
Re: [suse-security] IP Tunnel in only one direction possible



Hi Peter,

I'm a little confused. To get things right:

> tcpdump told me:
> eth0 (internal) ping request was sent (from machine net2 to machine net1)

NET2 pings NET1: GW2(eth0) logs an icmp request?

> ipsec0 ping request (from fw/gw net2 external IP to machine net1 (internal
> ip)) ! maybe here is the fault!!

NET2 pings NET1: GW2(ipsec0) logs an icmp request to NET1?

> ppp0 (nothing)

What about eth1? It is absolutely correct to have tcpdump report packets on
ipsec0 to some internal IP at NET1. At the same time the physical
interface with the same IP as the logical ipsec0 should log some
ESP packets.


> tcpdump example from the not-working GW NET2  - ipsec0 if
> 10:21:04.304526 192.168.100.1 > 192.168.101.239: icmp: echo request
> 10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo reply -> this is
> the ping request from net1 to net2

The above is NET1 pings NET2, which works. What does it show for NET2
pings NET1? From the above I would guess only the icmp: echo request but
no echo reply?


> tcpdump example from the working GW NET1  - ipsec0 if
> 08:51:04.985548 unknown ip 0
> 08:51:05.057368 unknown ip 0
> 08:51:05.185805 unknown ip 0
> 08:51:05.256899 unknown ip 0
> 08:51:05.386109 unknown ip 0
> 08:51:05.458005 unknown ip 0
> 08:51:05.586372 unknown ip 0
> 08:51:05.659086 unknown ip 0
> 08:51:05.786648 unknown ip 0

This is NET2 pings NET1? 

The Post/Prerouting table is viewed with iptables -t nat -L

Maybe you take a look at your ipsec:
ipsec eroute           lists your ipsec routings
ipsec auto --status    lists the status of your connections


Greetings, Thomas


> 
> |-----Original Message-----
> |From: Thomas Kerkau [mailto:Thomas.Kerkau@xxxxxxxxxxxxxxx]
> |Sent: Wednesday, 23 April 2003 09:07
> |To: telest@xxxxxxx
> |Cc: suse-security@xxxxxxxx
> |Subject: Re: [suse-security] IP Tunnel in only one direction possible
> |
> |
> |Hi Peter,
> |
> |this might be due to your iptables configuration. It is unlikely to be
> |due to your ipsec or routing config, since it works in one direction. I
> |would try to take down iptables, if possible. This is not secure but a
> |quick test. Maybe you take a look at your iptables configuration first,
> |and compare FW1 and FW2, keeping in mind that FW2 has an external ethX
> |and a pppX interface.
> |Some further ideas:
> |Maybe you try to use tcpdump on FW2, looking for the packets
> |from Net2 or
> |enable logging for all packets with iptables.
> |
> |Hope this helps a little, but it is very difficult to guess what might be
> |wrong,
> |
> |Thomas
> |
> |
> |> I have a big problem: today the VPN tunnel is only usable in one
> |> direction.
> |>
> |> NET(1) --- FW1/VPN Gateway ---- internet ---- FW2/VPN Gateway ---- NET(2)
> |>
> |> I can ping from NET1 to NET2 and get replies. (I also can use different
> |> other things like pcAnywhere, file access to the PCs on NET2, ...)
> |>
> |> I cannot ping from NET2 to NET1. There is nothing in the logfiles. I can
> |> only see in the interface statistics that the 4 ping packets are dropped.
> |>
> |> I use on both sides:
> |> FreeS/WAN 1.98b
> |> iptables
> |> Suse Linux 8.0
> |>
> |> FW1: static IP addresses, SDSL connection
> |> FW2: dynamic IP addresses, SDSL PPPoE connection
> |>
> |> I'm really stuck and help will be appreciated.
> |>
> |> Thanks
> |>
> |> Peter
> |>
> 
> --
> +++ GMX - Mail, Messaging & more  http://www.gmx.net +++
> Please smile! Photo gallery online with GMX without your own homepage!
> 

--
www.ArcStyler.com - the Architectural IDE for MDA:J2EE/.NET/EAI
  -> CyberOne Award
  -> Winner Crossroads A-List Award USA
  -> IBM Solution Excellence Award winner for Hot Java Solution
  -> European Information Society Technologies Prize Winner
  -> Made with ArcStyler: http://www.io-software.com/customers
  -> OMG Press, John Wiley 2002 www.ConvergentArchitecture.com

----- < iO > ---------------------------------------------------------
Interactive Objects Software GmbH
mailto:Thomas.Kerkau@xxxxxxxxxxxxxxx
http://www.io-software.com
Basler Strasse 65, D-79100 Freiburg, Germany
Tel: [+49]-761-40073-0, Fax: [+49]-761-40073-73
----------------------------------------------------------------------
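The check Thomas describes above (echo requests on ipsec0 that never see a reply, and whether ESP shows up on the physical interface at the same time) can be applied to saved tcpdump text with a short script. The following is an added example, not code from this thread or from FreeS/WAN: the ICMP line format follows the tcpdump output quoted in the mail, while the ESP line shape, the interface names and all addresses in the sample capture are constructed assumptions.

```python
import re
from collections import Counter

# Line shapes for the old tcpdump text format quoted in the thread
# ("HH:MM:SS.usec src > dst: icmp: echo request"). The ESP shape is an
# assumption modelled on tcpdump output of the same era, not taken from the post.
ICMP_RE = re.compile(r"^\S+ (\S+) > (\S+): icmp: echo (request|reply)\b")
ESP_RE = re.compile(r"^\S+ (\S+) > (\S+): ESP\b")

# Constructed sample captures (not from the post). ipsec0 on the NET2 gateway
# shows a NET1 -> NET2 ping that is answered and a NET2 -> NET1 ping that is
# not; ppp0 (the physical external interface on FW2) shows no ESP at all.
SAMPLE = {
    "ipsec0": [
        "10:21:04.304526 192.168.100.1 > 192.168.101.239: icmp: echo request",
        "10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo reply",
        "10:21:20.000001 192.168.101.10 > 192.168.100.20: icmp: echo request",
        "10:21:21.000002 192.168.101.10 > 192.168.100.20: icmp: echo request",
        "10:21:22.000003 unknown ip 0",
    ],
    "ppp0": [],
}


def unanswered_echo_requests(lines):
    """Return {(src, dst): n} for echo requests that never got a matching reply."""
    requests = Counter()
    replies = Counter()
    for line in lines:
        m = ICMP_RE.match(line)
        if not m:
            continue
        src, dst, kind = m.groups()
        if kind == "request":
            requests[(src, dst)] += 1
        else:
            # key the reply by the request direction it answers
            replies[(dst, src)] += 1
    missing = {}
    for flow, n in requests.items():
        unanswered = n - replies.get(flow, 0)
        if unanswered > 0:
            missing[flow] = unanswered
    return missing


def esp_peers(lines):
    """Return the set of (src, dst) pairs that carried ESP in this capture."""
    return {m.groups() for m in map(ESP_RE.match, lines) if m}


def unparsed(lines):
    """Count lines the two patterns do not recognise (e.g. 'unknown ip 0')."""
    return sum(1 for l in lines if not ICMP_RE.match(l) and not ESP_RE.match(l))


def diagnose(captures):
    """captures: {iface: [tcpdump lines]}. Return per-interface findings."""
    return {
        iface: {
            "unanswered": unanswered_echo_requests(lines),
            "esp": esp_peers(lines),
            "unparsed": unparsed(lines),
        }
        for iface, lines in captures.items()
    }


def tunnel_verdict(findings, logical="ipsec0", physical="ppp0"):
    """Classify a one-way failure from captures on the logical and physical interface."""
    if not findings[logical]["unanswered"]:
        return "ok: every echo request on %s got a reply" % logical
    if not findings[physical]["esp"]:
        return ("requests reach %s but no ESP appears on %s: packets are dropped "
                "between the two (check iptables and routing)" % (logical, physical))
    return "ESP leaves %s: look at the remote gateway or the return path" % physical


if __name__ == "__main__":
    findings = diagnose(SAMPLE)
    for iface, info in findings.items():
        print(iface, "unanswered:", info["unanswered"], "esp:", info["esp"],
              "unparsed:", info["unparsed"])
    print(tunnel_verdict(findings))
```

Feed it one capture per interface (ipsec0 and the external eth1 or ppp0 taken at the same time) and it reports which echo requests went unanswered and whether any ESP left the box; the "unknown ip 0" lines from the mail end up in the unparsed count rather than silently disappearing.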

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here