Re: [suse-security] ipsec freeswan - connection established successfully, but packets are dropped ...

Hi Markus, Andreas, et al...
I'm gonna do a major re-check on routing... for the n-th time.
My /proc/sys/net/ipv4 files are ok ... ip_forward=1 and
In some doc I read that this communication has to work before I start ipsec... but that could only happen if I mask the packets. Should I try this before bringing up the ipsec?
About freeswan lists... I read a lot of emails at the archive but many of them with similar problems are unanswered... I just didn't feel like posting one more there.
Thank you people!

Markus Feilner <lists@xxxxxxxxxxxxxx> wrote:
On Friday, 17 October 2003 08:28, Andreas Baetz wrote:
> Ed,
> You could check the following:
> Is the routing between the subnets correct ?
> Do the packets arrive at the eth-Interface of your source GW ?
> Is forwarding switched on at the GW ?
> Andreas
A) I'm not quite sure if routing is correct, but ipsec works one-way (if 
it's initiated from one side), so I think routing should be ok.
Forwarding is switched on.
Here's an extract from tcpdump -i ipsec0 (on the right-hand server):
14:09:34.824650 > icmp: echo request (DF)
14:09:34.852147 > icmp: echo request
14:09:34.852393 > icmp: echo reply
14:09:35.824675 > icmp: echo request (DF)
14:09:35.846827 > icmp: echo request
14:09:35.847018 > icmp: echo reply
14:09:36.824670 > icmp: echo request (DF)
14:09:36.847427 > icmp: echo request
14:09:36.847605 > icmp: echo reply
14:09:37.824697 > icmp: echo request (DF)
14:09:37.851494 > icmp: echo request
14:09:37.851698 > icmp: echo reply
As you can see, I managed to have leftside hosts ping to the right side 
and get answers (ssh works, too). But the other way round, packets are 
dropped. is my current IP on the right side - is this 
right? Shouldn't the local IP of the pinging host stand here?

route says:
-----------------right server--------------
Server:/ # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use 
a.b.c.d * UH 0 0 0 
a.b.c.d * UH 0 0 0 
ipsec0 * U 0 0 0 
eth0 * U 0 0 0 
eth1 * U 0 0 0 
default a.b.c.d UG 0 0 0 
Server:/ #
(a.b.c.d is the p-t-p partner of my dsl conn)
----------------left server--------------------
Server1:/ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use 
e.f.g.h U 0 0 0 eth1
e.f.g.h U 0 0 0 ipsec0 U 0 0 0 
ipsec0 U 0 0 0 
eth0 e.f.g.i UG 0 0 0 eth1
Server1:/ #
with e.f.g.h the local (fixed) IP of the Subnet and e.f.g.i the IP of 

and eroute says:
Server:/ # ipsec eroute
4 -> => 
Server:/ #

Server1:/ # ipsec eroute
4 -> => 
Server1:/ #

However, pings from a host in subnet (=right) to the left 
are dropped on interface ipsec0. But not if the connection has been 
established from the left-hand side.
----------------------------dropped packets---------------

Server:/ # ifconfig ipsec0
ipsec0 Link encap:IPIP Tunnel HWaddr
inet addr: Mask:
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:612 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:240 (240.0 b) TX bytes:448 (448.0 b)
Server:/ #
As you can see, four packets came from the left side and were answered, but 
the 612 pings from right to left were dropped.
I'll take a deep look into my Firewall rules, but there should be no 
such rule preventing that.
Are there any kernel runtime parameters concerning this?
I have all rp_filter = 0, ip_forward=1 - and what more do I need?

Any help is welcome!
Kind regards
Markus Feilner
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
phone: +49 941 70 65 23 - mobile: +49 170 302 709 2 
web: http://feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx
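A gateway pre-flight check along the lines of Andreas's checklist and Markus's ip_forward/rp_filter question, as an added example that is not part of this thread: it verifies the kernel knobs named above and reads the TX drop counter that ifconfig showed for ipsec0. It assumes the standard /proc layout; the ROOT argument and the demo tree are constructed here so it runs offline.

```shell
#!/bin/sh
# ipsec_preflight ROOT IFACE -> prints findings; exit status = problem count
ipsec_preflight() {
    root=${1:-}; iface=${2:-ipsec0}; problems=0

    # 1. A gateway must forward (thread: ip_forward=1).
    fwd=$(cat "$root/proc/sys/net/ipv4/ip_forward" 2>/dev/null)
    if [ "$fwd" != "1" ]; then
        echo "ip_forward is '$fwd', expected 1"; problems=$((problems + 1))
    fi

    # 2. Reverse-path filtering on ipsec0 or the physical interface can
    #    silently discard tunnelled packets (thread: rp_filter=0 everywhere).
    for f in "$root"/proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "rp_filter enabled: $f"; problems=$((problems + 1))
        fi
    done

    # 3. TX drops on the IPsec interface ("TX ... dropped:612" above).
    #    In /proc/net/dev the 12th value after the colon is tx_drop; the
    #    header lines carry no colon and are skipped by the comparison.
    drops=$(awk -F: -v i="$iface" '{ gsub(/ /, "", $1) }
        $1 == i { n = split($2, c, " "); if (n >= 12) print c[12] }' \
        "$root/proc/net/dev" 2>/dev/null)
    if [ -n "$drops" ] && [ "$drops" -gt 0 ]; then
        echo "$iface: $drops packets dropped on transmit"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed demo tree mirroring the quoted output: ip_forward=1,
# rp_filter=0 on every interface, ipsec0 RX 4 / TX 4 with 612 TX drops.
make_demo_tree() {
    d=$1
    for i in all default eth0 eth1 ipsec0; do
        mkdir -p "$d/proc/sys/net/ipv4/conf/$i"
        echo 0 > "$d/proc/sys/net/ipv4/conf/$i/rp_filter"
    done
    echo 1 > "$d/proc/sys/net/ipv4/ip_forward"
    mkdir -p "$d/proc/net"
    printf '%s\n' 'Inter-| Receive | Transmit' \
      'ipsec0:     240       4    0    0    0     0          0         0      448       4    0  612    0     0       0          0' \
      > "$d/proc/net/dev"
}

tmp=$(mktemp -d); make_demo_tree "$tmp"
ipsec_preflight "$tmp" ipsec0 || echo "problems found: $?"
rm -rf "$tmp"
```

On a real gateway call it as `ipsec_preflight "" ipsec0`; a non-zero drop count with forwarding and rp_filter already correct points at the firewall or routing rather than the sysctls.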

