
Re: [suse-security] ipsec freeswan - connection established successfully, but packets are dropped ...



On Monday, 20 October 2003 07:57, Andreas Baetz wrote:
> On Saturday 18 October 2003 12:28, Markus Feilner wrote:
> > On Friday, 17 October 2003 12:18, Frank Stuehmer wrote:
> > > Hi Markus,
> > >
> > > > I stopped all Firewall rules, and checked the ipsec
> > > > configuration over and over, but i can't find a solution.
> > > > Can anyone help me?
> > >
> > > Do you have lines like this in /etc/ipsec.conf:
> > > leftupdown=/usr/lib/ipsec/_updown.x509 ?
> > > In _updown.x509, routing and firewalling for the ipsec connection
> > > are set up. With the SuSE firewall this configuration works fine for me.
> > >
> > > Frank Stuehmer
> >
> > Yes, I do. But that's not enough.
> > And I tried with or without the gw entry in line 55 - as described
> > on https://nso.freeswan.nl/archives/users/2003-September/msg00227.html
> > this proved to be necessary for the routing.
> > Now ping left-net-host -> right-net-host works, but ping
> > right-net-host -> left-net-host doesn't.
> > Packets are dropped on the left-net VPN server's interface ipsec0.
> > But why? It answers correctly on a connection initiated from the
> > left-side host, but cannot ping to the other side...
> > ????
>
> So your packets go from right-net-host over right-net-gw through the
> tunnel to left-net-gw, and there they are dropped?
> Are they dropped by a firewall rule?
>
> Andreas
No, definitely not.
This happens both with SuSEFirewall activated and without.
[I have entered ports 50, 51 and 500 (on both systems) in
/etc/sysconfig/SuSEfirewall2.]
Behaviour is the same, with or without the firewall.
The one thing I don't understand is:
why does it work one-way? Why can I see and access the Samba server here
from left hosts, but why can't I see the left hosts from here?
It can't be:

- Network Config
- Authorization - because the Connection works.
- Routing - because it works one-way and back.
- Firewall - because it shows the same with or without.

Can it be:

a) DSL - I have a dial-in DSL line with ppp0 as interface with a non-local
IP.
b) Routing, even though it seems impossible? What is the parameter
interfaces=%defaultroute good for? Should my ppp0 interface be listed
there?
Thanks a lot!!!
-- 
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
phone: +49 941 70 65 23  - mobile: +49 170 302 709 2
web: http://feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx
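As an added example (not code from this thread, from SuSE or from FreeS/WAN), a small Python checker that parses an ipsec.conf in the FreeS/WAN layout and reports the two settings the thread turns on: interfaces=%defaultroute in config setup, and leftupdown in each conn. SAMPLE_CONF, the conn name left-right and all addresses in it are constructed for the example.

```python
# Added example (not from the thread): parse a FreeS/WAN ipsec.conf and flag the two
# settings the thread revolves around. SAMPLE_CONF is constructed, not the poster's file.
SAMPLE_CONF = """\
config setup
\tinterfaces=%defaultroute

conn left-right
\tleft=%defaultroute
\tleftsubnet=192.168.1.0/24
\tleftupdown=/usr/lib/ipsec/_updown.x509
\tright=203.0.113.7            # constructed documentation-range address
\trightsubnet=192.168.2.0/24
\tauto=start
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}: 'config setup' and each conn name (headers in
    column 0, indented key=value parameters, '#' comments, as FreeS/WAN expects)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                        # section header
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"parameter outside any section: {line.strip()}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed parameter line: {line.strip()}")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections

def check_conf(sections):
    """Findings on interfaces= and leftupdown=, the two knobs the thread discusses."""
    findings = []
    if sections.get("config setup", {}).get("interfaces") == "%defaultroute":
        findings.append("config setup: interfaces=%defaultroute binds ipsec0 to the interface "
                        'holding the default route (ppp0 on dial-up DSL); pin it with interfaces="ipsec0=ppp0"')
    defaults = sections.get("%default", {})          # 'conn %default' supplies defaults
    for name, params in sections.items():
        if name.startswith("config ") or name == "%default":
            continue
        if "leftupdown" not in params and "leftupdown" not in defaults:
            findings.append(f"conn {name}: leftupdown not set; the thread suggests "
                            "/usr/lib/ipsec/_updown.x509 to add the tunnel's route and firewall rules")
    return findings
```

Run check_conf(parse_ipsec_conf(open("/etc/ipsec.conf").read())) on a real file to get the same findings for your own configuration.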

