
Re: [suse-security] ipsec freeswan - connection established successfully, but packets are dropped ...

On Friday, 17 October 2003 15:34, Elite Mentor wrote:
> Hi Markus, Andreas, et al...
>
> I'm gonna do a major re-check on routing... for the n-th time.
> My /proc/sys/net/ipv4 files are ok ... ip_forward=1 and
> rp_filter=0.
>
> In some doc I read that this communication has to work before I start
> ipsec... but that could only happen if I mask the packets. Should I
> try this before bringing up the ipsec?
>
> About freeswan lists... I read a lot of emails at the archive but
> many of them with similar problems are unanswered... I just didn't
> feel like posting one more there.
>

that's right, I even PMed some of the folks there, but I'm still 
waiting...
let's see, we'll get this thing working, won't we?
!!!


> Thank you people!
>
> EdK

>
> Markus Feilner <lists@xxxxxxxxxxxxxx> wrote:
>
> On Friday, 17 October 2003 08:28, Andreas Baetz wrote:
> > Ed,
> >
> > You could check the following:
> > Is the routing between the subnets correct ?
> > Do the packets arrive at the eth-Interface of your source GW ?
> > Is forwarding switched on at the GW ?
> >
> > Andreas
>
> (...)
>
> A) I'm not quite sure if routing is correct, but ipsec works one-way
> (if it's initiated from one side, so I think routing should be ok.)
> forwarding is switched on.
> here's an extract from tcpdump -i ipsec0 (on the right-hand server)
> ----------------
> 14:09:34.824650 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
> 14:09:34.852147 192.168.89.12 > 192.168.0.4: icmp: echo request
> 14:09:34.852393 192.168.0.4 > 192.168.89.12: icmp: echo reply
> 14:09:35.824675 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
> 14:09:35.846827 192.168.89.12 > 192.168.0.4: icmp: echo request
> 14:09:35.847018 192.168.0.4 > 192.168.89.12: icmp: echo reply
> 14:09:36.824670 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
> 14:09:36.847427 192.168.89.12 > 192.168.0.4: icmp: echo request
> 14:09:36.847605 192.168.0.4 > 192.168.89.12: icmp: echo reply
> 14:09:37.824697 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
> 14:09:37.851494 192.168.89.12 > 192.168.0.4: icmp: echo request
> 14:09:37.851698 192.168.0.4 > 192.168.89.12: icmp: echo reply
> -------------------
> As you can see, I managed to have leftside hosts ping to the right
> side and get answers (ssh works, too). But the other way round,
> packets are dropped. 217.229.160.84 is my current IP on the right
> side - is this right? Shouldn't the local IP of the pinging host
> stand here?
>
> route says:
> -----------------right server--------------
> Server:/ # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> a.b.c.d         *               255.255.255.255 UH    0      0        0 ppp0
> a.b.c.d         *               255.255.255.255 UH    0      0        0 ipsec0
> 10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
> 192.168.89.0    *               255.255.255.0   U     0      0        0 ipsec0
> default         a.b.c.d         0.0.0.0         UG    0      0        0 ppp0
> Server:/ #
> (a.b.c.d is the p-t-p partner of my dsl conn)
> ------------------------------------------------
> ----------------left server--------------------
> Server1:/ # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> e.f.g.h         0.0.0.0         255.255.255.240 U     0      0        0 eth1
> e.f.g.h         0.0.0.0         255.255.255.240 U     0      0        0 ipsec0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
> 192.168.89.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 0.0.0.0         e.f.g.i         0.0.0.0         UG    0      0        0 eth1
> Server1:/ #
> with e.f.g.h the local (fixed) IP of the subnet and e.f.g.i the IP of
> Server1.
> ----------------------------------------------------
>
> and eroute says:
> -------------right-side------------------
> Server:/ # ipsec eroute
> 4 192.168.0.0/24:0 -> 192.168.89.0/24:0 => tun0x1002@xxxxxxx:0
> Server:/ #
> -------------left-side--------------------
>
> Server1:/ # ipsec eroute
> 4 192.168.89.0/24:0 -> 192.168.0.0/24:0 => tun0x1004@xxxxxxxxxxxxxx:0
> Server1:/ #
> -------------------------------------------
>
> However, pings from a host in subnet 192.168.0.0 (=right) to the
> left are dropped on interface ipsec0. But not if the connection has
> been established from left-hand-side.
> ----------------------------dropped packets---------------
>
> Server:/ # ifconfig ipsec0
> ipsec0    Link encap:IPIP Tunnel  HWaddr
>           inet addr:217.229.160.84  Mask:255.255.255.255
>           UP RUNNING NOARP  MTU:16260  Metric:1
>           RX packets:4 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:4 errors:0 dropped:612 overruns:0 carrier:0
>           collisions:0 txqueuelen:10
>           RX bytes:240 (240.0 b)  TX bytes:448 (448.0 b)
> Server:/ #
> --------------------------------------------------------------
> As you can see, four packets came from the left side and were answered,
> but the 612 pings from right to left were dropped.
> Strange.
> I'll take a deep look into my firewall rules, but there should be no
> such rule preventing that.
> Are there any kernel runtime parameters concerning this?
> I have all rp_filter = 0, ip_forward=1 - and what more do I need?
>
> Any help is welcome!

-- 
Mit freundlichen Grüßen
Markus Feilner

Linux Solutions, Training, Seminare und Workshops - auch Inhouse
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23  - mobil: +49 170 302 709 2 
web: http://feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx
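The checks the thread walks through by hand (ip_forward and rp_filter, a kernel route for the remote subnet via ipsec0, a matching eroute, and the ipsec0 TX drop counter) collected into one offline diagnostic. This is an added example, not code from the thread, from FreeS/WAN or from SuSE: it parses saved output of `route`, `ipsec eroute` and `ifconfig` and reports what is missing. The sample texts are constructed from the values quoted above, with 203.0.113.1 standing in for the masked a.b.c.d and 10.0.0.1 for the masked tunnel peer; `diagnose` and the helper names are this example's own.

```python
"""Offline sanity checks for a FreeS/WAN site-to-site tunnel (added example).
Every function works on captured text, so it can be run against output saved
from the gateway rather than on the gateway itself."""
import ipaddress
import re

# Constructed samples: the right-hand server's output from the thread, with
# 203.0.113.1 in place of a.b.c.d and 10.0.0.1 in place of the masked peer.
RIGHT_ROUTE = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.1     *               255.255.255.255 UH    0      0        0 ppp0
203.0.113.1     *               255.255.255.255 UH    0      0        0 ipsec0
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.89.0    *               255.255.255.0   U     0      0        0 ipsec0
default         203.0.113.1     0.0.0.0         UG    0      0        0 ppp0
"""
RIGHT_EROUTE = "4 192.168.0.0/24:0 -> 192.168.89.0/24:0 => tun0x1002@10.0.0.1:0\n"
RIGHT_IFCONFIG = """ipsec0    Link encap:IPIP Tunnel  HWaddr
          inet addr:217.229.160.84  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:612 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:240 (240.0 b)  TX bytes:448 (448.0 b)
"""

def parse_route(text):
    """Parse `route` / `route -n` output into dicts; 'default' becomes 0.0.0.0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] in ("Kernel", "Destination"):
            continue  # banner, header, or a wrapped/garbled line
        dest, gw, mask, flags, _metric, _ref, _use, iface = parts
        if dest == "default":
            dest = "0.0.0.0"
        routes.append({"dest": dest, "gateway": gw, "genmask": mask,
                       "flags": flags, "iface": iface})
    return routes

def route_iface_for(text, subnet):
    """Interface the kernel table selects for `subnet` (longest prefix wins)."""
    net = ipaddress.ip_network(subnet)
    best = None
    for r in parse_route(text):
        rnet = ipaddress.ip_network(f"{r['dest']}/{r['genmask']}", strict=False)
        if net.subnet_of(rnet) and (best is None or rnet.prefixlen > best[0]):
            best = (rnet.prefixlen, r["iface"])
    return best[1] if best else None

# `ipsec eroute` line: "<count> src/len:port -> dst/len:port => tunXXX@peer:port"
EROUTE_RE = re.compile(r"^\s*(\d+)\s+(\S+?):\d+\s+->\s+(\S+?):\d+\s+=>\s+(\S+)")

def parse_eroute(text):
    entries = []
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if m:
            entries.append({"count": int(m.group(1)), "src": m.group(2),
                            "dst": m.group(3), "said": m.group(4)})
    return entries

def has_eroute(text, src, dst):
    """True if an eroute exists for exactly this src -> dst selector pair."""
    return any(e["src"] == src and e["dst"] == dst for e in parse_eroute(text))

def ifconfig_drops(text, direction="TX"):
    """Packet and drop counters for one direction from `ifconfig` output."""
    m = re.search(rf"{direction} packets:(\d+) errors:\d+ dropped:(\d+)", text)
    return {"packets": int(m.group(1)), "dropped": int(m.group(2))} if m else None

def sysctl_problems(values):
    """`values` maps /proc/sys/net/ipv4 relative paths to ints, e.g. read on the
    gateway. Flags forwarding off and any rp_filter that is not 0, the two
    settings the thread checks first."""
    problems = []
    if values.get("ip_forward", 0) != 1:
        problems.append("ip_forward is not 1")
    for key, val in values.items():
        if key.endswith("/rp_filter") and val != 0:
            problems.append(f"{key} = {val}, expected 0")
    return problems

def diagnose(route_text, eroute_text, ifconfig_text, sysctl, local_net, remote_net):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    iface = route_iface_for(route_text, remote_net)
    if iface != "ipsec0":
        findings.append(f"remote subnet {remote_net} is routed via {iface}, not ipsec0")
    if not has_eroute(eroute_text, local_net, remote_net):
        findings.append(f"no eroute {local_net} -> {remote_net}")
    tx = ifconfig_drops(ifconfig_text, "TX")
    if tx and tx["dropped"]:
        findings.append(f"ipsec0 dropped {tx['dropped']} outbound packets; "
                        "check the eroute selectors and firewall rules")
    findings.extend(sysctl_problems(sysctl))
    return findings

if __name__ == "__main__":
    sysctl = {"ip_forward": 1, "conf/all/rp_filter": 0, "conf/eth1/rp_filter": 0}
    for f in diagnose(RIGHT_ROUTE, RIGHT_EROUTE, RIGHT_IFCONFIG, sysctl,
                      "192.168.0.0/24", "192.168.89.0/24"):
        print("FINDING:", f)
```

Run against the right-hand server's data, the route and eroute checks pass and the only finding is the 612 dropped outbound packets, which is exactly where the thread is stuck; on a live box, feed it the real `route -n`, `ipsec eroute` and `ifconfig ipsec0` output and a dict built from the files under /proc/sys/net/ipv4.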
