Mailinglist Archive: opensuse-security (300 mails)
Re: [suse-security] IP Tunnel in only one direction possible
- From: telest@xxxxxxx
- Date: Wed, 23 Apr 2003 12:07:48 +0200 (MEST)
- Message-id: <25230.1051092468@xxxxxxxxxxxxx>
Hi Thomas,
please see below.
|-----Original Message-----
|From: Thomas Kerkau [mailto:Thomas.Kerkau@xxxxxxxxxxxxxxx]
|Sent: Wednesday, 23 April 2003 10:52
|To: telest@xxxxxxx
|Cc: suse-security@xxxxxxxx
|Subject: Re: [suse-security] IP Tunnel in only one direction possible
|
|
|Hi Peter,
|
|I'm a little confused. To get things right:
|
|> tcpdump told me:
|> eth0 (internal) ping request was sent (from machine net2 to
|machine net1)
|
|NET2 pings NET1: GW2(eth0) logs an icmp request ?
on eth0:
9 7.631138 192.168.101.239 192.168.100.205 ICMP Echo
(ping) request
192.168.101.0/24 is net2 internal
192.168.100.0/24 is net1 internal
on ipsec0:
3 1.694921 217.235.199.35 192.168.100.205 ICMP
Echo (ping) request
on eth1:
nothing--
on ppp0
nothing--
|
|> ipsec0 ping request (from fw/gw net2 external IP to machine
|net1 (internal
|> ip)) ! maybe here is the fault!!
|
|NET2 pings NET1: GW2(ipsec0) logs an icmp request to NET1?
|
|> ppp0 (nothing)
|
|what about eth1? It is absolutely correct to have tcpdump report packets on
|ipsec0 to some internal ip at NET1. At the same time the physical
|interface with the same ip as the logical ipsec0 should log some
|ESP packets.
|
|
|> tcpdump example from the not-working GW NET2 - ipsec0 if
|> 10:21:04.304526 192.168.100.1 > 192.168.101.239: icmp: echo request
|> 10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo
|reply -> this is
|> the ping request from net1 to net2
|
|The above is NET1 pings NET2, which works. What does it show for NET2
|pings Net1. From the above I would guess only the icmp: echo
|request but
|no echo reply?
Yes, I forgot to paste in the reply. :)
but basically ipsec0 looks different on both machines
GW2:|> 10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo
GW1:|> 08:51:05.057368 unknown ip 0
|
|
|> tcpdump example from the working GW NET1 - ipsec0 if
|> 08:51:05.057368 unknown ip 0
|> 08:51:05.185805 unknown ip 0
|> 08:51:05.256899 unknown ip 0
|> 08:51:05.386109 unknown ip 0
|> 08:51:05.458005 unknown ip 0
|> 08:51:05.586372 unknown ip 0
|> 08:51:05.659086 unknown ip 0
|> 08:51:05.786648 unknown ip 0
|
|This is NET2 pings NET1?
|
|The Post/Prerouting table is viewed by iptables -t nat -L
|
|Maybe you take a look at your ipsec:
|ipsec eroute lists your ipsec routings
|ipsec auto --status lists the status of your connections
|
|
|Greetings, Thomas
|
|
|>
|> |-----Original Message-----
|> |From: Thomas Kerkau [mailto:Thomas.Kerkau@xxxxxxxxxxxxxxx]
|> |Sent: Wednesday, 23 April 2003 09:07
|> |To: telest@xxxxxxx
|> |Cc: suse-security@xxxxxxxx
|> |Subject: Re: [suse-security] IP Tunnel in only one
|direction possible
|> |
|> |
|> |Hi Peter,
|> |
|> |this might be due to your iptables configuration. It is
|unlikely to be
|> |due to your ipsec or routing config, because it works in one
|direction. I
|> |would try to take down iptables, if possible. This is not
|secure but a
|> |quick test. Maybe you take a look at your iptables
|configuration first,
|> |and compare FW1 and FW2, keeping in mind that FW2 has an
|external ethX
|> |and a pppX interface.
|> |Some further ideas:
|> |Maybe you try to use tcpdump on FW2, looking for the packets
|> |from Net2 or
|> |enable logging for all packets with iptables.
|> |
|> |Hope this helps a little but it is very difficult to guess
|what might be
|> |wrong,
|> |
|> |Thomas
|> |
|> |
|> |> I have a big problem, that today the VPN tunnel is only
|usable in one
|> |> direction.
|> |>
|> |> NET(1) --- FW1/VPN Gateway ---- internet ---- FW2 / VPN
|> |Gateway ---- NET(2)
|> |>
|> |> I can ping from NET1 to NET2 and get replies. ( I also can
|> |use different
|> |> other things like pcanywhere, file access to the pc's on net2,...)
|> |>
|> |> I cannot ping from NET2 to NET1. There is nothing in the
|> |logfiles. I can
|> |> only see on the interface statistics that the 4 ping packets
|> |are dropped.
|> |>
|> |> I use on both sides:
|> |> Freeswan 1.98b
|> |> iptables
|> |> Suse Linux 8.0
|> |>
|> |> FW1: static IP Addresses, SDSL Connection
|> |> FW2: dynamic IP Addresses, SDSL PPPoE Connection
|> |>
|> |> I'm really stuck and help will be appreciated.
|> |>
|> |> Thanks
|> |>
|> |> Peter
|> |>
|> |> --
|> |> +++ GMX - Mail, Messaging & more http://www.gmx.net +++
|> |> Smile, please! Photo gallery online with GMX without your own homepage!
|> |>
|> |> --
|> |> Check the headers for your unsubscription address
|> |> For additional commands, e-mail: suse-security-help@xxxxxxxx
|> |> Security-related bug reports go to security@xxxxxxx, not here
|> |
|> |--
|> |www.ArcStyler.com - the Architectural IDE for MDA:J2EE/.NET/EAI
|> | -> CyberOne Award
|> | -> Winner Crossroads A-List Award USA
|> | -> IBM Solution Excellence Award winner for Hot Java Solution
|> | -> European Information Society Technologies Prize Winner
|> | -> Made with ArcStyler: http://www.io-software.com/customers
|> | -> OMG Press, John Wiley 2002 www.ConvergentArchitecture.com
|> |
|> |----- < iO > ---------------------------------------------------------
|> |Interactive Objects Software GmbH
|> |mailto:Thomas.Kerkau@xxxxxxxxxxxxxxx
|> |http://www.io-software.com
|> |Basler Strasse 65, D-79100 Freiburg, Germany
|> |Tel: [+49]-761-40073-0, Fax: [+49]-761-40073-73
|> |----------------------------------------------------------------------
|> |
|>
|> --
|> +++ GMX - Mail, Messaging & more http://www.gmx.net +++
|> Smile, please! Photo gallery online with GMX without your own homepage!
|>
|> --
|> Check the headers for your unsubscription address
|> For additional commands, e-mail: suse-security-help@xxxxxxxx
|> Security-related bug reports go to security@xxxxxxx, not here
|
|--
|www.ArcStyler.com - the Architectural IDE for MDA:J2EE/.NET/EAI
| -> CyberOne Award
| -> Winner Crossroads A-List Award USA
| -> IBM Solution Excellence Award winner for Hot Java Solution
| -> European Information Society Technologies Prize Winner
| -> Made with ArcStyler: http://www.io-software.com/customers
| -> OMG Press, John Wiley 2002 www.ConvergentArchitecture.com
|
|----- < iO > ---------------------------------------------------------
|Interactive Objects Software GmbH
|mailto:Thomas.Kerkau@xxxxxxxxxxxxxxx
|http://www.io-software.com
|Basler Strasse 65, D-79100 Freiburg, Germany
|Tel: [+49]-761-40073-0, Fax: [+49]-761-40073-73
|----------------------------------------------------------------------
|
--
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Smile, please! Photo gallery online with GMX without your own homepage!
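The thread's diagnosis turns on comparing tcpdump output per interface on both gateways: a flow that shows echo requests without matching replies, and an ipsec0 capture that tcpdump cannot decode ("unknown ip 0"). The following is an added example, not code from the thread or from FreeS/WAN: a small Python script that parses tcpdump's classic one-line ICMP format as quoted above and, per interface, lists one-way echo flows and counts undecoded packets. The interface names, the sample capture lines and the `analyse_capture`/`report` functions are constructed for this illustration.

```python
"""Flag one-way ICMP echo flows in tcpdump text output, per interface.

Added example (not from the mailing-list thread). Assumes tcpdump's
classic line format as quoted in the thread:
    HH:MM:SS.usec SRC > DST: icmp: echo request
and treats lines such as "HH:MM:SS.usec unknown ip 0" as packets that
tcpdump could not decode.
"""
import re
from collections import defaultdict

# Constructed sample capture, modelled on the lines quoted in the thread.
SAMPLE_CAPTURE = {
    "GW2/ipsec0": [
        "10:21:04.304526 192.168.100.1 > 192.168.101.239: icmp: echo request",
        "10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo reply",
        "10:21:06.100000 192.168.101.239 > 192.168.100.205: icmp: echo request",
        "10:21:07.100000 192.168.101.239 > 192.168.100.205: icmp: echo request",
    ],
    "GW1/ipsec0": [
        "08:51:05.057368 unknown ip 0",
        "08:51:05.185805 unknown ip 0",
    ],
}

ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)
UNKNOWN_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+unknown ip")


def parse_line(line):
    """Return ("icmp", src, dst, kind), ("unknown", None, None, None) or None."""
    m = ICMP_RE.match(line)
    if m:
        return ("icmp", m.group("src"), m.group("dst"), m.group("kind"))
    if UNKNOWN_RE.match(line):
        return ("unknown", None, None, None)
    return None


def analyse_capture(lines):
    """Count echo requests and replies per (src, dst) flow; count undecoded lines."""
    flows = defaultdict(lambda: {"request": 0, "reply": 0})
    undecoded = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, src, dst, sub = parsed
        if kind == "unknown":
            undecoded += 1
            continue
        if sub == "request":
            flows[(src, dst)]["request"] += 1
        else:
            # A reply dst->src answers the request flow src->dst.
            flows[(dst, src)]["reply"] += 1
    return dict(flows), undecoded


def find_one_way_flows(flows):
    """Flows with echo requests but no reply seen at all."""
    return sorted(pair for pair, c in flows.items()
                  if c["request"] > 0 and c["reply"] == 0)


def report(capture):
    """Per interface: one-way echo flows and number of undecoded packets."""
    result = {}
    for iface, lines in capture.items():
        flows, undecoded = analyse_capture(lines)
        result[iface] = {"one_way": find_one_way_flows(flows),
                         "undecoded": undecoded}
    return result


if __name__ == "__main__":
    for iface, r in report(SAMPLE_CAPTURE).items():
        print(iface, r)
```

Feed it the output of a separate `tcpdump -n -i <iface>` run per interface on each gateway (the interface names in the dictionary are only labels); a flow that is one-way on ipsec0 but absent on the physical interface points at the same place Thomas suggests looking: the firewall rules and the ipsec routing shown by `ipsec eroute`.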