Re: [Users] Can ping gateway but not subnet

From: Sam Sgro (sam_at_freeswan.org)
Date: Tue Nov 05 2002 - 20:21:32 CET



On Tue, 5 Nov 2002, stuart wrote:

> much fiddling I am successfully able to ping my gateway's public IP
> from the Roadwarrior. I can see the encrypted packets coming in on eth0 and then being
> de/recrypted on ipsec0 and then back out of eth0 to my Roadwarrior.
> However, when I ping a subnet IP 192.168.0.x (including the gateway's
> internal IP on eth1) from my Roadwarrior I see
> the packets coming in on eth0 on my Gateway and then being dropped
> (presumably) because they never get to ipsec0. The docs tell me this
> is because my firewall (iptables) is dropping the packets but I have looked at
> every firewall doc on the planet and can not see anything wrong with
> my rules (although of course that doesn't mean they are right!). The
> result being the pings time out on the Roadwarrior. I have been looking
> at this for some time and cannot seem to make any progress.

Your barf appears fine; in theory, you should be able to successfully ping the
FS gateway.

On further reflection, your situation looks familiar. When a Win2k Roadwarrior
is on the same subnet as the FreeS/WAN gateway, it gets a bit confused as to
where it's sending its ipsec packets.

The real culprit was not found with a "plain" tcpdump examination of the
public interface: it only displays IP addresses, and the packets looked as if
they had the proper source and destination IP addresses. Not all was well at
the Data Link layer, however. When the MAC addresses on the packet were
examined (using the "-e" argument to tcpdump) the packets were addressed to
the subnet's gateway, *not* to the FS box. Thus, the FS box (correctly)
ignored these mislabelled packets.

Altering the routing entries on the win2k box did the trick; take a look at
this message:

http://lists.freeswan.org/pipermail/users/2002-July/012628.html

You can also use tethereal to examine the packets for MAC addresses. It did
look a lot like firewalling for a while, because KLIPS never acknowledged the
packets; that's usually a sign of firewall problems.

--
Sam Sgro
sam_at_freeswan.org

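Sam's "tcpdump -e" check, as an added example that is not part of the original thread: a small Python parser over constructed tcpdump -e output (the modern line format is assumed) that flags frames whose IP destination is the FreeS/WAN gateway but whose Ethernet destination MAC belongs to some other host, the mislabelling described above. The gateway IP and all MAC addresses are constructed placeholders.

```python
"""Check tcpdump -e output for frames addressed to the wrong Ethernet host.

Added example, not from the original thread. Assumes the modern tcpdump -e
line format ("src_mac > dst_mac, ethertype IPv4 (0x0800), length N: ...");
all addresses below are constructed placeholders.
"""
import re

# Constructed values: the FreeS/WAN gateway's public IP and its eth0 MAC.
FS_PUBLIC_IP = "203.0.113.10"
FS_ETH0_MAC = "00:11:22:33:44:55"

# Constructed capture: frame 2 carries ESP for the FS gateway's IP but is
# addressed at the Data Link layer to the subnet's router, so KLIPS never
# sees it, which is the symptom described in the thread.
SAMPLE_CAPTURE = """\
20:21:32.100001 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 134: 203.0.113.77 > 203.0.113.10: ESP(spi=0x0000abcd,seq=0x1), length 100
20:21:33.100002 00:aa:bb:cc:dd:01 > 00:de:ad:be:ef:01, ethertype IPv4 (0x0800), length 134: 203.0.113.77 > 203.0.113.10: ESP(spi=0x0000abcd,seq=0x2), length 100
20:21:34.100003 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 203.0.113.77 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
"""

FRAME_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>[0-9a-f:]{17})\s+>\s+(?P<dmac>[0-9a-f:]{17}),"
    r"\s+ethertype IPv4 \(0x0800\),\s+length \d+:\s+"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:\s+(?P<payload>.*)$",
    re.IGNORECASE,
)


def parse_frame(line):
    """Return the Ethernet and IP addresses of one tcpdump -e line, or None."""
    m = FRAME_RE.match(line.strip())
    return m.groupdict() if m else None


def misaddressed_frames(capture, fs_ip=FS_PUBLIC_IP, fs_mac=FS_ETH0_MAC):
    """List (line_no, src_ip, dst_mac, payload) for frames whose IP header
    names the FS gateway but whose Ethernet header names another host."""
    found = []
    for n, line in enumerate(capture.splitlines(), 1):
        f = parse_frame(line)
        if f is None or f["dip"] != fs_ip:
            continue
        if f["dmac"].lower() != fs_mac.lower():
            found.append((n, f["sip"], f["dmac"].lower(), f["payload"]))
    return found


if __name__ == "__main__":
    for n, sip, dmac, payload in misaddressed_frames(SAMPLE_CAPTURE):
        print(f"line {n}: {sip} -> {FS_PUBLIC_IP} but dst MAC {dmac}: {payload}")
```

Feed it a real capture with `tcpdump -e -n -i eth0 -l | python3 thisfile.py` only after swapping in the gateway's actual IP and MAC; a hit means the peer's routing, not the firewall, is steering the packets past the FS box.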




This archive was generated by hypermail 2.1.5 : Thu Nov 07 2002 - 05:20:39 CET