IPsec started
Oct 22 22:02:20 terminator0 Pluto[3358]: Changing to directory
'/etc/ipsec.d/cacerts'
Oct 22 22:02:20 terminator0 Pluto[3358]: loaded cacert file 'cacert.pem'
(1716 bytes)
Oct 22 22:02:20 terminator0 Pluto[3358]: Changing to directory
'/etc/ipsec.d/crls'
Oct 22 22:02:20 terminator0 Pluto[3358]: loaded crl file 'crl.pem' (703
bytes)
Oct 22 22:02:20 terminator0 Pluto[3358]: | next event EVENT_SHUNT_SCAN in
120 seconds
Oct 22 22:02:20 terminator0 Pluto[3358]: |
Oct 22 22:02:20 terminator0 Pluto[3358]: | *received whack message
Oct 22 22:02:20 terminator0 Pluto[3358]: loaded host cert file
'/etc/ipsec.d/certs/serverCert.pem' (1769 bytes)
Oct 22 22:02:20 terminator0 Pluto[3358]: added connection description
"internal0"
Oct 22 22:02:20 terminator0 Pluto[3358]: |
201.102.218.70/32===201.102.218.70[C=DE, ST=Germania, L=XXXXXXXXX, O=***
**201.102.218.126...%any[C=DE, CN=internal0]
Oct 22 22:02:20 terminator0 Pluto[3358]: | ike_life: 3600s; ipsec_life:
3600s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 0; policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
Oct 22 22:02:20 terminator0 Pluto[3358]: | next event EVENT_SHUNT_SCAN in
120 seconds
Oct 22 22:02:20 terminator0 Pluto[3358]: |
Oct 22 22:02:20 terminator0 Pluto[3358]: | *received whack message
Oct 22 22:02:20 terminator0 Pluto[3358]: loaded host cert file
'/etc/ipsec.d/certs/serverCert.pem' (1769 bytes)
Oct 22 22:02:20 terminator0 Pluto[3358]: added connection description
"roadwarrior-windows-home"
Oct 22 22:02:20 terminator0 Pluto[3358]: |
192.168.123.157/32===217.228.223.184[C=DE,
CN=m700]...201.102.218.126---201.102.218.70[C=DE, ST=Germania, L=XXXXXXXXX,
O=***, ******************]===192.168.222.0/24
Oct 22 22:02:20 terminator0 Pluto[3358]: | ike_life: 3600s; ipsec_life:
3600s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 0; policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
Oct 22 22:02:20 terminator0 Pluto[3358]: | next event EVENT_SHUNT_SCAN in
120 seconds
Oct 22 22:02:20 terminator0 Pluto[3358]: |
Oct 22 22:02:20 terminator0 Pluto[3358]: | *received whack message
Oct 22 22:02:20 terminator0 Pluto[3358]: loaded host cert file
'/etc/ipsec.d/certs/serverCert.pem' (1769 bytes)
Oct 22 22:02:20 terminator0 Pluto[3358]: added connection description
"roadwarrior-linux-home"
Oct 22 22:02:20 terminator0 Pluto[3358]: |
192.168.222.0/24===201.102.218.70[C=DE, ST=Germania, L=XXXXXXXXX, O=***,
******************]---201.102.218.126...%any[C=DE, CN=m700]
Oct 22 22:02:20 terminator0 Pluto[3358]: | ike_life: 3600s; ipsec_life:
3600s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 0; policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
Oct 22 22:02:20 terminator0 Pluto[3358]: | next event EVENT_SHUNT_SCAN in
120 seconds
Oct 22 22:02:21 terminator0 Pluto[3358]: |
Oct 22 22:02:21 terminator0 Pluto[3358]: | *received whack message
Oct 22 22:02:21 terminator0 Pluto[3358]: loaded host cert file
'/etc/ipsec.d/certs/serverCert.pem' (1769 bytes)
Oct 22 22:02:21 terminator0 Pluto[3358]: added connection description
"roadwarrior-windows-any"
Oct 22 22:02:21 terminator0 Pluto[3358]: |
192.168.222.0/24===201.102.218.70[C=DE, ST=Germania, L=XXXXXXXXX, O=***,
******************]---201.102.218.126...%any
Oct 22 22:02:21 terminator0 Pluto[3358]: | ike_life: 3600s; ipsec_life:
3600s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 0; policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
Oct 22 22:02:21 terminator0 Pluto[3358]: | next event EVENT_SHUNT_SCAN in
119 seconds
Oct 22 22:02:21 terminator0 Pluto[3358]: |
Oct 22 22:02:21 terminator0 Pluto[3358]: | *received whack message
Oct 22 22:02:21 terminator0 Pluto[3358]: loaded host cert file
'/etc/ipsec.d/certs/serverCert.pem' (1769 bytes)
Oct 22 22:02:21 terminator0 Pluto[3358]: added connection description
"terminator2"
Oct 22 22:02:21 terminator0 Pluto[3358]: |
192.168.222.0/24===201.102.218.70[C=DE, ST=Germania, L=XXXXXXXXX, O=***,
******************]---201.102.218.126...%any[C=DE, CN=terminator2]
Oct 22 22:02:21 terminator0 Pluto[3358]: | ike_life: 3600s; ipsec_life:
3600s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 0; policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS
Oct 22 22:02:21 terminator0 Pluto[3358]: | next event EVENT_SHUNT_SCAN in
119 seconds
Oct 22 22:02:21 terminator0 Pluto[3358]: |
Oct 22 22:02:21 terminator0 Pluto[3358]: | *received whack message
Oct 22 22:02:21 terminator0 Pluto[3358]: listening for IKE messages
Oct 22 22:02:21 terminator0 Pluto[3358]: | found lo with address 127.0.0.1
Oct 22 22:02:21 terminator0 Pluto[3358]: | found ipsec0 with address
201.102.218.70
Oct 22 22:02:21 terminator0 Pluto[3358]: | found eth0 with address
201.102.218.70
Oct 22 22:02:21 terminator0 Pluto[3358]: | found eth1 with address
192.168.321.67
Oct 22 22:02:21 terminator0 Pluto[3358]: | IP interface eth1 192.168.321.67
has no matching ipsec* interface -- ignored
Oct 22 22:02:21 terminator0 Pluto[3358]: adding interface ipsec0/eth0
201.102.218.70
Oct 22 22:02:21 terminator0 Pluto[3358]: | IP interface lo 127.0.0.1 has no
matching ipsec* interface -- ignored
Oct 22 22:02:21 terminator0 Pluto[3358]: | found lo with address
0000:0000:0000:0000:0000:0000:0000:0001
Oct 22 22:02:21 terminator0 Pluto[3358]: | IP interface lo ::1 has no
matching ipsec* interface -- ignored
Oct 22 22:02:21 terminator0 Pluto[3358]: loading secrets from
"/etc/ipsec.secrets"
Oct 22 22:02:21 terminator0 Pluto[3358]: loaded private key file
'/etc/ipsec.d/private/serverKey.pem' (1743 bytes)
Oct 22 22:02:21 terminator0 Pluto[3358]: | next event EVENT_SHUNT_SCAN in
119 seconds
Oct 22 22:02:29 terminator0 kernel: ipsec0: no IPv6 routers present
Oct 22 22:02:29 terminator0 Pluto[3358]: |
Oct 22 22:02:29 terminator0 Pluto[3358]: | *received 176 bytes from
201.102.218.72:500 on eth0
Oct 22 22:02:29 terminator0 Pluto[3358]: | instantiated "internal0" for
201.102.218.72
Oct 22 22:02:29 terminator0 Pluto[3358]: | creating state object #1 at
0x80b0018
Oct 22 22:02:29 terminator0 Pluto[3358]: | ICOOKIE: ad 05 27 44 9e f8 97 98
Oct 22 22:02:29 terminator0 Pluto[3358]: | RCOOKIE: 0c 76 5b 5f ec 25 8b 68
Oct 22 22:02:29 terminator0 Pluto[3358]: | peer: 8d 54 da 48
Oct 22 22:02:29 terminator0 Pluto[3358]: | state hash entry 31
Oct 22 22:02:29 terminator0 Pluto[3358]: | inserting event EVENT_SO_DISCARD,
timeout in 0 seconds for #1
Oct 22 22:02:29 terminator0 Pluto[3358]: "internal0"[1] 201.102.218.72 #1:
responding to Main Mode from unknown peer 201.102.218.72
Oct 22 22:02:29 terminator0 Pluto[3358]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #1
Oct 22 22:02:29 terminator0 Pluto[3358]: | next event EVENT_RETRANSMIT in 10
seconds for #1
Oct 22 22:02:29 terminator0 Pluto[3358]: |
Oct 22 22:02:29 terminator0 Pluto[3358]: | *received 244 bytes from
201.102.218.72:500 on eth0
Oct 22 22:02:29 terminator0 Pluto[3358]: | ICOOKIE: 2d 65 75 44 9e f8 97 98
Oct 22 22:02:29 terminator0 Pluto[3358]: | RCOOKIE: 0c 23 5b 5f ec 25 8b 68
Oct 22 22:02:29 terminator0 Pluto[3358]: | peer: 8d 53 da 48
Oct 22 22:02:29 terminator0 Pluto[3358]: | state hash entry 31
Oct 22 22:02:29 terminator0 Pluto[3358]: | state object #1 found, in
STATE_MAIN_R1
Oct 22 22:02:29 terminator0 Pluto[3358]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #1
Oct 22 22:02:29 terminator0 Pluto[3358]: | next event EVENT_RETRANSMIT in 10
seconds for #1
Oct 22 22:02:30 terminator0 Pluto[3358]: |
Oct 22 22:02:30 terminator0 Pluto[3358]: | *received 1460 bytes from
201.102.218.72:500 on eth0
Oct 22 22:02:30 terminator0 Pluto[3358]: | ICOOKIE: ad 05 73 44 9e f3 97 98
Oct 22 22:02:30 terminator0 Pluto[3358]: | RCOOKIE: 0c 2b 5b 5f ec 35 8b 68
Oct 22 22:02:30 terminator0 Pluto[3358]: | peer: 8d 54 da 4b
Oct 22 22:02:30 terminator0 Pluto[3358]: | state hash entry 31
Oct 22 22:02:30 terminator0 Pluto[3358]: | state object #1 found, in
STATE_MAIN_R2
Oct 22 22:02:30 terminator0 Pluto[3358]: "internal0"[1] 201.102.218.72 #1:
Peer ID is ID_DER_ASN1_DN: 'C=DE, CN=terminator2'
Oct 22 22:02:30 terminator0 Pluto[3358]: | switched from "internal0" to
"terminator2"
Oct 22 22:02:30 terminator0 Pluto[3358]: | instantiated "terminator2" for
201.102.218.72
Oct 22 22:02:30 terminator0 Pluto[3358]: "terminator2"[1] 201.102.218.72 #1:
deleting connection "internal0" instance with peer 201.102.218.72
Oct 22 22:02:30 terminator0 Pluto[3358]: | an RSA Sig check passed with
*AwEAAawdP [preloaded key]
Oct 22 22:02:30 terminator0 Pluto[3358]: | signing hash with RSA Key
*AwEAAbHlS
Oct 22 22:02:30 terminator0 Pluto[3358]: | inserting event EVENT_SA_REPLACE,
timeout in 3330 seconds for #1
Oct 22 22:02:30 terminator0 Pluto[3358]: "terminator2"[1] 201.102.218.72 #1:
sent MR3, ISAKMP SA established
Oct 22 22:02:30 terminator0 Pluto[3358]: | next event EVENT_SHUNT_SCAN in
110 seconds
Oct 22 22:02:30 terminator0 Pluto[3358]: |
Oct 22 22:02:30 terminator0 Pluto[3358]: | *received 380 bytes from
201.102.218.72:500 on eth0
Oct 22 22:02:30 terminator0 Pluto[3358]: | ICOOKIE: ad 05 7b 44 9e f8 97 98
Oct 22 22:02:30 terminator0 Pluto[3358]: | RCOOKIE: 0c 2b 5b 5f ec 25 8b 68
Oct 22 22:02:30 terminator0 Pluto[3358]: | peer: 8d 54 da 32
Oct 22 22:02:30 terminator0 Pluto[3358]: | state hash entry 30
Oct 22 22:02:30 terminator0 Pluto[3358]: | state object not found
Oct 22 22:02:30 terminator0 Pluto[3358]: | ICOOKIE: ad 05 77 44 9e f8 57 98
Oct 22 22:02:30 terminator0 Pluto[3358]: | RCOOKIE: 0c 23 5b 5f ec 25 8b 28
Oct 22 22:02:30 terminator0 Pluto[3358]: | peer: 8d 54 da 48
Oct 22 22:02:30 terminator0 Pluto[3358]: | state hash entry 31
Oct 22 22:02:30 terminator0 Pluto[3358]: | state object #1 found, in
STATE_MAIN_R3
Oct 22 22:02:30 terminator0 Pluto[3358]: | peer client is subnet
201.102.218.72/32
Oct 22 22:02:30 terminator0 Pluto[3358]: | our client is subnet
192.168.222.0/24
Oct 22 22:02:30 terminator0 Pluto[3358]: | duplicating state object #1
Oct 22 22:02:30 terminator0 Pluto[3358]: | creating state object #2 at
0x80b09d0
Oct 22 22:02:30 terminator0 Pluto[3358]: | ICOOKIE: ad 05 77 44 9e f8 97 27
Oct 22 22:02:30 terminator0 Pluto[3358]: | RCOOKIE: 0c 23 5b 5f ec 25 8b 68
Oct 22 22:02:30 terminator0 Pluto[3358]: | peer: 8d 54 da 48
Oct 22 22:02:30 terminator0 Pluto[3358]: | state hash entry 31
Oct 22 22:02:30 terminator0 Pluto[3358]: | inserting event EVENT_SO_DISCARD,
timeout in 0 seconds for #2
Oct 22 22:02:30 terminator0 Pluto[3358]: | generate SPI: 30 07 6e c1
Oct 22 22:02:30 terminator0 Pluto[3358]: "terminator2"[1] 201.102.218.72 #2:
responding to Quick Mode
Oct 22 22:02:30 terminator0 Pluto[3358]: | route owner of "terminator2"[1]
201.102.218.72 unrouted: NULL; eroute owner: NULL
Oct 22 22:02:30 terminator0 Pluto[3358]: | add inbound eroute
201.102.218.72/32 -> 192.168.222.0/24 => tun.1001@201.102.218.70
Oct 22 22:02:30 terminator0 Pluto[3358]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #2
Oct 22 22:02:30 terminator0 Pluto[3358]: | next event EVENT_RETRANSMIT in 10
seconds for #2
Oct 22 22:02:31 terminator0 Pluto[3358]: |
Oct 22 22:02:31 terminator0 Pluto[3358]: | *received 52 bytes from
201.102.218.72:500 on eth0
Oct 22 22:02:31 terminator0 Pluto[3358]: | ICOOKIE: ad 05 77 44 9e f8 97 98
Oct 22 22:02:31 terminator0 Pluto[3358]: | RCOOKIE: 0c 23 5b 5f ec 25 8b 68
Oct 22 22:02:31 terminator0 Pluto[3358]: | peer: 8d 54 da 48
Oct 22 22:02:31 terminator0 Pluto[3358]: | state hash entry 31
Oct 22 22:02:31 terminator0 Pluto[3358]: | state object #2 found, in
STATE_QUICK_R1
Oct 22 22:02:31 terminator0 Pluto[3358]: | route owner of "terminator2"[1]
201.102.218.72 unrouted: NULL; eroute owner: NULL
Oct 22 22:02:31 terminator0 Pluto[3358]: | route owner of "terminator2"[1]
201.102.218.72 unrouted: NULL; eroute owner: NULL
Oct 22 22:02:31 terminator0 Pluto[3358]: | add eroute 192.168.222.0/24 ->
201.102.218.72/32 => tun.1002@201.102.218.72
Oct 22 22:02:31 terminator0 Pluto[3358]: | executing up-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='terminator2'
PLUTO_NEXT_HOP='201.102.218.126' PLUTO_INTERFACE='ipsec0'
PLUTO_ME='201.102.218.70'
PLUTO_MY_ID='C=DE, ST=Germania, L=XXXXXXXXX, O=***, ******************'
PLUTO_MY_CLIENT='192.168.222.0/24' PLUTO_MY_CLIENT_NET='192.168.222.0'
PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0'
PLUTO_PEER='201.102.218.72' PLUTO_PEER_ID='C=DE, CN=terminator2'
PLUTO_PEER_CLIENT='201.102.218.72/32' PLUTO_PEER_CLIENT_NET='201.102.218.72'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' ipsec _updown
Oct 22 22:02:31 terminator0 Pluto[3358]: | executing prepare-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='terminator2'
PLUTO_NEXT_HOP='201.102.218.126' PLUTO_INTERFACE='ipsec0'
PLUTO_ME='201.102.218.70'
PLUTO_MY_ID='C=DE, ST=Germania, L=XXXXXXXXX, O=***, ******************'
PLUTO_MY_CLIENT='192.168.222.0/24' PLUTO_MY_CLIENT_NET='192.168.222.0'
PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0'
PLUTO_PEER='201.102.218.72' PLUTO_PEER_ID='C=DE, CN=terminator2'
PLUTO_PEER_CLIENT='201.102.218.72/32' PLUTO_PEER_CLIENT_NET='201.102.218.72'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' ipsec _updown
Oct 22 22:02:31 terminator0 Pluto[3358]: | executing route-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='terminator2'
PLUTO_NEXT_HOP='201.102.218.126' PLUTO_INTERFACE='ipsec0'
PLUTO_ME='201.102.218.70'
PLUTO_MY_ID='C=DE, ST=Germania, L=XXXXXXXXX, O=***, ******************'
PLUTO_MY_CLIENT='192.168.222.0/24' PLUTO_MY_CLIENT_NET='192.168.222.0'
PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0'
PLUTO_PEER='201.102.218.72' PLUTO_PEER_ID='C=DE, CN=terminator2'
PLUTO_PEER_CLIENT='201.102.218.72/32' PLUTO_PEER_CLIENT_NET='201.102.218.72'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' ipsec _updown
Oct 22 22:02:31 terminator0 Pluto[3358]: | inserting event EVENT_SA_REPLACE,
timeout in 3330 seconds for #2
Oct 22 22:02:31 terminator0 Pluto[3358]: "terminator2"[1] 201.102.218.72 #2:
IPsec SA established

2.

Oct 22 22:02:31 terminator0 Pluto[3358]: | next event EVENT_SHUNT_SCAN in
109 seconds
Oct 22 22:02:56 terminator0 Pluto[3358]: |
Oct 22 22:02:56 terminator0 Pluto[3358]: | *received 216 bytes from
217.228.223.184:500 on eth0
Oct 22 22:02:56 terminator0 Pluto[3358]: packet from 217.228.223.184:500:
received Vendor ID Payload; ASCII hash: \036+Qi\005\031\034}|\026|?5\007da
Oct 22 22:02:56 terminator0 Pluto[3358]: | creating state object #3 at
0x80b07e8
Oct 22 22:02:56 terminator0 Pluto[3358]: | ICOOKIE: 76 25 28 80 b9 e3 c3 97
Oct 22 22:02:56 terminator0 Pluto[3358]: | RCOOKIE: 89 eb d9 b6 0c e4 6f 44
Oct 22 22:02:56 terminator0 Pluto[3358]: | peer: d9 e4 df b8
Oct 22 22:02:56 terminator0 Pluto[3358]: | state hash entry 0
Oct 22 22:02:56 terminator0 Pluto[3358]: | inserting event EVENT_SO_DISCARD,
timeout in 0 seconds for #3
Oct 22 22:02:56 terminator0 Pluto[3358]: "roadwarrior-windows-home" #3:
responding to Main Mode
Oct 22 22:02:56 terminator0 Pluto[3358]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #3
Oct 22 22:02:56 terminator0 Pluto[3358]: | next event EVENT_RETRANSMIT in 10
seconds for #3
Oct 22 22:02:56 terminator0 Pluto[3358]: |
Oct 22 22:02:56 terminator0 Pluto[3358]: | *received 184 bytes from
217.228.223.184:500 on eth0
Oct 22 22:02:56 terminator0 Pluto[3358]: | ICOOKIE: 76 25 28 80 b9 e3 c3 97
Oct 22 22:02:56 terminator0 Pluto[3358]: | RCOOKIE: 89 eb d9 b6 0c e4 6f 44
Oct 22 22:02:56 terminator0 Pluto[3358]: | peer: d9 e4 df b8
Oct 22 22:02:56 terminator0 Pluto[3358]: | state hash entry 0
Oct 22 22:02:56 terminator0 Pluto[3358]: | state object #3 found, in
STATE_MAIN_R1
Oct 22 22:02:56 terminator0 Pluto[3358]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #3
Oct 22 22:02:56 terminator0 Pluto[3358]: | next event EVENT_RETRANSMIT in 10
seconds for #3
Oct 22 22:02:57 terminator0 Pluto[3358]: |
Oct 22 22:02:57 terminator0 Pluto[3358]: | *received 1612 bytes from
217.228.223.184:500 on eth0
Oct 22 22:02:57 terminator0 Pluto[3358]: | ICOOKIE: 76 25 28 80 b9 e3 c3 97
Oct 22 22:02:57 terminator0 Pluto[3358]: | RCOOKIE: 89 eb d9 b6 0c e4 6f 44
Oct 22 22:02:57 terminator0 Pluto[3358]: | peer: d9 e4 df b8
Oct 22 22:02:57 terminator0 Pluto[3358]: | state hash entry 0
Oct 22 22:02:57 terminator0 Pluto[3358]: | state object #3 found, in
STATE_MAIN_R2
Oct 22 22:02:57 terminator0 Pluto[3358]: "roadwarrior-windows-home" #3: Peer
ID is ID_DER_ASN1_DN: 'C=DE, CN=m700'
Oct 22 22:02:57 terminator0 Pluto[3358]: | an RSA Sig check passed with
*AwEAAc0gT [preloaded key]
Oct 22 22:02:57 terminator0 Pluto[3358]: | signing hash with RSA Key
*AwEAAbHlS
Oct 22 22:02:57 terminator0 Pluto[3358]: | inserting event EVENT_SA_REPLACE,
timeout in 3330 seconds for #3
Oct 22 22:02:57 terminator0 Pluto[3358]: "roadwarrior-windows-home" #3: sent
MR3, ISAKMP SA established
Oct 22 22:02:57 terminator0 Pluto[3358]: | next event EVENT_SHUNT_SCAN in 83
seconds
Oct 22 22:02:57 terminator0 Pluto[3358]: |
Oct 22 22:02:57 terminator0 Pluto[3358]: | *received 308 bytes from
217.228.223.184:500 on eth0
Oct 22 22:02:57 terminator0 Pluto[3358]: | ICOOKIE: 76 25 28 80 b9 e3 c3 97
Oct 22 22:02:57 terminator0 Pluto[3358]: | RCOOKIE: 89 eb d9 b6 0c e4 6f 44
Oct 22 22:02:57 terminator0 Pluto[3358]: | peer: d9 e4 df b8
Oct 22 22:02:57 terminator0 Pluto[3358]: | state hash entry 0
Oct 22 22:02:57 terminator0 Pluto[3358]: | state object not found
Oct 22 22:02:57 terminator0 Pluto[3358]: | ICOOKIE: 76 25 28 80 b9 e3 c3 97
Oct 22 22:02:57 terminator0 Pluto[3358]: | RCOOKIE: 89 eb d9 b6 0c e4 6f 44
Oct 22 22:02:57 terminator0 Pluto[3358]: | peer: d9 e4 df b8
Oct 22 22:02:57 terminator0 Pluto[3358]: | state hash entry 0
Oct 22 22:02:57 terminator0 Pluto[3358]: | state object #3 found, in
STATE_MAIN_R3
Oct 22 22:02:57 terminator0 Pluto[3358]: | peer client is 192.168.123.157/32
Oct 22 22:02:57 terminator0 Pluto[3358]: | our client is subnet
192.168.222.0/24
Oct 22 22:02:57 terminator0 Pluto[3358]: | duplicating state object #3
Oct 22 22:02:57 terminator0 Pluto[3358]: | creating state object #4 at
0x80b2388
Oct 22 22:02:57 terminator0 Pluto[3358]: | ICOOKIE: 76 25 28 80 b9 e3 c3 97
Oct 22 22:02:57 terminator0 Pluto[3358]: | RCOOKIE: 89 eb d9 b6 0c e4 6f 44
Oct 22 22:02:57 terminator0 Pluto[3358]: | peer: d9 e4 df b8
Oct 22 22:02:57 terminator0 Pluto[3358]: | state hash entry 0
Oct 22 22:02:57 terminator0 Pluto[3358]: | inserting event EVENT_SO_DISCARD,
timeout in 0 seconds for #4
Oct 22 22:02:57 terminator0 Pluto[3358]: | generate SPI: 30 07 6e c2
Oct 22 22:02:57 terminator0 Pluto[3358]: "roadwarrior-windows-home" #4:
responding to Quick Mode
Oct 22 22:02:57 terminator0 Pluto[3358]: | route owner of
"roadwarrior-windows-home" unrouted: NULL
Oct 22 22:02:57 terminator0 Pluto[3358]: | route owner of
"roadwarrior-windows-home" unrouted: NULL; eroute owner: NULL
Oct 22 22:02:57 terminator0 Pluto[3358]: | add inbound eroute
192.168.123.157/32 -> 192.168.222.0/24 => tun.1003@201.102.218.70
Oct 22 22:02:57 terminator0 Pluto[3358]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #4
Oct 22 22:02:57 terminator0 Pluto[3358]: | next event EVENT_RETRANSMIT in 10
seconds for #4
Oct 22 22:02:57 terminator0 Pluto[3358]: |
Oct 22 22:02:57 terminator0 Pluto[3358]: | *received 52 bytes from
217.228.223.184:500 on eth0
Oct 22 22:02:57 terminator0 Pluto[3358]: | ICOOKIE: 76 25 28 80 b9 e3 c3 97
Oct 22 22:02:57 terminator0 Pluto[3358]: | RCOOKIE: 89 eb d9 b6 0c e4 6f 44
Oct 22 22:02:57 terminator0 Pluto[3358]: | peer: d9 e4 df b8
Oct 22 22:02:57 terminator0 Pluto[3358]: | state hash entry 0
Oct 22 22:02:57 terminator0 Pluto[3358]: | state object #4 found, in
STATE_QUICK_R1
Oct 22 22:02:57 terminator0 Pluto[3358]: | route owner of
"roadwarrior-windows-home" unrouted: NULL; eroute owner: NULL
Oct 22 22:02:57 terminator0 Pluto[3358]: | route owner of
"roadwarrior-windows-home" unrouted: NULL; eroute owner: NULL
Oct 22 22:02:57 terminator0 Pluto[3358]: | add eroute 192.168.222.0/24 ->
192.168.123.157/32 => tun.1004@217.228.223.184
Oct 22 22:02:57 terminator0 Pluto[3358]: | executing up-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='up-client'
PLUTO_CONNECTION='roadwarrior-windows-home' PLUTO_NEXT_HOP='201.102.218.126'
PLUTO_INTERFACE='ipsec0' PLUTO_ME='201.102.218.70'
PLUTO_MY_ID='C=DE, ST=Germania, L=XXXXXXXXX, O=***, ******************'
PLUTO_MY_CLIENT='192.168.222.0/24' PLUTO_MY_CLIENT_NET='192.168.222.0'
PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0'
PLUTO_PEER='217.228.223.184' PLUTO_PEER_ID='C=DE, CN=m700'
PLUTO_PEER_CLIENT='192.168.123.157/32' PLUTO_PEER_CLIENT_NET='192.168.123.157'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' ipsec _updown
Oct 22 22:02:57 terminator0 Pluto[3358]: | executing prepare-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client'
PLUTO_CONNECTION='roadwarrior-windows-home' PLUTO_NEXT_HOP='201.102.218.126'
PLUTO_INTERFACE='ipsec0' PLUTO_ME='201.102.218.70'
PLUTO_MY_ID='C=DE, ST=Germania, L=XXXXXXXXX, O=***, ******************'
PLUTO_MY_CLIENT='192.168.222.0/24' PLUTO_MY_CLIENT_NET='192.168.222.0'
PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0'
PLUTO_PEER='217.228.223.184' PLUTO_PEER_ID='C=DE, CN=m700'
PLUTO_PEER_CLIENT='192.168.123.157/32' PLUTO_PEER_CLIENT_NET='192.168.123.157'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' ipsec _updown
Oct 22 22:02:57 terminator0 Pluto[3358]: | executing route-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='route-client'
PLUTO_CONNECTION='roadwarrior-windows-home' PLUTO_NEXT_HOP='201.102.218.126'
PLUTO_INTERFACE='ipsec0' PLUTO_ME='201.102.218.70'
PLUTO_MY_ID='C=DE, ST=Germania, L=XXXXXXXXX, O=***, ******************'
PLUTO_MY_CLIENT='192.168.222.0/24' PLUTO_MY_CLIENT_NET='192.168.222.0'
PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0'
PLUTO_PEER='217.228.223.184' PLUTO_PEER_ID='C=DE, CN=m700'
PLUTO_PEER_CLIENT='192.168.123.157/32' PLUTO_PEER_CLIENT_NET='192.168.123.157'
PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' ipsec _updown
Oct 22 22:02:57 terminator0 Pluto[3358]: | inserting event EVENT_SA_REPLACE,
timeout in 3330 seconds for #4
Oct 22 22:02:57 terminator0 Pluto[3358]: "roadwarrior-windows-home" #4:
IPsec SA established

There aren't any errors in the /var/log/messages log files on (A), (B), (C), (D).

------------------------------------------------------------------------------------------

ipsec.conf (D):

config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    forwardcontrol=yes
    interfaces=%defaultroute
    #interfaces="ipsec0=eth0"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=control
    # Use auto= parameters in conn descriptions to control startup
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

conn %default
    keylife=1h
    keyingtries=0
    authby=rsasig
    compress=yes
    disablearrivalcheck=no
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    rightcert=serverCert.pem
    right=%defaultroute
    rightid="C=DE, ST=Germania, L=XXXXXXXXX, O=......................."

conn internal0
    rightsubnet=201.102.218.70/32
    #left=201.102.218.70
    #leftnexthop=%defaultroute
    left=%any
    #leftsubnet=192.168.321.8/32
    leftid="C=DE, CN=internal0"
    pfs=yes
    auto=add

conn terminator2
    #rightsubnet=201.102.70/32
    rightsubnet=192.168.222.0/24
    #leftnexthop=%defaultroute
    left=%any
    #leftsubnet=201.102.218.72/32
    leftid="C=DE, CN=terminator2"
    pfs=yes
    auto=add

conn roadwarrior-windows-home
    rightsubnet=192.168.222.0/24
    left=XXXXXXX.net
    leftsubnet=192.168.123.157/32
    #leftfirewall=yes
    leftid="C=DE, CN=m700"
    #leftcert=m700Cert.pem
    pfs=yes
    auto=add

conn roadwarrior-linux-home
    rightsubnet=192.168.222.0/24
    #left=XXXXXX.net
    left=%any
    #leftsubnet=192.168.123.0/24
    #leftsubnet=192.168.123.157/32
    #leftfirewall=yes
    #leftnexthop=212.185.252.201
    leftid="C=DE, CN=m700"
    #leftcert=m700Cert.pem
    pfs=yes
    auto=add

conn roadwarrior-windows-any
    #leftsubnet=0/0
    #rightsubnet=192.168.222.0/24
    rightsubnet=192.168.222.0/24
    #rightsubnet=201.102.218.70/32
    #rightsubnet=192.168.222.0/24
    #rightnexthop=201.102.218.126
    #rightfirewall=yes
    left=%any
    #leftsubnet=192.168.6.0/26
    #leftfirewall=yes
    #leftnexthop=129.187.254.23
    #leftsubnet=129.187.
    #leftid="C=DE, CN=m700"
    #leftcert=m700Cert.pem
    pfs=yes
    auto=add

----------------------------------------------------

ipsec.conf on (C)

config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    forwardcontrol=yes
    interfaces=%defaultroute
    #interfaces="ipsec0=eth1"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

conn terminator2-terminator0
    keylife=1h
    keyingtries=0
    authby=rsasig
    left=%defaultroute
    leftcert=clientCert.pem
    leftid="C=DE, CN=terminator2"
    #leftrsasigkey=%cert
    right=201.102.218.70
    #rightsubnet=201.102.218.70/32
    rightsubnet=192.168.222.0/24
    #rightnexthop=201.102.218.126
    rightrsasigkey=%cert
    rightid="C=DE, ST=Germania, L=XXXXXXXXX, ****************N=terminator0.xxxxxxxxxxxxxxxxxxxx/Email=abc@abc.com"
    pfs=yes
    auto=start

-----------------------------------------------------------

ipsec.conf on (B)

conn roadwarrior-windows-home
    left=%any
    #leftsubnet=192.168.123.0/24
    right=201.102.218.70
    rightsubnet=192.168.222.0/24
    #rightrsasigkey=%cert
    rightca="C=DE, S=Germania, L=XXXXXXXXX, ****************N=XXXXXXXXXXXXXXXX, E=abc@abc.com"
    network=auto
    auto=start
    pfs=yes

conn roadwarrior-windows-any
    left=%any
    right=201.102.218.70
    rightsubnet=192.168.222.0/24
    #rightrsasigkey=%cert
    rightca="C=DE, S=Germania, L=XXXXXXXXX, ****************N=XXXXXXXXXXXXXXXX, E=abc@abc.com"
    network=auto
    auto=start
    pfs=yes

--------------------------------------------------------------

ping (B) <-> (E)

windows 2000 output:

C:\Programme\VPN>ping 192.168.321.8

Pinging 192.168.321.8 with 32 bytes of data:

Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.

Ping statistics for 192.168.321.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milliseconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Programme\VPN>ping 192.168.321.8

Pinging 192.168.321.8 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.321.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milliseconds:
    Min

-- 
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
NEU: Mit GMX ins Internet. Rund um die Uhr für 1 ct/ Min. surfen!
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
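The post above gives two pieces of gateway state side by side, Pluto's interface scan and "IPsec SA established" lines from /var/log/messages, and the `ipsec eroute` table, without cross-checking them. The following script, an added example that is not code from the original post nor from the FreeS/WAN project, parses both formats and runs the consistency checks a practitioner would make before debugging packet flow: whether any gateway interface actually lies inside the "our client" selector of each outbound eroute (the log above reports eth1 as 192.168.321.67 while every eroute has 192.168.222.0/24 as its source selector), whether a peer's inner address is private behind a public tunnel endpoint (the road warrior behind the SMC NAT box), whether the two selectors overlap, and whether every established SA has an outbound eroute at all. The sample input is constructed to mirror the post's formats; the eth1 address 192.168.200.67 is a made-up, parseable stand-in for the sanitised 192.168.321.67, and the regex accepts both the real `tun0x1004@peer` spelling and the archive's `_at_` rewrite.

```python
"""Cross-check the tunnels a FreeS/WAN gateway has negotiated against the
interfaces it has, from Pluto lines in /var/log/messages and `ipsec eroute`
output.  Added example, not code from the post or from FreeS/WAN.  Sample
input is constructed in the post's formats; the eth1 address is a made-up,
parseable stand-in for the post's sanitised 192.168.321.67.
"""
import ipaddress
import re
from dataclasses import dataclass

PLUTO_LOG = """\
Oct 22 22:02:21 terminator0 Pluto[3358]: | found eth0 with address 201.102.218.70
Oct 22 22:02:21 terminator0 Pluto[3358]: | found eth1 with address 192.168.200.67
Oct 22 22:02:21 terminator0 Pluto[3358]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
Oct 22 22:02:31 terminator0 Pluto[3358]: "terminator2"[1] 201.102.218.72 #2: IPsec SA established
Oct 22 22:02:57 terminator0 Pluto[3358]: "roadwarrior-windows-home" #4: IPsec SA established
"""
EROUTE_OUTPUT = """\
0 192.168.222.0/24 -> 201.102.218.72/32 => tun0x1002@201.102.218.72
0 192.168.222.0/24 -> 192.168.123.157/32 => tun0x1004@217.228.223.184
"""

IFACE_RE = re.compile(r"found (\S+) with address (\S+)")
SA_RE = re.compile(r'"([^"]+)"(?:\[\d+\] (\S+))? #\d+: IPsec SA established')
# `ipsec eroute` prints tun0x<spi>@<peer>; list archives rewrite the @ as _at_.
EROUTE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s+tun0x([0-9a-f]+)(?:@|_at_)(\S+)")


@dataclass(frozen=True)
class Tunnel:
    our_client: ipaddress.IPv4Network   # source selector, our side
    peer_client: ipaddress.IPv4Network  # destination selector, their side
    peer: ipaddress.IPv4Address         # outer address ESP is sent to
    spi: str
    packets: int                        # first column of `ipsec eroute`


def parse_interfaces(log: str) -> dict:
    """Interface name -> IPv4 address from Pluto's interface scan; the IPv6
    loopback entry is skipped because KLIPS 2.00 eroutes are IPv4 only."""
    found = {}
    for m in IFACE_RE.finditer(log):
        addr = ipaddress.ip_address(m.group(2))
        if addr.version == 4:
            found[m.group(1)] = addr
    return found


def parse_established(log: str) -> list:
    """(conn name, peer or None) per "IPsec SA established".  Instantiated
    road-warrior conns carry "name"[n] <peer>; fixed-peer conns show no peer."""
    return [(m.group(1), m.group(2)) for m in SA_RE.finditer(log)]


def parse_eroutes(text: str) -> list:
    tunnels = []
    for m in filter(None, map(EROUTE_RE.match, text.splitlines())):
        tunnels.append(Tunnel(
            our_client=ipaddress.ip_network(m.group(2), strict=False),
            peer_client=ipaddress.ip_network(m.group(3), strict=False),
            peer=ipaddress.ip_address(m.group(5)),
            spi=m.group(4), packets=int(m.group(1))))
    return tunnels


def check_tunnels(tunnels: list, ifaces: dict) -> list:
    """(peer_client, code, message) findings for every outbound eroute."""
    findings = []
    for t in tunnels:
        key = str(t.peer_client)
        # An eroute only catches packets whose source lies in our_client; if no
        # gateway interface sits in that subnet, the LAN it should protect is
        # probably another one (a subnet routed via a further router excepted).
        if not any(a in t.our_client for a in ifaces.values()):
            findings.append((key, "LAN_NOT_LOCAL",
                f"no gateway interface inside {t.our_client}; packets from the "
                f"real LAN will never select tun0x{t.spi}"))
        # Private inner address behind a public outer address: the peer is
        # NATed, and plain ESP (IP protocol 50) must survive that NAT both ways.
        if t.peer_client.is_private and not t.peer.is_private:
            findings.append((key, "PEER_BEHIND_NAT",
                f"peer client {t.peer_client} is private but endpoint {t.peer} "
                f"is public; check ESP passes the NAT in both directions"))
        if t.our_client.overlaps(t.peer_client):   # almost always a config error
            findings.append((key, "SELECTOR_OVERLAP",
                f"{t.our_client} overlaps {t.peer_client}"))
    return findings


def established_without_eroute(established: list, tunnels: list) -> list:
    """Conns Pluto calls established but with no outbound eroute to their
    peer: the SA is up, yet no packet is ever steered into it."""
    peers = {str(t.peer) for t in tunnels}
    return [n for n, p in established if p is not None and p not in peers]


if __name__ == "__main__":
    ifaces, tunnels = parse_interfaces(PLUTO_LOG), parse_eroutes(EROUTE_OUTPUT)
    for key, code, msg in check_tunnels(tunnels, ifaces):
        print(f"{code:16} {key:20} {msg}")
    for n in established_without_eroute(parse_established(PLUTO_LOG), tunnels):
        print(f"{'NO_EROUTE':16} {n}")
```

On a real gateway, replace the two constants with the output of `ipsec eroute` and the Pluto lines from /var/log/messages; the interface scan and the "IPsec SA established" lines appear at plutodebug=control, as in the post. The first check does not prove a misconfiguration on its own (a protected subnet may legitimately sit behind another router), but when it fires for every tunnel, as it does for the sample, the selector and the LAN address family are the first things to reconcile before chasing the missing reply packets.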


This archive was generated by hypermail 2.1.5 : Wed Oct 30 2002 - 05:20:34 CET