[Users] No data is sent over ipsec0

From: Manfred Dohmen (manfred.dohmen_at_hahm.biz)
Date: Thu Oct 31 2002 - 14:47:35 CET


Hello.

I've got a little problem :) I'm working with Freeswan 1.95 + X.509 patch.
With this setup I try to set up a connection between two dialup-hosts that
connect to the internet via dsl.

When the connection is established, obviously no data goes through the
tunnel.

The first one (my server-side) connects via ppp and has the following setup:

dummy0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:194.122.120.252  Bcast:194.122.120.255  Mask:255.255.255.255
          inet6 addr: fe80::200:ff:fe00:0/10 Scope:Link
          UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:210 (210.0 b)

eth0      Link encap:Ethernet  HWaddr 00:02:B3:23:FD:37
          inet addr:194.122.120.252  Bcast:194.122.120.255  Mask:255.255.255.128
          inet6 addr: fe80::202:b3ff:fe23:fd37/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:3992943 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4541508 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1073622659 (1023.8 Mb) TX bytes:126305224 (120.4 Mb)
          Interrupt:11 Base address:0x4000

eth0:1 Link encap:Ethernet HWaddr 00:02:B3:23:FD:37
          inet addr:10.42.236.252 Bcast:10.255.255.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          Interrupt:11 Base address:0x4000

eth1 Link encap:Ethernet HWaddr 00:20:AF:BE:87:94
          inet addr:10.10.10.10 Bcast:10.255.255.255 Mask:255.255.255.0
          inet6 addr: fe80::220:afff:febe:8794/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:4086021 errors:264 dropped:0 overruns:4 frame:264
          TX packets:3805048 errors:0 dropped:0 overruns:0 carrier:0
          collisions:598 txqueuelen:100
          RX bytes:3005007793 (2865.7 Mb) TX bytes:550871776 (525.3 Mb)
          Interrupt:10 Base address:0x300

ipsec0 Link encap:IPIP Tunnel HWaddr
          inet addr:80.141.151.70 Mask:255.255.255.255
          UP RUNNING NOARP MTU:16260 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:7 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:6231254 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6231254 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2868416784 (2735.5 Mb) TX bytes:2868416784 (2735.5 Mb)

ppp0 Link encap:Point-to-Point Protocol
          inet addr:80.141.151.70 P-t-P:217.5.98.145 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
          RX packets:88599 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89717 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:64131009 (61.1 Mb) TX bytes:9775587 (9.3 Mb)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
194.122.120.252 0.0.0.0         255.255.255.255 UH    1      0        0 dummy0
217.5.98.145    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
217.5.98.145    0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
194.122.120.128 0.0.0.0         255.255.255.128 U     0      0        0 eth0
194.122.120.0   194.122.120.131 255.255.255.128 UG    0      0        0 eth0
172.17.30.0     217.5.98.145    255.255.255.0   UG    0      0        0 ipsec0
10.42.236.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.42.0.0       10.42.236.1     255.255.0.0     UG    0      0        0 eth0
0.0.0.0         217.5.98.145    0.0.0.0         UG    0      0        0 ppp0

/etc/ipsec.conf:

config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=ppp0"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dns
        rightrsasigkey=%dns

conn office
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=vpn.mydomain
        leftid="[...]"
        leftsubnet=10.42.236.0/24
        leftnexthop=217.5.98.145
        right=%any
        rightsubnet=172.17.30.0/24
        auto=add

When I do a tcpdump -i ipsec0 on this side and try to ping 172.17.30.128 I
see the following:
14:17:46.152840 80.141.151.70 > 172.17.30.128: icmp: echo request (DF)
14:17:47.167312 80.141.151.70 > 172.17.30.128: icmp: echo request (DF)
14:17:48.167348 80.141.151.70 > 172.17.30.128: icmp: echo request (DF)

The second host, which is connected to an SMC Barricade router, has the
following setup:

eth0      Link encap:Ethernet  HWaddr 00:E0:7D:A2:AA:48
          inet addr:192.168.123.128  Bcast:192.168.123.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:7dff:fea2:aa48/10 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:11776631 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12951310 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1973823416 (1882.3 Mb) TX bytes:3330681888 (3176.3 Mb)
          Interrupt:11 Base address:0xa000

eth0:0 Link encap:Ethernet HWaddr 00:E0:7D:A2:AA:48
          inet addr:172.17.30.128 Bcast:172.17.255.255 Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
          Interrupt:11 Base address:0xa000

ipsec0 Link encap:IPIP Tunnel HWaddr
          inet addr:192.168.123.128 Mask:255.255.255.0
          UP RUNNING NOARP MTU:16260 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:63 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:371650 errors:0 dropped:0 overruns:0 frame:0
          TX packets:371650 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:79646540 (75.9 Mb) TX bytes:79646540 (75.9 Mb)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.17.30.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.42.236.0     192.168.123.254 255.255.255.0   UG    0      0        0 ipsec0
192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
0.0.0.0         192.168.123.254 0.0.0.0         UG    0      0        0 eth0

192.168.123.254 is the IP of my SMC Barricade.

/etc/ipsec.conf

config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dns
        rightrsasigkey=%dns

conn office
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute
        leftsubnet=172.17.30.0/24
        leftid="[...]"
        right=vpn.mydomain
        rightid="[...]"
        rightsubnet=10.42.236.0/24
        auto=start

When I do a tcpdump -i ipsec0 on this and ping 10.42.236.252 I get the
following:
14:24:29.053960 unknown ip 0
14:24:30.070069 unknown ip 0
14:24:34.270908 unknown ip 0

This is the log from the "server-side":

Oct 31 14:10:37 host1 Pluto[18217]: "office" 80.133.134.177 #1: responding to Main Mode from unknown peer 80.133.134.177
Oct 31 14:10:37 host1 Pluto[18217]: "office" 80.133.134.177 #1: Peer ID is ID_DER_ASN1_DN: '[...]'
Oct 31 14:10:37 host1 Pluto[18217]: "office" 80.133.134.177 #1: Next CRL update was expected on Oct 24 12:14:17 UTC 2002
Oct 31 14:10:37 host1 Pluto[18217]: "office" 80.133.134.177 #1: Next CRL update was expected on Oct 24 12:14:17 UTC 2002
Oct 31 14:10:37 host1 Pluto[18217]: "office" 80.133.134.177 #1: deleting connection "office" instance with peer 80.133.134.177
Oct 31 14:10:37 host1 Pluto[18217]: "office" 80.133.134.177 #1: sent MR3, ISAKMP SA established
Oct 31 14:10:37 host1 Pluto[18217]: "office" 80.133.134.177 #2: responding to Quick Mode
Oct 31 14:10:38 host1 Pluto[18217]: "office" 80.133.134.177 #2: IPsec SA established

I spent a couple of hours on this today but don't see any light :/

Thanks in advance
Manfred

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
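Editor's added example, not part of Manfred's post and not FreeS/WAN code: a small Python checker for the symptom described above. KLIPS encapsulates a packet only when its source address lies in one of the conn's subnets and its destination in the other; a packet that reaches ipsec0 without a matching eroute is discarded and shows up in that interface's TX `dropped` counter. The script parses the `conn office` section as posted on the server side, runs the captured tcpdump lines through that selector test, and picks a local address inside `leftsubnet` to use with `ping -I`. The parser, the function names and the list of local addresses (taken from the ifconfig output) are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample input: the "office" conn from the server-side ipsec.conf
# in the post (key/id lines omitted; they do not affect the selectors).
SERVER_CONF = """\
config setup
        interfaces="ipsec0=ppp0"

conn %default
        keyingtries=0
        authby=rsasig

conn office
        leftsubnet=10.42.236.0/24
        leftnexthop=217.5.98.145
        right=%any
        rightsubnet=172.17.30.0/24
        auto=add
"""

# Constructed sample input: the three echo requests seen with tcpdump -i ipsec0.
TCPDUMP_LINES = [
    "14:17:46.152840 80.141.151.70 > 172.17.30.128: icmp: echo request (DF)",
    "14:17:47.167312 80.141.151.70 > 172.17.30.128: icmp: echo request (DF)",
    "14:17:48.167348 80.141.151.70 > 172.17.30.128: icmp: echo request (DF)",
]

# Addresses configured on the server-side interfaces (from the ifconfig output).
SERVER_LOCAL_ADDRS = ["194.122.120.252", "10.42.236.252", "10.10.10.10", "80.141.151.70"]

# Old tcpdump format: "<time> <src> > <dst>: ..." (no port suffix for icmp).
TCPDUMP_RE = re.compile(r"^\S+\s+(\d+(?:\.\d+){3})\s+>\s+(\d+(?:\.\d+){3})")


def parse_conns(text):
    """Minimal ipsec.conf reader: {conn_name: {key: value}} for every 'conn'
    section. 'config setup' is skipped; comments and surrounding quotes are
    stripped. Assumed helper, not FreeS/WAN's own parser."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if header:
            current = header.group(2) if header.group(1) == "conn" else None
            if current is not None:
                conns.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def selector_pair(conn):
    """The (left, right) networks the eroute for this conn matches. Both
    subnets must be given explicitly here (a bare gateway end would be its
    own /32, which this example does not resolve)."""
    return (ipaddress.ip_network(conn["leftsubnet"]),
            ipaddress.ip_network(conn["rightsubnet"]))


def matches_tunnel(conn, src, dst):
    """True if a packet src -> dst is picked up by the conn's eroute: the
    source must lie in one subnet and the destination in the other."""
    left, right = selector_pair(conn)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)


def check_capture(conn, lines):
    """Classify tcpdump lines as 'tunnelled' or 'no eroute' (dropped on ipsec0)."""
    results = []
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if not m:
            results.append((line, "unparsed"))
            continue
        src, dst = m.groups()
        verdict = "tunnelled" if matches_tunnel(conn, src, dst) else "no eroute"
        results.append((f"{src} > {dst}", verdict))
    return results


def suggest_source(conn, local_addrs):
    """First local address inside leftsubnet, for 'ping -I <addr> <remote>'.
    None when the gateway holds no address in its own leftsubnet."""
    left, _ = selector_pair(conn)
    for addr in local_addrs:
        if ipaddress.ip_address(addr) in left:
            return addr
    return None


if __name__ == "__main__":
    office = parse_conns(SERVER_CONF)["office"]
    for pkt, verdict in check_capture(office, TCPDUMP_LINES):
        print(f"{pkt}: {verdict}")
    print(f"try: ping -I {suggest_source(office, SERVER_LOCAL_ADDRS)} 172.17.30.128")
```

Run against the posted data, the three echo requests are classified as "no eroute" because their source is the ppp0 address rather than one in 10.42.236.0/24, and the suggested source for a test ping from the gateway is 10.42.236.252. The same check applies on the other end: a ping sourced from 192.168.123.128 is outside 172.17.30.0/24 as well.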



This archive was generated by hypermail 2.1.5 : Fri Nov 01 2002 - 05:20:36 CET