RE: [Users] SSH sentinel interop problem

From: Mark Weaver (mark_at_npsl.co.uk)
Date: Fri Nov 08 2002 - 04:21:53 CET

• Next message: Jussi Torhonen: "Re: [Users] How critical is rp_filter kernel paramater setting?"
• Previous message: Ken Bantoft: "Re: [Users] Generally confused :-)"
• In reply to: Mark Weaver: "[Users] SSH sentinel interop problem"
• Next in thread: Mark Weaver: "RE: [Users] SSH sentinel interop problem (ip_send() failed, err=1)"
• Reply: Mark Weaver: "RE: [Users] SSH sentinel interop problem (ip_send() failed, err=1)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On further fiddling it appears that the packets aren't leaving the freeswan
box. tcpdump shows the reply packets on ipsec1, but no ESP packets in the
appropriate directions on the underlying i/f (eth1).

Could this be something to do with the NAT? I've tried ipsec --klipsdebug
all, but nothing stood out in the output - anything in particular I should
look for?

Thanks,

Mark

> -----Original Message-----
> From: users-admin_at_lists.freeswan.org
> [mailto:users-admin_at_lists.freeswan.org]On Behalf Of Mark Weaver
> Sent: 07 November 2002 09:15
> To: Freeswan Users
> Subject: [Users] SSH sentinel interop problem
>
>
> I'm having a little trouble setting up SSH Sentinel + wireless lan +
> freeswan. Thus far I have a tunnel from my laptop (10.0.5.240) to the
> outside world via NAT (on the freeswan box, 10.0.5.1):
>
> conn %default
> type=tunnel
> pfs=yes
> keylife=2h
> keyingtries=0
> disablearrivalcheck=no
> authby=rsasig
> rightid="C=UK, ST=Cambridgeshire, L=Cambridge, O=NPSL,
> CN=stanley.npsl.co.uk, E=root_at_stanley.npsl.co.uk"
> rightrsasigkey=%cert
> right=%defaultroute
> rightsubnet=10.0.5.0/24
>
> # connection to flump
> conn flump
> leftid="C=UK, ST=Cambridgeshire, L=Cambridge, O=NPSL,
> CN=flump.npsl.co.uk"
> leftrsasigkey=%cert
> left=%any
> leftsubnet=
> right=10.0.5.1
> rightsubnet=0/0
> auto=add
>
> Diagram:
>
> 0/0 === public IP (dialup) / 10.0.5.1 ----- 10.0.5.240
> eth0/ipsec0 eth1/ipsec1
>
> This tunnel establishes OK. Following that, and trying ping 131.111.8.42
> (for example), I can see traffic flow over ipsec1, out on eth0 NAT'd, back
> in on eth0 and then back out on ipsec1 to 10.0.5.240. The trouble is that
> anything sent over the tunnel from 10.0.5.1 -> 10.0.5.240 appears to be
> dropped by SSH sentinel, traffic the other way works perfectly.
>
> Any advice as to how to find out where my packets are going would
> be greatly
> appreciated.
>
> Thanks,
>
> Mark
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
>

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

• Next message: Jussi Torhonen: "Re: [Users] How critical is rp_filter kernel paramater setting?"
• Previous message: Ken Bantoft: "Re: [Users] Generally confused :-)"
• In reply to: Mark Weaver: "[Users] SSH sentinel interop problem"
• Next in thread: Mark Weaver: "RE: [Users] SSH sentinel interop problem (ip_send() failed, err=1)"
• Reply: Mark Weaver: "RE: [Users] SSH sentinel interop problem (ip_send() failed, err=1)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.5 : Sat Nov 09 2002 - 05:20:36 CET