Hi Markus, Andreas, et al.
I'm gonna do a major re-check on routing... for the n-th time.
My /proc/sys/net/ipv4 files are ok ... ip_forward=1 and
rp_filter=0.
In some doc I read that this communication has to work before I start ipsec... but that could only happen if I mask the packets. Should I try this before bringing up the ipsec?
About freeswan lists... I read a lot of emails at the archive but many of them with similar problems are unanswered... I just didn't feel like posting one more there.
Thank you people!
EdK
Markus Feilner
Ed,
You could check the following: Is the routing between the subnets correct? Do the packets arrive at the eth interface of your source GW? Is forwarding switched on at the GW?
Andreas (...)
A) I'm not quite sure if routing is correct, but ipsec works one-way (if it's initiated from one side, so I think routing should be ok.) Forwarding is switched on. Here's an extract from tcpdump -i ipsec0 (on the right-hand server):
----------------
14:09:34.824650 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:34.852147 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:34.852393 192.168.0.4 > 192.168.89.12: icmp: echo reply
14:09:35.824675 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:35.846827 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:35.847018 192.168.0.4 > 192.168.89.12: icmp: echo reply
14:09:36.824670 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:36.847427 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:36.847605 192.168.0.4 > 192.168.89.12: icmp: echo reply
14:09:37.824697 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:37.851494 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:37.851698 192.168.0.4 > 192.168.89.12: icmp: echo reply
-------------------
As you can see, I managed to have left-side hosts ping to the right side and get answers (ssh works, too). But the other way round, packets are dropped. 217.229.160.84 is my current IP on the right side - is this right? Shouldn't the local IP of the pinging host stand here?
route says:
-----------------right server--------------
Server:/ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
a.b.c.d         *               255.255.255.255 UH    0      0        0 ppp0
a.b.c.d         *               255.255.255.255 UH    0      0        0 ipsec0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.89.0    *               255.255.255.0   U     0      0        0 ipsec0
default         a.b.c.d         0.0.0.0         UG    0      0        0 ppp0
Server:/ #
(a.b.c.d is the p-t-p partner of my dsl conn)
------------------------------------------------
----------------left server--------------------
Server1:/ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
e.f.g.h         0.0.0.0         255.255.255.240 U     0      0        0 eth1
e.f.g.h         0.0.0.0         255.255.255.240 U     0      0        0 ipsec0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.89.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         e.f.g.i         0.0.0.0         UG    0      0        0 eth1
Server1:/ #
with e.f.g.h the local (fixed) IP of the subnet and e.f.g.i the IP of Server1.
----------------------------------------------------
and eroute says:
-------------right-side------------------
Server:/ # ipsec eroute
4 192.168.0.0/24:0 -> 192.168.89.0/24:0 => tun0x1002@e.f.g.i:0
Server:/ #
-------------left-side--------------------
Server1:/ # ipsec eroute
4 192.168.89.0/24:0 -> 192.168.0.0/24:0 => tun0x1004@217.229.160.84:0
Server1:/ #
-------------------------------------------
However, pings from a host in subnet 192.168.0.0 (=right) to the left are dropped on interface ipsec0. But not if the connection has been established from the left-hand side.
----------------------------dropped packets---------------
Server:/ # ifconfig ipsec0
ipsec0    Link encap:IPIP Tunnel  HWaddr
          inet addr:217.229.160.84  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:612 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:240 (240.0 b)  TX bytes:448 (448.0 b)
Server:/ #
--------------------------------------------------------------
As you can see, four packets came from the left side and were answered, but the 612 pings from right to left were dropped. Strange. I'll take a deep look into my firewall rules, but there should be no such rule preventing that. Are there any kernel runtime parameters concerning this? I have all rp_filter = 0, ip_forward=1 - and what do I need more? Any help is welcome!
--
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS
Erlangerstr. 2
93059 Regensburg
fon: +49 941 70 65 23 - mobil: +49 170 302 709 2
web: http://feilner-it.net
mail: mfeilner@feilner-it.net
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
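A small triage helper, added here as an example and not part of the thread: it pairs the ICMP echo requests and replies in a capture like the tcpdump -i ipsec0 extract quoted above, counts them per (pinger, target) pair, and lists the pairs whose requests are never answered on that interface. Run on the twelve lines as posted it shows four answered pings between 192.168.89.12 and 192.168.0.4, and four requests from 217.229.160.84 to 192.168.89.12 with no reply seen on ipsec0; the old tcpdump 3.x line format is assumed.

```python
import re
from collections import defaultdict

# Sample input: the twelve "tcpdump -i ipsec0" lines quoted in the thread,
# embedded inline so the script runs offline.
SAMPLE = """\
14:09:34.824650 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:34.852147 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:34.852393 192.168.0.4 > 192.168.89.12: icmp: echo reply
14:09:35.824675 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:35.846827 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:35.847018 192.168.0.4 > 192.168.89.12: icmp: echo reply
14:09:36.824670 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:36.847427 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:36.847605 192.168.0.4 > 192.168.89.12: icmp: echo reply
14:09:37.824697 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:37.851494 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:37.851698 192.168.0.4 > 192.168.89.12: icmp: echo reply
"""

# tcpdump 3.x ICMP line: "<time> <src> > <dst>: icmp: echo <request|reply> [(DF)]"
ECHO = re.compile(r"^(\S+)\s+(\S+) > (\S+): icmp: echo (request|reply)\b")


def echo_flows(text):
    """Count echo requests and replies per (pinger, target) pair.

    A reply is credited to the pair it answers: its destination is the
    pinger and its source is the target, so the key is flipped for replies.
    """
    flows = defaultdict(lambda: {"request": 0, "reply": 0})
    for line in text.splitlines():
        m = ECHO.match(line)
        if not m:
            continue  # skip anything that is not an ICMP echo line
        _ts, src, dst, kind = m.groups()
        pair = (src, dst) if kind == "request" else (dst, src)
        flows[pair][kind] += 1
    return dict(flows)


def one_way_flows(text):
    """Pairs with fewer replies than requests: traffic entering the tunnel
    interface that is never answered, the symptom described in the thread."""
    return sorted(pair for pair, c in echo_flows(text).items()
                  if c["reply"] < c["request"])


if __name__ == "__main__":
    for (src, dst), c in echo_flows(SAMPLE).items():
        print(f"{src:>15} -> {dst:<15} requests={c['request']} replies={c['reply']}")
    print("one-way:", one_way_flows(SAMPLE))
```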