On Wed, 2003-02-26 at 17:16, Kenneth E. Lussier wrote:
> On Wed, 2003-02-26 at 15:03, Cole Tuininga wrote:
>
> > But not via the VPN:
> >
> > traceroute 192.168.2.1
> > traceroute to 192.168.2.1 (192.168.2.1), 30 hops max, 38 byte packets
> >  1  * * *
> > (etc)
>
> What about from the subnet to the gateway?

I'm not sure if you mean the closer gateway or the further one, but from
192.168.1.68:

    $ traceroute 192.168.1.1
    traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 38 byte packets
     1  192.168.1.1 (192.168.1.1)  0.445 ms  0.194 ms  0.173 ms

    $ traceroute 192.168.2.1
    traceroute to 192.168.2.1 (192.168.2.1), 30 hops max, 38 byte packets
     1  192.168.1.1 (192.168.1.1)  0.340 ms  0.181 ms  0.161 ms
     2  * * *

(*sputter* *cough* *choke*)

> > > 2) 192.168.1.0/24-to-opposite gateway
> > > 3) 192.168.2.0/24-to-opposite gateway
> >
> > You're basically saying to just add these two in?
>
> Yes.

Ok - so here's what the appropriate sections of my ipsec.conf look like now:

    conn panam-cole-ss
        left = 63.127.199.26
        leftsubnet = 192.168.2.0/24
        leftnexthop = 63.127.199.25
        # RSA 2192 bits   inside   Sat Feb 22 04:28:58 2003
        leftrsasigkey=0sAQNkta3s7v3B [snip]
        right = 209.187.117.100
        rightsubnet = 192.168.1.0/24
        rightnexthop = 209.187.117.65
        # RSA 2192 bits   deb-box   Tue Feb 25 13:13:11 2003
        rightrsasigkey=0sAQPBb4MhWjn [snip]
        auto = start

    conn panam-cole-gg
        left = 63.127.199.26
        leftnexthop = 63.127.199.25
        # RSA 2192 bits   inside   Sat Feb 22 04:28:58 2003
        leftrsasigkey=0sAQNkta3s7v3B [snip]
        right = 209.187.117.100
        rightnexthop = 209.187.117.65
        # RSA 2192 bits   deb-box   Tue Feb 25 13:13:11 2003
        rightrsasigkey=0sAQPBb4MhWjn [snip]
        auto = start

    conn panam-cole-gs
        left = 63.127.199.26
        leftnexthop = 63.127.199.25
        # RSA 2192 bits   inside   Sat Feb 22 04:28:58 2003
        leftrsasigkey=0sAQNkta3s7v3Bv [snip]
        right = 209.187.117.100
        rightsubnet = 192.168.1.0/24
        rightnexthop = 209.187.117.65
        # RSA 2192 bits   deb-box   Tue Feb 25 13:13:11 2003
        rightrsasigkey=0sAQPBb4MhWjnp9 [snip]
        auto = start

    conn panam-cole-sg
        left = 63.127.199.26
        leftsubnet = 192.168.2.0/24
        leftnexthop = 63.127.199.25
        # RSA 2192 bits   inside   Sat Feb 22 04:28:58 2003
        leftrsasigkey=0sAQNkta3s7v3B [snip]
        right = 209.187.117.100
        rightnexthop = 209.187.117.65
        # RSA 2192 bits   deb-box   Tue Feb 25 13:13:11 2003
        rightrsasigkey=0sAQPBb4MhWjnp9Y4 [snip]
        auto = start

After setting these up and activating them, initially, my ssh connection to
the remote gateway (63.127.199.26) stalls for a minute or two and then comes
back. Routing tables look like this:

192.168.1.1:

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    63.127.199.26   209.187.117.65  255.255.255.255 UGH   0      0        0 ipsec0
    209.187.117.64  0.0.0.0         255.255.255.192 U     0      0        0 eth1
    209.187.117.64  0.0.0.0         255.255.255.192 U     0      0        0 ipsec0
    192.168.2.0     209.187.117.65  255.255.255.0   UG    0      0        0 ipsec0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    0.0.0.0         209.187.117.65  0.0.0.0         UG    0      0        0 eth1

192.168.2.1:

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    209.187.117.100 63.127.199.25   255.255.255.255 UGH   0      0        0 ipsec0
    63.127.199.24   0.0.0.0         255.255.255.252 U     0      0        0 eth0
    63.127.199.24   0.0.0.0         255.255.255.252 U     0      0        0 ipsec0
    192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    192.168.1.0     63.127.199.25   255.255.255.0   UG    0      0        0 ipsec0
    0.0.0.0         63.127.199.25   0.0.0.0         UG    0      0        0 eth0

> > > You can try
> > > forcing a route between the two gateways, which might help. Can you send
> > > me the output of a pluto barf? (BTW... Who *NAMES* these things??? ;-)
> >
> > A barf from when? Startup? When I try to send ICMP packets through?
> > TCP packets?
>
> C. All of the above. ;-)

I'll generate this in a little bit and mail it to Kenny off list. Anybody
else masochistic ... er ... interested enough in looking at the logs can
email me and I'll be happy to send a copy.

> It looks like the requests are going out, but the response is not coming
> back. You may want to run tcpdump without specifying an interface to see
> even more of the traffic. From this it looks like the pings are going
> out to the box but are not routed back properly.

Ok, this time around, I'm doing a:

    # tcpdump -i any | grep icmp

From 192.168.1.68, I attempt to ping 192.168.1.69. Here are the tcpdump
results:

    08:55:36.694803 192.168.1.68 > 192.168.2.69: icmp: echo request (DF)
    08:55:36.694985 192.168.1.68 > 192.168.2.69: icmp: echo request (DF)
    08:55:36.748865 192.168.2.69 > 192.168.1.68: icmp: echo reply
    08:55:37.687780 192.168.1.68 > 192.168.2.69: icmp: echo request (DF)
    08:55:37.687896 192.168.1.68 > 192.168.2.69: icmp: echo request (DF)
    08:55:37.737399 192.168.2.69 > 192.168.1.68: icmp: echo reply
    [continues on as long as I ping]

Is there a way to get tcpdump to output which interface it's seeing these
packets on? Or do I just have to run tcpdump on each interface?

Also, am I correct in interpreting the above as the reply is coming back
from 192.168.2.69 through the vpn, but for some reason I'm not actually
seeing the response on my workstation at 192.168.1.68?

> > pinging to an internal ip on my home network (192.168.2.69) yielded
> > similar results.
>
> It shouldn't have. You should get a response if they are on the same
> subnet.

I was doing it from my work network.

> > > > Did I give all necessary info?
> > >
> > > So far, so good... Like I said earlier, if you could send me a full
> > > pluto barf, that would help (it will be quite long, too). Also, if you
> > > kill the connection and start it up again, the output of the connection
> > > starting from both syslogs would help.
> >
> > How big is this going to be? Would it be more appropriate to send off
> > list or is it ok to send it on list?
>
> The barf output can be quite large. Sometimes upwards of 1 or 2 MB.
> Probably best to send it off list.

I'll try to generate this soon and send it along. Thanks for the help so
far Kenny.

-- 
"Lottery: A tax on people who are bad at math."

Cole Tuininga
Lead Developer
Code Energy, Inc
[EMAIL PROTECTED]
PGP Key ID: 0x43E5755D

_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
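An added example, not part of the thread above, that mechanises the reading Cole asks about: on a forwarding gateway a `tcpdump -i any` capture logs a packet once per interface it crosses, so a forwarded echo request shows up twice per ping while a reply that reached the gateway but was never forwarded back to the LAN shows up once. The function names, the per-second heuristic and the one-ping-per-second assumption are mine; the sample lines are copied from the message, not a new capture.

```python
import re
from collections import Counter

# Constructed sample, copied from the `tcpdump -i any | grep icmp` lines in the
# message above (not a new capture).
SAMPLE = """\
08:55:36.694803 192.168.1.68 > 192.168.2.69: icmp: echo request (DF)
08:55:36.694985 192.168.1.68 > 192.168.2.69: icmp: echo request (DF)
08:55:36.748865 192.168.2.69 > 192.168.1.68: icmp: echo reply
08:55:37.687780 192.168.1.68 > 192.168.2.69: icmp: echo request (DF)
08:55:37.687896 192.168.1.68 > 192.168.2.69: icmp: echo request (DF)
08:55:37.737399 192.168.2.69 > 192.168.1.68: icmp: echo reply
"""

# Old-style tcpdump ICMP line: "<hh:mm:ss.usec> <src> > <dst>: icmp: echo <kind>"
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+): icmp: echo (request|reply)")

def parse(text):
    """Yield (timestamp, src, dst, kind) for every ICMP echo line; skip the rest."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groups()

def forwarding_summary(text):
    """Per wall-clock second, how often each echo direction was logged. On the
    forwarding gateway `-i any` logs a packet once per interface it crosses, so a
    forwarded packet appears twice and one accepted but never forwarded once."""
    per_sec = {}
    for ts, _src, _dst, kind in parse(text):
        per_sec.setdefault(ts[:8], Counter())[kind] += 1
    return per_sec

def diagnose(text):
    """Heuristic verdict; assumes one ping per second in a single `-i any` capture."""
    verdicts = set()
    for counts in forwarding_summary(text).values():
        req, rep = counts["request"], counts["reply"]
        if req >= 2 and rep >= 2:
            verdicts.add("forwarded-both-ways")
        elif req >= 2 and rep == 1:
            verdicts.add("reply-not-forwarded")  # reply reached the gateway only
        elif req == 1 and rep == 0:
            verdicts.add("request-not-forwarded")
        elif rep == 0:
            verdicts.add("no-reply")
        else:
            verdicts.add("inconclusive")
    return verdicts.pop() if len(verdicts) == 1 else "inconclusive"
```

Running `diagnose(SAMPLE)` on the posted lines yields "reply-not-forwarded", which is the reading Cole proposes; confirming it still needs a per-interface capture (eth0 vs ipsec0) on the gateway, since `-i any` alone does not name the interface.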