From: Georg Ragaz (georg_at_ragaz.net)
Date: Mon Dec 23 2002 - 16:06:36 CET
I have successfully set up a connection to two different subnets with
Freeswan IPSEC and RSA with dynamic IP Addresses on either end. Now I
wanted to add a Road Warrior to my setup and it is giving me lots of
problems.
I have been trying the Safenet Client as well as the SSH-Sentinel. Both show
the same behaviour, leading me to the conclusion that there is a routing
problem in the first place. With both clients I can establish an IPSEC
connection, however when it comes to pinging or using the tunnel for
transferring data, nothing works.
The SECURE log looks like this:
Dec 23 16:08:39 venus pluto[1475]: "road-warrior"[1] 62.203.73.107 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Dec 23 16:08:39 venus pluto[1475]: "road-warrior"[1] 62.203.73.107 #1: Peer ID is ID_IPV4_ADDR: '62.203.73.107'
Dec 23 16:08:39 venus pluto[1475]: "road-warrior"[1] 62.203.73.107 #1: sent MR3, ISAKMP SA established
Dec 23 16:08:39 venus pluto[1475]: "road-warrior"[1] 62.203.73.107 #2: responding to Quick Mode
Dec 23 16:08:40 venus pluto[1475]: "road-warrior"[1] 62.203.73.107 #2: IPsec SA established
As you can see the connection is established.
Now when it comes to pinging from Network A to RoadWarrior you get the
following picture:
tcpdump on the ppp0 interface:
16:27:18.969967 > 62.203.15.81 > 62.203.73.107: ip-proto-50 116
16:27:19.067306 < 62.203.73.107 > 62.203.15.81: ip-proto-50 116
16:27:19.969636 > 62.203.15.81 > 62.203.73.107: ip-proto-50 116
16:27:20.067815 < 62.203.73.107 > 62.203.15.81: ip-proto-50 116
So IPSEC Proto 50 packets get sent through the PPP0 Interface (PPPOE ADSL)
AND come back, meaning the RoadWarrior is responding.
When it comes to tcpdump on the ipsec0 interface I get the following:
16:27:32.969382 > 10.234.207.20 > 62.203.73.107: icmp: echo request
16:27:33.969306 > 10.234.207.20 > 62.203.73.107: icmp: echo request
16:27:34.969268 > 10.234.207.20 > 62.203.73.107: icmp: echo request
This shows that the packets don't get back to the IPSEC0 Interface but get
lost somewhere between the ppp0 Interface and the ipsec0 interface. Now this
could be an ipchains issue, however why does the very same setup work with
two other IPSEC peers and packets come back properly to the ipsec0 Interface
for those?
The routing table looks like this: (The routes to the two functioning
subnets are not activated in this printout).
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
62.203.8.1      0.0.0.0         255.255.255.255 UH    0      0   0   ppp0
62.203.8.1      0.0.0.0         255.255.255.255 UH    0      0   0   ipsec0
62.203.73.107   62.203.8.1      255.255.255.255 UGH   0      0   0   ipsec0
10.234.207.0    0.0.0.0         255.255.255.0   U     0      0   0   eth0
1.1.1.0         0.0.0.0         255.255.255.0   U     0      0   0   eth1
0.0.0.0         62.203.8.1      0.0.0.0         UG    0      0   0   ppp0
Any help on this would be appreciated.
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Tue Dec 24 2002 - 05:21:27 CET
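The diagnostic argument in the post above (ESP leaves and returns on ppp0, but no decrypted echo reply ever shows up on ipsec0, while the host route to the peer does point at ipsec0) can be turned into a small triage script. The following is an added example written for this page, not code from the poster or from FreeS/WAN; it parses the old tcpdump 3.x line format shown in the post (direction flag, then "src > dst: summary"), a "route -n" style table, and returns a verdict string. The sample captures and routing table are constructed copies of the post's output, and the verdict names are my own labels, not FreeS/WAN terminology.

```python
import ipaddress
import re

# Constructed samples mirroring the captures in the post (tcpdump 3.x format:
# timestamp, direction flag on a point-to-point interface, "src > dst: summary").
PPP0_DUMP = """\
16:27:18.969967 > 62.203.15.81 > 62.203.73.107: ip-proto-50 116
16:27:19.067306 < 62.203.73.107 > 62.203.15.81: ip-proto-50 116
16:27:19.969636 > 62.203.15.81 > 62.203.73.107: ip-proto-50 116
16:27:20.067815 < 62.203.73.107 > 62.203.15.81: ip-proto-50 116
"""
IPSEC0_DUMP = """\
16:27:32.969382 > 10.234.207.20 > 62.203.73.107: icmp: echo request
16:27:33.969306 > 10.234.207.20 > 62.203.73.107: icmp: echo request
16:27:34.969268 > 10.234.207.20 > 62.203.73.107: icmp: echo request
"""
# Constructed copy of the post's "route -n" output (header line omitted).
ROUTE_TABLE = """\
62.203.8.1      0.0.0.0         255.255.255.255 UH    0 0 0 ppp0
62.203.8.1      0.0.0.0         255.255.255.255 UH    0 0 0 ipsec0
62.203.73.107   62.203.8.1      255.255.255.255 UGH   0 0 0 ipsec0
10.234.207.0    0.0.0.0         255.255.255.0   U     0 0 0 eth0
1.1.1.0         0.0.0.0         255.255.255.0   U     0 0 0 eth1
0.0.0.0         62.203.8.1      0.0.0.0         UG    0 0 0 ppp0
"""

# timestamp, direction flag, src, dst, protocol summary
TCPDUMP_RE = re.compile(r"^\S+ ([<>]) (\S+) > (\S+): (.*)$")


def parse_tcpdump(text):
    """Return (direction, src, dst, summary) tuples; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line.strip())
        if m:
            pkts.append(m.groups())
    return pkts


def count(pkts, direction, needle):
    """Number of packets in the given direction whose summary contains needle."""
    return sum(1 for d, _, _, s in pkts if d == direction and needle in s)


def route_iface(table_text, ip):
    """Longest-prefix match over a route -n style table; returns the outgoing iface."""
    addr = ipaddress.IPv4Address(ip)
    best = None  # (prefixlen, iface)
    for line in table_text.splitlines():
        cols = line.split()
        if len(cols) != 8:
            continue
        dest, _gw, mask, _flags, _m, _r, _u, iface = cols
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def diagnose(outer_dump, inner_dump, route_text, peer):
    """Classify where ping traffic to an IPsec peer stops, from two captures."""
    outer = parse_tcpdump(outer_dump)   # physical interface, e.g. ppp0
    inner = parse_tcpdump(inner_dump)   # KLIPS virtual interface, e.g. ipsec0
    esp_out = count(outer, ">", "ip-proto-50")
    esp_in = count(outer, "<", "ip-proto-50")
    req_out = count(inner, ">", "echo request")
    rep_in = count(inner, "<", "echo reply")
    if route_iface(route_text, peer) != "ipsec0":
        return "route-to-peer-not-via-ipsec0"
    if req_out and not esp_out:
        return "inner-requests-never-encapsulated"
    if esp_out and not esp_in:
        return "peer-not-answering-esp"
    if esp_in and not rep_in:
        # ESP comes back on the outer interface but nothing decrypted reaches
        # ipsec0: the post's symptom, i.e. the packet is lost between the two.
        return "esp-returns-but-decrypted-reply-missing"
    return "tunnel-passing-traffic"


if __name__ == "__main__":
    print(diagnose(PPP0_DUMP, IPSEC0_DUMP, ROUTE_TABLE, "62.203.73.107"))
```

The verdict for the post's own captures is "esp-returns-but-decrypted-reply-missing"; it does not say which component drops the packet, only narrows the search to the path between ppp0 and ipsec0, which is where the poster's ipchains suspicion sits. The route check runs first because a peer reached via ppp0 instead of ipsec0 would never be encapsulated at all, a different failure from the one shown.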