Re: [VF][Users] Where are all the packets gone

From: Enrique Sanchez Vela (esanchezvela_at_yahoo.com)
Date: Mon Dec 23 2002 - 19:49:22 CET


Hi Georg,

Are you sure you are not masquerading the packets
coming out of ipsec0 into ppp0?

I would suggest you post your config files for both
freeswan and ipchains; just take care of domain names
and public static IP addresses.

regards,
esv.

--- Georg Ragaz <georg_at_ragaz.net> wrote:
> I have successfully set up a connection to two different subnets with
> Freeswan IPSEC and RSA with dynamic IP addresses on either end. Now I
> wanted to add a Road Warrior to my setup and it is giving me lots of
> problems.
>
> I have been trying the Safenet Client as well as the SSH-Sentinel. Both show
> the same behaviour, leading me to the conclusion that there is a routing
> problem in the first place. With both clients I can establish an IPSEC
> connection, however when it comes to pinging or using the tunnel for
> transferring data, nothing works.
>
> The SECURE log looks like this:
> Dec 23 16:08:39 venus pluto[1475]: "road-warrior"[1] 62.203.73.107 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Dec 23 16:08:39 venus pluto[1475]: "road-warrior"[1] 62.203.73.107 #1: Peer ID is ID_IPV4_ADDR: '62.203.73.107'
> Dec 23 16:08:39 venus pluto[1475]: "road-warrior"[1] 62.203.73.107 #1: sent MR3, ISAKMP SA established
> Dec 23 16:08:39 venus pluto[1475]: "road-warrior"[1] 62.203.73.107 #2: responding to Quick Mode
> Dec 23 16:08:40 venus pluto[1475]: "road-warrior"[1] 62.203.73.107 #2: IPsec SA established
>
> As you can see the connection is established.
>
> Now when it comes to pinging from Network A to RoadWarrior you get the
> following picture:
>
> TCPDUMP the PPP0 Interface:
>
> 16:27:18.969967 > 62.203.15.81 > 62.203.73.107: ip-proto-50 116
> 16:27:19.067306 < 62.203.73.107 > 62.203.15.81: ip-proto-50 116
> 16:27:19.969636 > 62.203.15.81 > 62.203.73.107: ip-proto-50 116
> 16:27:20.067815 < 62.203.73.107 > 62.203.15.81: ip-proto-50 116
>
> So IPSEC Proto 50 packets get sent through the PPP0 Interface (PPPOE ADSL)
> AND come back, meaning the RoadWarrior is responding.
>
> When it comes to the tcpdump of the ipsec0 interface I get the following:
>
> 16:27:32.969382 > 10.234.207.20 > 62.203.73.107: icmp: echo request
> 16:27:33.969306 > 10.234.207.20 > 62.203.73.107: icmp: echo request
> 16:27:34.969268 > 10.234.207.20 > 62.203.73.107: icmp: echo request
>
> This shows that the packets don't get back to the IPSEC0 Interface but get
> lost somewhere between the ppp0 Interface and the ipsec0 interface. Now this
> could be an ipchains issue, however why does the very same setup work with
> two other IPSEC peers and packets come back properly to the ipsec0 Interface
> for those?
>
> The routing table looks like this: (The routes to the two functioning
> subnets are not activated in this printout).
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
> 62.203.8.1      0.0.0.0         255.255.255.255 UH    0      0   0   ppp0
> 62.203.8.1      0.0.0.0         255.255.255.255 UH    0      0   0   ipsec0
> 62.203.73.107   62.203.8.1      255.255.255.255 UGH   0      0   0   ipsec0
> 10.234.207.0    0.0.0.0         255.255.255.0   U     0      0   0   eth0
> 1.1.1.0         0.0.0.0         255.255.255.0   U     0      0   0   eth1
> 0.0.0.0         62.203.8.1      0.0.0.0         UG    0      0   0   ppp0
>
> Any help on this would be appreciated.
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
> _______________________________________________
> Ipsec-users mailing list
> Ipsec-users_at_tossell.net
> http://lists.tossell.net/lists/listinfo/ipsec-users




This archive was generated by hypermail 2.1.5 : Tue Dec 24 2002 - 05:21:27 CET
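
The diagnosis made in this thread, as an added example that is not part of either poster's message: a Python script that reads the two tcpdump captures quoted above and names the hop where the traffic stops. The function names are hypothetical, the `>`/`<` markers are read as outbound/inbound following the post's own interpretation, and it assumes the road-warrior case shown in the post, where the tunnelled address is the peer's public address.

```python
import re

# Old Linux tcpdump line: time, direction marker, "src > dst:", then the summary.
LINE = re.compile(r"^(\S+) ([<>]) (\S+) > (\S+): (.*)$")

# Captures copied from the post, with the mail client's line wrapping undone.
PPP0 = """
16:27:18.969967 > 62.203.15.81 > 62.203.73.107: ip-proto-50 116
16:27:19.067306 < 62.203.73.107 > 62.203.15.81: ip-proto-50 116
16:27:19.969636 > 62.203.15.81 > 62.203.73.107: ip-proto-50 116
16:27:20.067815 < 62.203.73.107 > 62.203.15.81: ip-proto-50 116
"""
IPSEC0 = """
16:27:32.969382 > 10.234.207.20 > 62.203.73.107: icmp: echo request
16:27:33.969306 > 10.234.207.20 > 62.203.73.107: icmp: echo request
16:27:34.969268 > 10.234.207.20 > 62.203.73.107: icmp: echo request
"""

def parse(capture):
    """Return (direction, src, dst, info) tuples; '>' is taken as out, '<' as in."""
    packets = []
    for raw in capture.strip().splitlines():
        m = LINE.match(raw.strip())
        if m:
            _, mark, src, dst, info = m.groups()
            packets.append(("out" if mark == ">" else "in", src, dst, info))
    return packets

def locate_loss(ppp0_capture, ipsec0_capture, peer):
    """Name the first hop at which traffic to or from `peer` is missing."""
    ppp0, ipsec0 = parse(ppp0_capture), parse(ipsec0_capture)
    is_esp = lambda p: p[3].startswith("ip-proto-50")
    clear_out = [p for p in ipsec0 if p[0] == "out" and p[2] == peer]
    esp_out = [p for p in ppp0 if p[0] == "out" and p[2] == peer and is_esp(p)]
    esp_in = [p for p in ppp0 if p[0] == "in" and p[1] == peer and is_esp(p)]
    clear_in = [p for p in ipsec0 if p[0] == "in" and p[1] == peer]
    if not clear_out:
        return "no cleartext routed into ipsec0"
    if not esp_out:
        return "cleartext enters ipsec0 but no ESP leaves ppp0"
    if not esp_in:
        return "ESP leaves ppp0 but the peer never answers"
    if not clear_in:
        return "ESP replies reach ppp0 but nothing is decapsulated onto ipsec0"
    return "round trip complete"

if __name__ == "__main__":
    print(locate_loss(PPP0, IPSEC0, "62.203.73.107"))
```

For the captures in the post the verdict is the last failure stage, the same hop between ppp0 and ipsec0 that the post identifies and that the reply's question about ipchains masquerading is aimed at.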