Re: [suse-security] FreeS/WAN tunnel established, no data transferred

no firewall is installed.

Kind regards,
Stefan Walther stefan_walther@gehag-dsk.de office: +4930/89786448 mobile: +49172/3943961

Hi Stefan,

On 2001.08.29 06:32:40 +0100 Stefan_Walther@gehag-dsk.de wrote:
hi folks,
I have the following problem. I have an established IPSec-tunnel between 2 boxes.
I'm using SuSE7.1 and FreeS/WAN 1.91. The FreeS/WAN tells me that the tunnel is established (last message in /var/log/messages).
<SNIP>
Before starting IPSec, the routes are set by hand and the clients can ping each other. FreeS/WAN sets the routes to the ipsec0 interface.
After starting, you cannot ping anymore from the 1st client to the 2nd client and the other way around. Does anybody know a solution for this problem?
Notwithstanding everything that has already been said about strange routing etc., there was a similar problem to this on the list a couple of weeks ago. The problem was that the ipsec0 interface was being blocked by the firewall at one end of the tunnel. If you have a firewall, make sure that packets can actually get to the tunnel.

HTH, Maf.
THX
Kind regards,
Stefan Walther stefan_walther@gehag-dsk.de office: +4930/89786448 mobile: +49172/3943961

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maf. King
Standby Exhibition Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It is easier to do a job right than to explain why you didn't."
- Martin Van Buren
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com

Are you sure you set up a tunnel between the two networks, or did you just do a host-2-host? Example with IKE keying....

    conn mytunnel
        type=tunnel
        left=172.16.100.1
        leftsubnet=192.168.200.0/24
        leftnexthop=172.16.100.2
        right=172.16.100.2
        rightsubnet=192.168.100.0/24
        rightnexthop=10.16.100.2
        keyexchange=ike
        keylife=8h
        pfs=yes
        authby=secret
        auth=esp
        auto=start

For GW 1, interfaces="ipsec0=eth1", and for GW2, interfaces="ipsec0=eth0" might be necessary if the default gw is not set to 172.16.100.2 resp. 10.16.100.2.

Don't forget to add

    172.16.100.1 10.16.100.1 : PSK "YourLittleSharedSecretIfRunningIKE"

to /etc/ipsec.secrets.

With this setup you should be able to ping between the two clients, however not between the two gateways, that's a host-2-host tunnel... If you did set up a network-2-network you still have a routing problem... Ethereal is a good tool for debugging that...

/Magnus

Stefan_Walther@gehag-dsk.de wrote:
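An added example, not code from the thread or from FreeS/WAN: a small Python checker that parses a conn section like the one in the reply above, classifies it as host-to-host or net-to-net, and reports whether a given pair of addresses falls inside the tunnel's selectors at all, which is the distinction Magnus draws between pinging clients and pinging gateways. It also checks that /etc/ipsec.secrets carries a PSK line indexed by the conn's left/right pair. The conn text and secrets line are constructed; the right gateway is assumed to be 10.16.100.1 so that it matches the PSK line.

```python
import ipaddress
import re
# Constructed ipsec.conf excerpt modelled on the reply above; the right gateway
# is assumed to be 10.16.100.1 to match the PSK line (not from the original post).
IPSEC_CONF = """\
conn mytunnel
    type=tunnel
    left=172.16.100.1
    leftsubnet=192.168.200.0/24
    leftnexthop=172.16.100.2
    right=10.16.100.1
    rightsubnet=192.168.100.0/24
    rightnexthop=10.16.100.2
    keyexchange=ike
    authby=secret
    auto=start
"""
# Constructed /etc/ipsec.secrets line, in the form the reply gives.
IPSEC_SECRETS = '172.16.100.1 10.16.100.1 : PSK "YourLittleSharedSecretIfRunningIKE"\n'

def parse_conns(text):
    """Return {conn name: {key: value}} for every 'conn' section in text."""
    conns, current = {}, None
    for line in text.splitlines():
        head = re.match(r'^conn\s+(\S+)', line)
        if head:
            current = conns.setdefault(head.group(1), {})
        elif current is not None:
            kv = re.match(r'^\s+(\w+)=(\S+)', line)
            if kv:
                current[kv.group(1)] = kv.group(2)
    return conns

def tunnel_kind(conn):
    """Classify by how many sides carry a *subnet= selector."""
    n = sum(k in conn for k in ('leftsubnet', 'rightsubnet'))
    return {2: 'net-to-net', 1: 'host-to-net', 0: 'host-to-host'}[n]

def carried(conn, src, dst):
    """True if src<->dst lies inside the selectors; no *subnet= means the gateway /32 only."""
    left = ipaddress.ip_network(conn.get('leftsubnet', conn['left'] + '/32'))
    right = ipaddress.ip_network(conn.get('rightsubnet', conn['right'] + '/32'))
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)

def psk_indexed(conn, secrets):
    """True if ipsec.secrets has a PSK line indexed by this conn's left/right pair."""
    pat = r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s'
    pairs = {frozenset(m.groups()) for m in map(lambda l: re.match(pat, l), secrets.splitlines()) if m}
    return frozenset((conn['left'], conn['right'])) in pairs
```

A conn with subnets on both sides carries client-to-client traffic but not gateway-to-gateway pings; a conn without subnets is the reverse, so a ping that fails between clients while the tunnel is "established" is a selector or routing question, not an IKE one.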
participants (2):
- Magnus Hagebris
- Stefan_Walther@gehag-dsk.de