On Wed, 2003-02-26 at 17:16, Kenneth E. Lussier wrote:
> On Wed, 2003-02-26 at 15:03, Cole Tuininga wrote:
>
> > But not via the VPN:
> >
> > traceroute 192.168.2.1
> > traceroute to 192.168.2.1 (192.168.2.1), 30 hops max, 38 byte packets
> > 1 * * *
> > (etc)
>
> What about from the subnet to the gateway?
I'm not sure if you mean the closer gateway or the further one, but from
192.168.1.68:
$ traceroute 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 38 byte packets
1 192.168.1.1 (192.168.1.1) 0.445 ms 0.194 ms 0.173 ms
$ traceroute 192.168.2.1
traceroute to 192.168.2.1 (192.168.2.1), 30 hops max, 38 byte packets
1 192.168.1.1 (192.168.1.1) 0.340 ms 0.181 ms 0.161 ms
2 * * *
(*sputter* *cough* *choke*)
> > > 2) 192.168.1.0/24-to-opposite gateway
> > > 3) 192.168.2.0/24-to-opposite gateway
> >
> > You're basically saying to just add these two in?
>
> Yes.
Ok - so here's what the appropriate sections of my ipsec.conf look like
now:
conn panam-cole-ss
left = 63.127.199.26
leftsubnet = 192.168.2.0/24
leftnexthop = 63.127.199.25
# RSA 2192 bits inside Sat Feb 22 04:28:58 2003
leftrsasigkey=0sAQNkta3s7v3B [snip]
right = 209.187.117.100
rightsubnet = 192.168.1.0/24
rightnexthop = 209.187.117.65
# RSA 2192 bits deb-box Tue Feb 25 13:13:11 2003
rightrsasigkey=0sAQPBb4MhWjn [snip]
auto = start
conn panam-cole-gg
left = 63.127.199.26
leftnexthop = 63.127.199.25
# RSA 2192 bits inside Sat Feb 22 04:28:58 2003
leftrsasigkey=0sAQNkta3s7v3B [snip]
right = 209.187.117.100
rightnexthop = 209.187.117.65
# RSA 2192 bits deb-box Tue Feb 25 13:13:11 2003
rightrsasigkey=0sAQPBb4MhWjn [snip]
auto = start
conn panam-cole-gs
left = 63.127.199.26
leftnexthop = 63.127.199.25
# RSA 2192 bits inside Sat Feb 22 04:28:58 2003
leftrsasigkey=0sAQNkta3s7v3Bv [snip]
right = 209.187.117.100
rightsubnet = 192.168.1.0/24
rightnexthop = 209.187.117.65
# RSA 2192 bits deb-box Tue Feb 25 13:13:11 2003
rightrsasigkey=0sAQPBb4MhWjnp9 [snip]
auto = start
conn panam-cole-sg
left = 63.127.199.26
leftsubnet = 192.168.2.0/24
leftnexthop = 63.127.199.25
# RSA 2192 bits inside Sat Feb 22 04:28:58 2003
leftrsasigkey=0sAQNkta3s7v3B [snip]
right = 209.187.117.100
rightnexthop = 209.187.117.65
# RSA 2192 bits deb-box Tue Feb 25 13:13:11 2003
rightrsasigkey=0sAQPBb4MhWjnp9Y4 [snip]
auto = start
After setting these up and activating them, initially, my ssh connection
to the remote gateway (63.127.199.26) stalls for a minute or two and
then comes back.
Routing tables look like this:
192.168.1.1:
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
63.127.199.26 209.187.117.65 255.255.255.255 UGH 0 0 0
ipsec0
209.187.117.64 0.0.0.0 255.255.255.192 U 0 0 0
eth1
209.187.117.64 0.0.0.0 255.255.255.192 U 0 0 0
ipsec0
192.168.2.0 209.187.117.65 255.255.255.0 UG 0 0 0
ipsec0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0
eth0
0.0.0.0 209.187.117.65 0.0.0.0 UG 0 0 0
eth1
192.168.2.1:
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
209.187.117.100 63.127.199.25 255.255.255.255 UGH 0 0 0
ipsec0
63.127.199.24 0.0.0.0 255.255.255.252 U 0 0 0
eth0
63.127.199.24 0.0.0.0 255.255.255.252 U 0 0 0
ipsec0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0
eth1
192.168.1.0 63.127.199.25 255.255.255.0 UG 0 0 0
ipsec0
0.0.0.0 63.127.199.25 0.0.0.0 UG 0 0 0
eth0
> > > You can try
> > > forcing a route between the two gateways, which might help. Can you send
> > > me the output of a pluto barf? (BTW... Who *NAMES* these things??? ;-)
> >
> > A barf from when? Startup? When I try to send ICMP packets through?
> > TCP packets?
>
> C. All of the above. ;-)
I'll generate this in a little bit and mail it to Kenny off list. Anybody else
masochistic ... er ... interested enough in looking at the logs can email me and
I'll be happy to send a copy.
> It looks like the requests are going out, but the response is not coming
> back. You may want to run tcpdump without specifying an interface to see
> even more of the traffic. From this it looks like the pings are going
> out to the box but are not routed back properly.
Ok, this time around, I'm doing a: # tcpdump -i any | grep icmp
>From 192.168.1.68, I attempt to ping 192.168.1.69. Here are the tcpdump
results:
08:55:36.694803 192.168.1.68 > 192.168.2.69: icmp: echo request (DF)
08:55:36.694985 192.168.1.68 > 192.168.2.69: icmp: echo request (DF)
08:55:36.748865 192.168.2.69 > 192.168.1.68: icmp: echo reply
08:55:37.687780 192.168.1.68 > 192.168.2.69: icmp: echo request (DF)
08:55:37.687896 192.168.1.68 > 192.168.2.69: icmp: echo request (DF)
08:55:37.737399 192.168.2.69 > 192.168.1.68: icmp: echo reply
[continues on as long as I ping]
Is there a way to get tcpdump to output which interface it's seeing
these packets on? Or do I just have to run tcpdump on each interface?
Also, am I correct in interpreting the above as the reply is coming back
from 192.168.2.69 through the vpn, but for some reason I'm not actually
seing the response on my workstation at 192.168.1.68?
> > pinging to an internal ip on my home network (192.168.2.69) yielded
> > similar results.
>
> It shouldn't have. You should get a response if they are on the same
> subnet.
I was doing it from my work network.
> > > > Did I give all necessary info?
> > >
> > > So far, so good... Like I said earlier, if you could sent me a full
> > > pluto barf, that would help (it will be quite long, too). Also, if you
> > > kill the connection and start it up again, the output of the connection
> > > starting from both syslogs would help.
> >
> > How big is this going to be? Would it be more appropriate to send off
> > list or is it ok to send it on list?
>
> The barf output can be quite large. Sometime upwards of 1 or 2 MB.
> Probably best to send it off list.
I'll try to generate this soon and send it along. Thanks for the help
so far Kenny.
--
"Lottery: A tax on people who are bad at math."
Cole Tuininga
Lead Developer
Code Energy, Inc
[EMAIL PROTECTED]
PGP Key ID: 0x43E5755D
_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
