[prev in list] [next in list] [prev in thread] [next in thread] 

List:       strongswan-users
Subject:    [strongSwan] Cannot ping either side of a NET2NET connection
From:       sibxol () btconnect ! com (sibusiso xolo)
Date:       2005-10-28 3:14:15
Message-ID: 200510280239.13196.sibxol () btconnect ! com
[Download RAW message or body]

On Wednesday 26 October 2005 12:51, Fausto Sakamoto wrote:
> Hi everyone,
>
> 	I'm a newbie on strongswan, so I don't know what's happening and
> some help will be appreciated. That's the problem:
>
> 	I'm trying to get an encrypted tunnel from the HQ office to a
> branch, using fixed public IPs on both sides. I'm using Slackware 10.2
> on the gateways, and both of them are using kernel 2.6.13.4 (I compiled
> it with ah, esp, af_key and all encryption options enabled). As I'm
> using a 2.6 kernel, KLIPS is not necessary, and I compiled and installed
> only userland programs.
> 	The connection is up, as we can see on ipsec auto -status
> results (on x.y.235.102 gateway):
>
> root@cerbero:~# ipsec auto --status
> 000
> 000 "disul":
> 192.168.6.0/24===x.y.235.102---x.y.235.97...z.w.250.206==2.168.5.0/24
> ; erouted; eroute owner: #3
> 000 "disul":   newest ISAKMP SA: #1; newest IPsec SA: #3;
> 000
> 000 #3: "disul" STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 212s; newest IPSEC; eroute owner
> 000 #3: "disul" esp.e84aa6e9@z.w.250.206 esp.fbecd91d@x.y.235.102
> tun.0@z.w.250.206 tun.0@x.y.235.102
> 000 #1: "disul" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE
> in 1575s; newest ISAKMP
> 000
>
> But I can't ping from 192.168.5.0/24 to 192.168.6.0/24 and vice-versa,
> from any host (even from the gateways, using ping -I).


you probably neeed to allow  ping   in your firewall  for the interface with
the publlic IPaddress  from/to  the  local subnet:

something like
iptables  -A INPUT -p icmp -s $network  -i $internal   -d  $external  -j
ACCEPT
yada yada
yada yada
-



>
> route -n on gateways returns this:
>
> on x.y.235.102 gateway:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
> x.y.235.96      0.0.0.0         255.255.255.248 U     0      0        0
> eth0
> 192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0
> eth1
> 192.168.5.0     x.y.235.97      255.255.255.0   UG    0      0        0
> eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0
> lo
> 0.0.0.0         x.y.235.97      0.0.0.0         UG    1      0        0
> eth0
>
> on z.w.250.206 gateway:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
> Iface
> z.w.250.204     0.0.0.0         255.255.255.252 U     0      0        0
> eth1
> 192.168.6.0     z.w.250.205     255.255.255.0   UG    0      0        0
> eth1
> 192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0
> eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0
> lo
> 0.0.0.0         z.w.250.205     0.0.0.0         UG    1      0        0
> eth1
>
> 	When I try to ping from x.y.235.102 gateway, using ping -I
> 192.168.6.70 192.168.5.2, I can dump packets on external interface of
> z.w.250.206 gateway:
>
> 09:37:33.601509 IP 192.168.6.70 > 192.168.5.2: ICMP echo request, id
> 5404, seq 1, length 64
> 09:37:34.573178 IP 192.168.6.70 > 192.168.5.2: ICMP echo request, id
> 5404, seq 2, length 64
> 09:37:35.573182 IP 192.168.6.70 > 192.168.5.2: ICMP echo request, id
> 5404, seq 3, length 64
> 09:37:36.573191 IP 192.168.6.70 > 192.168.5.2: ICMP echo request, id
> 5404, seq 4, length 64
>
> 	But I cannot observe any packets arriving on internal interface
> of this same gateway. I presume it's not routing these packets. On the
> other gateway, ping packets are not arriving.
>
> Here are my conf.files:
>
> On x.y.223.235 gateway:
>
> config setup
>         plutodebug=control
>         interfaces=%defaultroute
>
> conn %default
>         ikelifetime`m
>         keylife m
>         keyexchange=ike
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         pfs=yes
>
> conn disul
>         left=x.y.235.102
>         leftnexthop=%defaultroute
>         leftsubnet2.168.6.0/24
>         right=z.w.250.206
>         rightsubnet2.168.5.0/24
>         auto=start
>
>
> On z.w.250.206 gateway:
>
> config setup
>         plutodebug=all
>         interfaces=%defaultroute
>
> conn %default
>         ikelifetime`m
>         keylife m
>         keyexchange=ike
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         pfs=yes
>
> conn disul
>         left=z.w.250.206
>         leftnexthop=%defaultroute
>         leftsubnet2.168.5.0/24
>         right=x.y.235.102
>         rightsubnet2.168.6.0/24
>         auto=start
>
>
> 	I tested this configuration in my lab, with both gateways'
> public interfaces on same subnet, and it worked fine. Can it be some
> disturbance caused by a device on the middle? As far as my knowledge
> goes, all proper firewall ports on devices that are under my control are
> open - it's connecting, isn't it?
>
> Best regards,
>
>
> Fausto Sakamoto
> IT Infrastructure
> Tel.: +55 (71) 3273-7527 Fax: +55 (71) 3273-7502
> e-mail: fausto@wbsltda.com.br
>
> WBS Gerenciamento e Empreendimentos Ltda
> website: www.wbsltda.com.br
>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> http://lists.strongswan.org/mailman/listinfo/users

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic