Hi Thomas,
please see below.

> -----Original Message-----
> From: Thomas Kerkau [mailto:Thomas.Kerkau@io-software.com]
> Sent: Wednesday, 23 April 2003 10:52
> To: telest@gmx.net
> Cc: suse-security@suse.com
> Subject: Re: [suse-security] IP Tunnel in only one direction possible
>
> Hi Peter,
>
> I'm a little confused. To get things right:
>
> > tcpdump told me:
> > eth0 (internal) ping request was sent (from machine net2 to machine net1)
>
> NET2 pings NET1: GW2(eth0) logs an icmp request ?

on eth0: 9 7.631138 192.168.101.239 192.168.100.205 ICMP Echo (ping) request
192.168.101.0/24 is net2 internal, 192.168.100.0/24 is net1 internal
on ipsec0: 3 1.694921 217.235.199.35 192.168.100.205 ICMP Echo (ping) request
on eth1: nothing--
on ppp0: nothing--

> > ipsec0 ping request (from fw/gw net2 external IP to machine net1 (internal ip)) ! maybe here is the fault!!
>
> NET2 pings NET1: GW2(ipsec0) logs an icmp request to NET1?
>
> > ppp0 (nothing)
>
> what about eth1? It is absolutely correct to have tcpdump report packets on ipsec0 to some internal ip at NET1. At the same time the physical interface with the same ip as the logical ipsec0 should log some ESP-packets.
>
> > tcpdump example from the not-working GW NET2 - ipsec0 if
> > 10:21:04.304526 192.168.100.1 > 192.168.101.239: icmp: echo request
> > 10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo reply -> this is the ping request from net1 to net2
>
> The above is NET1 pings NET2, which works. What does it show for NET2 pings Net1? From the above I would guess only the icmp: echo request but no echo reply?

Yes, I forgot to paste in the reply. :) But basically ipsec0 looks different on both machines:
GW2: 10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo
GW1: 08:51:05.057368 unknown ip 0

> > tcpdump example from the working GW NET1 - ipsec0 if
> > 08:51:05.057368 unknown ip 0
> > 08:51:05.185805 unknown ip 0
> > 08:51:05.256899 unknown ip 0
> > 08:51:05.386109 unknown ip 0
> > 08:51:05.458005 unknown ip 0
> > 08:51:05.586372 unknown ip 0
> > 08:51:05.659086 unknown ip 0
> > 08:51:05.786648 unknown ip 0
>
> This is NET2 pings NET1?
>
> The Post/Prerouting table is viewed by iptables -t nat -L
>
> Maybe you take a look at your ipsec:
> ipsec eroute lists your ipsec routings
> ipsec auto --status lists the status of your connections
>
> Greetings, Thomas
>
> > > -----Original Message-----
> > > From: Thomas Kerkau [mailto:Thomas.Kerkau@io-software.com]
> > > Sent: Wednesday, 23 April 2003 09:07
> > > To: telest@gmx.net
> > > Cc: suse-security@suse.com
> > > Subject: Re: [suse-security] IP Tunnel in only one direction possible
> > >
> > > Hi Peter,
> > >
> > > this might be due to your iptables configuration. It is unlikely to be due to your ipsec or routing config, cause it works in one direction. I would try to take down iptables, if possible. This is not secure but a quick test. Maybe you take a look at your iptables configuration first, and compare FW1 and FW2, keeping in mind that FW2 has an external ethX and a pppX interface.
> > > Some further ideas:
> > > Maybe you try to use tcpdump on FW2, looking for the packets from Net2 or enable logging for all packets with iptables.
> > >
> > > Hope this helps a little but it is very difficult to guess what might be wrong,
> > >
> > > Thomas
> > >
> > > > I have a big problem, that today the VPN tunnel is only usable in one direction.
> > > >
> > > > NET(1) --- FW1/VPN Gateway ---- internet ---- FW2 / VPN Gateway ---- NET(2)
> > > >
> > > > I can ping from NET1 to NET2 and get replies. (I also can use different other things like pcanywhere, file access to the pc's on net2, ...)
> > > >
> > > > I cannot ping from NET2 to NET1. There is nothing in the logfiles. I can only see on the interface statistics that the 4 ping packets are dropped.
> > > >
> > > > I use on both sides:
> > > > Freeswan 1.98b
> > > > iptables
> > > > Suse Linux 8.0
> > > >
> > > > FW1: static IP Addresses, SDSL Connection
> > > > FW2: dynamic IP Addresses, SDSL PPPoE Connection
> > > >
> > > > I'm really stuck and help will be appreciated.
> > > >
> > > > Thanks
> > > >
> > > > Peter
> > > >
> > > > --
> > > > +++ GMX - Mail, Messaging & more http://www.gmx.net +++
> > > > Please smile! Photo gallery online with GMX without your own homepage!
> > > >
> > > > --
> > > > Check the headers for your unsubscription address
> > > > For additional commands, e-mail: suse-security-help@suse.com
> > > > Security-related bug reports go to security@suse.de, not here
> > >
> > > --
> > > www.ArcStyler.com - the Architectural IDE for MDA:J2EE/.NET/EAI
> > >  -> CyberOne Award
> > >  -> Winner Crossroads A-List Award USA
> > >  -> IBM Solution Excellence Award winner for Hot Java Solution
> > >  -> European Information Society Technologies Prize Winner
> > >  -> Made with ArcStyler: http://www.io-software.com/customers
> > >  -> OMG Press, John Wiley 2002 www.ConvergentArchitecture.com
> > >
> > > ----- < iO > ---------------------------------------------------------
> > > Interactive Objects Software GmbH
> > > mailto:Thomas.Kerkau@io-software.com
> > > http://www.io-software.com
> > > Basler Strasse 65, D-79100 Freiburg, Germany
> > > Tel: [+49]-761-40073-0, Fax: [+49]-761-40073-73
> > > ----------------------------------------------------------------------
Hi Peter,

> > NET2 pings NET1: GW2(eth0) logs an icmp request ?
> on eth0: 9 7.631138 192.168.101.239 192.168.100.205 ICMP Echo (ping) request

the packet is entering GW2.

> 192.168.101.0/24 is net2 internal, 192.168.100.0/24 is net1 internal
> on ipsec0: 3 1.694921 217.235.199.35 192.168.100.205 ICMP Echo (ping) request

the packet is leaving ipsec0

> on eth1: nothing--
> on ppp0: nothing--

but not forwarded to ppp0/eth1. Just checked this on a 7.3, you will see ESP-packets on both. Hopefully this was not changed. Is ipsec0 bound to eth1/ppp0 (interfaces directive in ipsec.conf)?

> Yes, I forgot to paste in the reply. :) But basically ipsec0 looks different on both machines:
> GW2: 10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo
> GW1: 08:51:05.057368 unknown ip 0

Are you sure that these entries are correlated? Do you see ESP-packets on the external interface of GW1?

My feeling at this point is that GW2 doesn't send any packet to GW1. Check if "ipsec eroute" and "ipsec auto --status" show the correct connections, and check "route".

Greetings, Thomas
Also, make sure forwarding is turned on for that interface.
On Wed, 2003-04-23 at 13:02, Thomas Kerkau wrote:
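A self-contained check for the points raised for GW2 in Thomas's reply and the follow-up: that ipsec0 is stacked on the uplink interface (the interfaces= directive in ipsec.conf), that the default route leaves on that same interface, and that forwarding is on. This is an added example, not code from the thread or from FreeS/WAN; the ipsec.conf fragment, the route table and the GW1_PUBLIC_IP placeholder are constructed, and the three inputs are passed as arguments so it runs offline.

```shell
#!/bin/sh
# Constructed inputs modelled on GW2 in this thread (PPPoE uplink on ppp0).
# The ipsec.conf fragment deliberately binds ipsec0 to eth1, the case Thomas
# asks about. GW1_PUBLIC_IP is a placeholder, not an address from the thread.
IPSEC_CONF='config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
conn net2-net1
    left=%defaultroute
    right=GW1_PUBLIC_IP'

# Constructed "route -n" output for GW2: the default route leaves via ppp0.
ROUTE_N='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.101.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0'

# Physical interface ipsec0 is stacked on, taken from the interfaces= directive.
ipsec0_physical() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*interfaces=.*ipsec0=\([a-z0-9]*\).*/\1/p' | head -n 1
}

# Interface carrying the default route; ESP towards GW1 has to leave on it.
default_route_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }'
}

# $1 ipsec.conf text, $2 "route -n" text, $3 contents of /proc/sys/net/ipv4/ip_forward.
# Returns 0 only when ipsec0 sits on the default-route interface and forwarding is on.
check_gateway() {
    phys=$(ipsec0_physical "$1")
    ext=$(default_route_iface "$2")
    if [ -z "$phys" ]; then
        echo "ipsec0 is not bound: no interfaces=\"ipsec0=...\" in ipsec.conf"; return 1
    fi
    if [ "$phys" != "$ext" ]; then
        echo "ipsec0 is bound to $phys but the default route uses $ext: ESP never reaches the uplink"; return 1
    fi
    if [ "$3" != "1" ]; then
        echo "ip_forward=$3: the kernel will not forward NET2 traffic into ipsec0"; return 1
    fi
    echo "ok: ipsec0 on $ext, forwarding enabled"
}

# On a real gateway: check_gateway "$(cat /etc/ipsec.conf)" "$(route -n)" "$(cat /proc/sys/net/ipv4/ip_forward)"
check_gateway "$IPSEC_CONF" "$ROUTE_N" 1 || :
```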