Re: [suse-security] IP Tunnel in only one direction possible
Hi Thomas,

thanks for your suggestions. I tried to see if my FW drops packets, but there is no entry in the firewall logfile. The only information I can see is in the link statistics (ip -s link): there are dropped packets at interface ipsec0.

tcpdump told me:

eth0 (internal): ping request was sent (from machine net2 to machine net1)
ipsec0: ping request (from fw/gw net2 external IP to machine net1 (internal IP)) ! maybe here is the fault!!
ppp0: (nothing)

tcpdump example from the not-working GW NET2 - ipsec0 if

10:21:04.304526 192.168.100.1 > 192.168.101.239: icmp: echo request
10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo reply
-> this is the ping request from net1 to net2
10:21:04.500970 192.168.100.1.cnrprotocol > 192.168.101.223.telnet: . ack 9658 win 64058 (DF)
10:21:04.501566 192.168.101.223.telnet > 192.168.100.1.cnrprotocol: P 9658:10007(349) ack 0 win 5488 (DF) [tos 0x10]
10:21:04.700379 192.168.100.1.cnrprotocol > 192.168.101.223.telnet: . ack 10007 win 63709 (DF)
10:21:04.700979 192.168.101.223.telnet > 192.168.100.1.cnrprotocol: P 10007:10221(214) ack 0 win 5488 (DF) [tos 0x10]
10:21:04.901447 192.168.100.1.cnrprotocol > 192.168.101.223.telnet: . ack 10221 win 63495 (DF)
10:21:04.902043 192.168.101.223.telnet > 192.168.100.1.cnrprotocol: P 10221:10437(216) ack 0 win 5488 (DF) [tos 0x10]
10:21:05.101170 192.168.100.1.cnrprotocol > 192.168.101.223.telnet: . ack 10437 win 63279 (DF)
10:21:05.101764 192.168.101.223.telnet > 192.168.100.1.cnrprotocol: P 10437:10653(216) ack 0 win 5488 (DF) [tos 0x10]
10:21:05.302252 192.168.100.1.cnrprotocol > 192.168.101.223.telnet: . ack 10653 win 64484 (DF)
10:21:05.302872 192.168.101.223.telnet > 192.168.100.1.cnrprotocol: P 10653:10869(216) ack 0 win 5488 (DF) [tos 0x10]
10:21:05.311890 192.168.100.1 > 192.168.101.239: icmp: echo request

tcpdump example from the working GW NET1 - ipsec0 if

08:51:04.985548 unknown ip 0
08:51:05.057368 unknown ip 0
08:51:05.185805 unknown ip 0
08:51:05.256899 unknown ip 0
08:51:05.386109 unknown ip 0
08:51:05.458005 unknown ip 0
08:51:05.586372 unknown ip 0
08:51:05.659086 unknown ip 0
08:51:05.786648 unknown ip 0

|-----Original Message-----
|From: Thomas Kerkau [mailto:Thomas.Kerkau@io-software.com]
|Sent: Wednesday, 23 April 2003 09:07
|To: telest@gmx.net
|Cc: suse-security@suse.com
|Subject: Re: [suse-security] IP Tunnel in only one direction possible
|
|
|Hi Peter,
|
|this might be due to your iptables configuration. It is unlikely to be
|due to your ipsec or routing config, because it works in one direction. I
|would try to take down iptables, if possible. This is not secure but a
|quick test. Maybe you take a look at your iptables configuration first,
|and compare FW1 and FW2, keeping in mind that FW2 has an external ethX
|and a pppX interface.
|Some further ideas:
|Maybe you try to use tcpdump on FW2, looking for the packets from Net2 or
|enable logging for all packets with iptables.
|
|Hope this helps a little, but it is very difficult to guess what might be
|wrong.
|
|Thomas
|
|
|> I have a big problem, that today the VPN tunnel is only usable in one
|> direction.
|>
|> NET(1) --- FW1/VPN Gateway ---- internet ---- FW2 / VPN Gateway ---- NET(2)
|>
|> I can ping from NET1 to NET2 and get replies. (I also can use different
|> other things like pcanywhere, file access to the PCs on net2, ...)
|>
|> I cannot ping from NET2 to NET1. There is nothing in the logfiles. I can
|> only see on the interface statistics that the 4 ping packets are dropped.
|>
|> I use on both sides:
|> Freeswan 1.98b
|> iptables
|> Suse Linux 8.0
|>
|> FW1: static IP addresses, SDSL connection
|> FW2: dynamic IP addresses, SDSL PPPoE connection
|>
|> I'm really stuck and help will be appreciated.
|>
|> Thanks
|>
|> Peter
|>
|> --
|> +++ GMX - Mail, Messaging & more http://www.gmx.net +++
|> Please smile! Photo gallery online with GMX without your own homepage!
|>
|> --
|> Check the headers for your unsubscription address
|> For additional commands, e-mail: suse-security-help@suse.com
|> Security-related bug reports go to security@suse.de, not here
|
|--
|Interactive Objects Software GmbH
|mailto:Thomas.Kerkau@io-software.com
|http://www.io-software.com
|Basler Strasse 65, D-79100 Freiburg, Germany
|Tel: [+49]-761-40073-0, Fax: [+49]-761-40073-73
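The symptom Peter describes (echo requests leaving GW NET2 on ipsec0 with the gateway's external address as source, and the reverse-direction pings never answered) can be pulled out of a tcpdump text capture mechanically instead of by eye. The script below is an added example, not code from the thread or from FreeS/WAN; it parses lines in the exact format of the excerpts above, pairs each ICMP echo request with the next matching reply, lists the requests that never got one, and separately flags requests whose source is the gateway's own external address, which is what you would expect if a MASQUERADE/SNAT rule is applied before IPsec encapsulation. The sample capture and the external address 203.0.113.10 are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Matches the tcpdump ICMP lines quoted in the thread: "<ts> <src> > <dst>: icmp: echo request|reply".
# TCP lines and "unknown ip 0" lines do not match and are skipped.
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)

# Constructed sample in the format of the GW NET2 ipsec0 excerpt. The first three lines are
# copied from the post; the fourth is a constructed request from a made-up external gateway
# address (203.0.113.10) to a NET1 host, mirroring the "fw/gw net2 external IP" symptom.
SAMPLE_CAPTURE = """\
10:21:04.304526 192.168.100.1 > 192.168.101.239: icmp: echo request
10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo reply
10:21:04.500970 192.168.100.1.cnrprotocol > 192.168.101.223.telnet: . ack 9658 win 64058 (DF)
10:21:05.311890 192.168.100.1 > 192.168.101.239: icmp: echo request
10:21:06.000000 203.0.113.10 > 192.168.100.5: icmp: echo request
"""


def parse_icmp(text):
    """Return (ts, src, dst, kind) tuples for the ICMP echo lines in a tcpdump text capture."""
    records = []
    for line in text.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            records.append((m["ts"], m["src"], m["dst"], m["kind"]))
    return records


def unanswered_requests(records):
    """Pair echo requests with replies flowing the opposite way.

    This tcpdump format carries no ICMP id/seq, so requests for the same (src, dst) pair are
    matched FIFO against replies for (dst, src). Returns the requests left unmatched."""
    pending = defaultdict(deque)
    for ts, src, dst, kind in records:
        if kind == "request":
            pending[(src, dst)].append((ts, src, dst))
        else:
            queue = pending.get((dst, src))
            if queue:
                queue.popleft()
    return sorted(req for queue in pending.values() for req in queue)


def requests_from_gateway_address(records, gateway_external_ips):
    """Echo requests on the tunnel interface whose source is the gateway's external address
    instead of a LAN host. Seeing these on ipsec0 indicates NAT is rewriting the source before
    the packet is handed to IPsec, so the far end never sees a packet from the protected subnet."""
    return [(ts, src, dst) for ts, src, dst, kind in records
            if kind == "request" and src in gateway_external_ips]


def diagnose(text, gateway_external_ips):
    """Run both checks over one capture and return the findings as a dict."""
    records = parse_icmp(text)
    return {
        "echo_records": len(records),
        "unanswered": unanswered_requests(records),
        "masqueraded": requests_from_gateway_address(records, gateway_external_ips),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_CAPTURE, {"203.0.113.10"})
    print(f"ICMP echo lines parsed: {result['echo_records']}")
    for ts, src, dst in result["unanswered"]:
        print(f"no reply:        {ts} {src} > {dst}")
    for ts, src, dst in result["masqueraded"]:
        print(f"gateway source:  {ts} {src} > {dst}  (NAT applied before IPsec?)")
```

Feed it the output of a numeric capture on the tunnel interface (tcpdump -n -i ipsec0 icmp) from each gateway; a request listed under "gateway source" on the non-working side points at the iptables NAT ordering rather than at the IPsec or routing configuration, which matches Thomas's suggestion to compare the two firewall rule sets first.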