Hi Thomas, thanks for your suggestions.

I tried to see if my FW drops packets, but there is no entry in the firewall logfile. The only information I can see is in the link statistics (ip -s link): there are dropped packets at interface ipsec0.

tcpdump told me:
  eth0 (internal): ping request was sent (from machine net2 to machine net1)
  ipsec0: ping request (from fw/gw net2 external IP to machine net1 (internal IP)) ! maybe here is the fault!!
  ppp0: (nothing)
tcpdump example from the not-working GW NET2 - ipsec0 if:
10:21:04.304526 192.168.100.1 > 192.168.101.239: icmp: echo request
10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo reply
-> this is the ping request from net1 to net2
10:21:04.500970 192.168.100.1.cnrprotocol > 192.168.101.223.telnet: . ack 9658 win 64058 (DF)
10:21:04.501566 192.168.101.223.telnet > 192.168.100.1.cnrprotocol: P 9658:10007(349) ack 0 win 5488 (DF) [tos 0x10]
10:21:04.700379 192.168.100.1.cnrprotocol > 192.168.101.223.telnet: . ack 10007 win 63709 (DF)
10:21:04.700979 192.168.101.223.telnet > 192.168.100.1.cnrprotocol: P 10007:10221(214) ack 0 win 5488 (DF) [tos 0x10]
10:21:04.901447 192.168.100.1.cnrprotocol > 192.168.101.223.telnet: . ack 10221 win 63495 (DF)
10:21:04.902043 192.168.101.223.telnet > 192.168.100.1.cnrprotocol: P 10221:10437(216) ack 0 win 5488 (DF) [tos 0x10]
10:21:05.101170 192.168.100.1.cnrprotocol > 192.168.101.223.telnet: . ack 10437 win 63279 (DF)
10:21:05.101764 192.168.101.223.telnet > 192.168.100.1.cnrprotocol: P 10437:10653(216) ack 0 win 5488 (DF) [tos 0x10]
10:21:05.302252 192.168.100.1.cnrprotocol > 192.168.101.223.telnet: . ack 10653 win 64484 (DF)
10:21:05.302872 192.168.101.223.telnet > 192.168.100.1.cnrprotocol: P 10653:10869(216) ack 0 win 5488 (DF) [tos 0x10]
10:21:05.311890 192.168.100.1 > 192.168.101.239: icmp: echo request

tcpdump example from the working GW NET1 - ipsec0 if:
08:51:04.985548 unknown ip 0
08:51:05.057368 unknown ip 0
08:51:05.185805 unknown ip 0
08:51:05.256899 unknown ip 0
08:51:05.386109 unknown ip 0
08:51:05.458005 unknown ip 0
08:51:05.586372 unknown ip 0
08:51:05.659086 unknown ip 0
08:51:05.786648 unknown ip 0
|-----Original Message-----
|From: Thomas Kerkau [mailto:Thomas.Kerkau@io-software.com]
|Sent: Wednesday, 23 April 2003 09:07
|To: telest@gmx.net
|Cc: suse-security@suse.com
|Subject: Re: [suse-security] IP Tunnel in only one direction possible
|
|
|Hi Peter,
|
|this might be due to your iptables configuration. It is unlikely to be
|due to your ipsec or routing config, because it works in one direction. I
|would try to take down iptables, if possible. This is not secure but a
|quick test. Maybe you take a look at your iptables configuration first,
|and compare FW1 and FW2, keeping in mind that FW2 has an external ethX
|and a pppX interface.
|Some further ideas:
|Maybe you try to use tcpdump on FW2, looking for the packets from Net2 or
|enable logging for all packets with iptables.
|
|Hope this helps a little but it is very difficult to guess what might be
|wrong,
|
|Thomas
|
|
|> I have a big problem, that today the VPN tunnel is only usable in one
|> direction.
|>
|> NET(1) --- FW1/VPN Gateway ---- internet ---- FW2 / VPN Gateway ---- NET(2)
|>
|> I can ping from NET1 to NET2 and get replies. (I also can use different
|> other things like pcanywhere, file access to the PCs on net2, ...)
|>
|> I cannot ping from NET2 to NET1. There is nothing in the logfiles. I can
|> only see on the interface statistics that the 4 ping packets are dropped.
|>
|> I use on both sides:
|> Freeswan 1.98b
|> iptables
|> Suse Linux 8.0
|>
|> FW1: static IP addresses, SDSL connection
|> FW2: dynamic IP addresses, SDSL PPPoE connection
|>
|> I'm really stuck and help will be appreciated.
|>
|> Thanks
|>
|> Peter
Hi Peter,
I'm a little confused. To get things right:
> tcpdump told me: eth0 (internal) ping request was sent (from machine net2 to machine net1)

NET2 pings NET1: GW2(eth0) logs an icmp request?

> ipsec0 ping request (from fw/gw net2 external IP to machine net1 (internal ip)) ! maybe here is the fault!!

NET2 pings NET1: GW2(ipsec0) logs an icmp request to NET1?

> ppp0 (nothing)
What about eth1? It is absolutely correct to have tcpdump report packets on ipsec0 to some internal IP at NET1. At the same time the physical interface with the same IP as the logical ipsec0 should log some ESP packets.
> tcpdump example from the not-working GW NET2 - ipsec0 if
> 10:21:04.304526 192.168.100.1 > 192.168.101.239: icmp: echo request
> 10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo reply
> -> this is the ping request from net1 to net2

The above is NET1 pings NET2, which works. What does it show for NET2 pings NET1? From the above I would guess only the icmp: echo request but no echo reply?
> tcpdump example from the working GW NET1 - ipsec0 if
> 08:51:04.985548 unknown ip 0
> 08:51:05.057368 unknown ip 0
> 08:51:05.185805 unknown ip 0
> 08:51:05.256899 unknown ip 0
> 08:51:05.386109 unknown ip 0
> 08:51:05.458005 unknown ip 0
> 08:51:05.586372 unknown ip 0
> 08:51:05.659086 unknown ip 0
> 08:51:05.786648 unknown ip 0

This is NET2 pings NET1?
The POSTROUTING/PREROUTING table is viewed with: iptables -t nat -L

Maybe you take a look at your ipsec:
  ipsec eroute         lists your ipsec routings
  ipsec auto --status  lists the status of your connections
Greetings, Thomas
----- < iO > ---------------------------------------------------------
Interactive Objects Software GmbH
mailto:Thomas.Kerkau@io-software.com
http://www.io-software.com
Basler Strasse 65, D-79100 Freiburg, Germany
Tel: [+49]-761-40073-0, Fax: [+49]-761-40073-73
----------------------------------------------------------------------
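Thomas's question in the reply above (does the NET2-to-NET1 direction show echo requests with no echo reply?) can be checked mechanically over a tcpdump text capture. This is an added example and not code from the thread: it parses lines in the legacy tcpdump format Peter posted and reports every direction whose echo requests go unanswered; the sample capture is constructed, and the hosts 192.168.101.10 and 192.168.100.20 are assumed stand-ins for a NET2 and a NET1 machine.

```python
import re
from collections import defaultdict

# Legacy tcpdump line shape from the thread: "<time> <src> > <dst>: icmp: echo request|reply".
# TCP lines ("...cnrprotocol > ...telnet: . ack") and "unknown ip 0" lines do not match and are skipped.
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)\b"
)

def parse_icmp(lines):
    """Return (timestamp, src, dst, kind) for every ICMP echo line in a capture."""
    hits = []
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if m:
            hits.append((m["ts"], m["src"], m["dst"], m["kind"]))
    return hits

def echo_summary(lines):
    """Per (src, dst) direction: echo requests sent and replies that came back.
    A reply travels dst -> src, so it is credited to the direction that sent the request."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for _ts, src, dst, kind in parse_icmp(lines):
        if kind == "request":
            stats[(src, dst)]["requests"] += 1
        else:
            stats[(dst, src)]["replies"] += 1
    return dict(stats)

def unanswered_directions(lines):
    """Directions whose requests outnumber replies: the one-way-tunnel symptom."""
    return sorted(d for d, s in echo_summary(lines).items() if s["replies"] < s["requests"])

# Constructed sample modelled on the thread's ipsec0 captures; 192.168.101.10 (NET2) and
# 192.168.100.20 (NET1) are hypothetical hosts standing in for the unanswered pings.
SAMPLE_CAPTURE = """\
10:21:04.304526 192.168.100.1 > 192.168.101.239: icmp: echo request
10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo reply
10:21:04.500970 192.168.100.1.cnrprotocol > 192.168.101.223.telnet: . ack 9658 win 64058 (DF)
10:21:06.000113 192.168.101.10 > 192.168.100.20: icmp: echo request
10:21:07.000287 192.168.101.10 > 192.168.100.20: icmp: echo request
08:51:04.985548 unknown ip 0
""".splitlines()

if __name__ == "__main__":
    for (src, dst), s in sorted(echo_summary(SAMPLE_CAPTURE).items()):
        print(f"{src} -> {dst}: {s['requests']} requests, {s['replies']} replies")
    print("unanswered:", unanswered_directions(SAMPLE_CAPTURE))
```

Feed it the output of tcpdump on each interface separately (eth0, ipsec0, ppp0) and the first interface where a direction turns up as unanswered is where the packets are being dropped.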