[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[suse-security] ipsec freeswan - connection established successfully, but packets are dropped ...

Hello List,
I am using SuSE 8.2 on two systems, together with freeswan ipsec.
Both systems run: 

kernel 2.4.20-4GB
freeswan 1.99_0.9.23

I have configured freeswan successfully with a Server-and-roadwarrior 
setup using Certs. By successfully I mean: in /var/log/messages I find 
a line like
Oct 16 21:54:26 Server ipsec__plutorun: 004 "VPN-ERMER" #2: 
STATE_QUICK_I2: sent QI2, IPsec SA established
or similar after starting ipsec on both systems and there are definitely 
no errors on both servers.
On the server side we have the subnet x.x.89.0 to be accessible, on the 
roadwarrior side (which is connected via dsl) we have the x.x.0.0 
subnet connected. 

My Problem:
When i try to ping from one subnet to the other (of course from a 
different member of the subnet, not the machine running ipsec), the 
packets are routed correctly to the ipsec device, but there they 
Server:/ # tcpdump -i ipsec0
tcpdump: listening on ipsec0
22:25:17.996878 > x.x.89.0: icmp: echo request (DF)
22:25:18.996902 > x.x.89.0: icmp: echo request (DF)
22:25:19.996909 > x.x.89.0: icmp: echo request (DF)
no answer is given to the ping and on the other side of the tunnel, 
nothing arrives - this happens to every packet that is sent to the 
tunnel, no matter which port, protocol and destination.
As far as i can see,  the packets are dropped, before they are given to 
Server:/ # ifconfig ipsec0
ipsec0    Link encap:IPIP Tunnel  HWaddr
          inet addr:  Mask:
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:2002 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
I stopped all Firewall rules, and checked the ipsec configuration over 
and over, but i can't find a solution. 
Can anyone help me? 
If you need, I can post both my ipsec.conf files and barfs, but i didn't 
want to cause big traffic. 
Perhaps someone already knows the solution....

Mit freundlichen Grüßen
Markus Feilner
Linux Solutions, Training, Seminare und Workshops - auch Inhouse
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23  - mobil: +49 170 302 709 2 
web: http://feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx

Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here