On Wed, 30 Jul 2003, Jools wrote:

>  I ran tcpdump and pinged a server on the remote subnet which returned the
>  following on ipsec0
>  
>  01:30:02.403852 80.177.109.245.33650 > 192.168.0.82.ssh: S
>  3369811267:3369811267(0) win 5840 <mss 1460,sackOK,timestamp 1228446
>  0,nop,wscale 0> (DF) [tos 0x10]
>  01:30:05.400258 80.177.109.245.33650 > 192.168.0.82.ssh: S
>  3369811267:3369811267(0) win 5840 <mss 1460,sackOK,timestamp 1228746
>  0,nop,wscale 0> (DF) [tos 0x10]
>  01:30:12.849080 80.177.109.245 > 192.168.0.82: icmp: echo request (DF)
>  01:30:13.859830 80.177.109.245 > 192.168.0.82: icmp: echo request (DF)
>  01:30:14.858942 80.177.109.245 > 192.168.0.82: icmp: echo request (DF)
>  01:30:15.858779 80.177.109.245 > 192.168.0.82: icmp: echo request (DF)
>  01:30:16.858654 80.177.109.245 > 192.168.0.82: icmp: echo request (DF)
>  01:30:17.858567 80.177.109.245 > 192.168.0.82: icmp: echo request (DF)
>  01:30:18.858547 80.177.109.245 > 192.168.0.82: icmp: echo request (DF)

You've created a net to net tunnel. It will only encrypt traffic between
192.168.3.0/24 and 192.168.0.0/24. This ping attempt appears to be originating
from your server's public IP, and so these packets will be discarded.

However, this could be an artifact of the following MASQUERADE rule:

Chain ipsec0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   324 MASQUERADE  all  --  *      *       192.168.3.0/24       192.168.0.0/24

FreeS/WAN will encapsulate packets from the 192.168.3.0/24 subnet; there is no 
need for this rule.

Additionally, you shouldn't MASQUERADE packets intended for a remote 
non-routeable subnet.

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
*snip*
 3306  188K MASQUERADE  all  --  *      *       192.168.3.0/24       0.0.0.0/0

http://lists.freeswan.org/pipermail/users/2002-August/012918.html

-- 
Sam Sgro
[EMAIL PROTECTED]
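As an added illustration, not part of the original thread, here is a small Python model of the selector check Sam describes: a net-to-net eroute only covers packets between 192.168.3.0/24 and 192.168.0.0/24, and a POSTROUTING MASQUERADE that rewrites the source to the gateway's public IP before the packet reaches the IPsec policy pushes it outside that selector. The subnets, the MASQUERADE rules and the sample capture lines are those quoted in the thread; that NAT runs before the selector check is an assumption of the model.

```python
import ipaddress
import re

# Tunnel selectors from the thread: left 192.168.3.0/24, right 192.168.0.0/24.
LEFT_SUBNET = ipaddress.ip_network("192.168.3.0/24")
RIGHT_SUBNET = ipaddress.ip_network("192.168.0.0/24")
# Public address of the left gateway, as seen in the tcpdump capture.
PUBLIC_IP = ipaddress.ip_address("80.177.109.245")
# The MASQUERADE rules quoted from the ipsec0_masq and ppp0_masq chains (source, destination).
MASQ_RULES = [
    (ipaddress.ip_network("192.168.3.0/24"), ipaddress.ip_network("192.168.0.0/24")),  # ipsec0_masq
    (ipaddress.ip_network("192.168.3.0/24"), ipaddress.ip_network("0.0.0.0/0")),  # ppp0_masq
]
# tcpdump prints "src.port > dst.port:" for TCP and "src > dst:" for ICMP.
TCPDUMP_RE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+)(?:\.\w+)?\s+>\s+(\d+\.\d+\.\d+\.\d+)(?:\.\w+)?:")

def parse_tcpdump_line(line):
    """Return (src, dst) as strings from one tcpdump line, or None for a non-packet line."""
    m = TCPDUMP_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def in_tunnel_policy(src, dst):
    """A net-to-net eroute covers only traffic between the two subnets, in either direction."""
    return (src in LEFT_SUBNET and dst in RIGHT_SUBNET) or (src in RIGHT_SUBNET and dst in LEFT_SUBNET)

def apply_masquerade(src, dst, rules):
    """Model of POSTROUTING MASQUERADE: the first matching rule rewrites src to the public IP."""
    for rule_src, rule_dst in rules:
        if src in rule_src and dst in rule_dst:
            return PUBLIC_IP
    return src

def classify(src, dst, rules=()):
    """Fate of a packet handed to ipsec0: NAT first (assumed ordering), then the selector check."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nat_src = apply_masquerade(src, dst, rules)
    if in_tunnel_policy(nat_src, dst):
        return "encrypted"
    return f"dropped: {nat_src} -> {dst} is outside {LEFT_SUBNET} <-> {RIGHT_SUBNET}"

if __name__ == "__main__":
    # Constructed sample: one TCP and one ICMP line copied from the capture in the thread.
    for line in ["01:30:02.403852 80.177.109.245.33650 > 192.168.0.82.ssh: S 3369811267:3369811267(0) win 5840",
                 "01:30:12.849080 80.177.109.245 > 192.168.0.82: icmp: echo request (DF)"]:
        src, dst = parse_tcpdump_line(line)
        print(f"{src} -> {dst}: {classify(src, dst)}")
    # A LAN host behind the gateway, before and after the quoted MASQUERADE rules.
    print("no NAT:  ", classify("192.168.3.10", "192.168.0.82"))
    print("with NAT:", classify("192.168.3.10", "192.168.0.82", MASQ_RULES))
```

Running it shows the captured packets rejected for the reason Sam gives (source outside the selector), and a LAN host's packet that would be encrypted without NAT but dropped once either quoted MASQUERADE rule rewrites its source.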
