(first: sorry about my English... I hope you can guess what I mean. I found this list and hope to get my problem solved soon - thanks)
What's wrong?

I have 2 machines configured with Freeswan 1.99. They have to be an
IPsec tunnel for the LANs behind them and they should act as default
gateway for internet connections at the same time. The logs say that the
VPN connection is successful, the internet gateway works without problems,
routing works, but there's not one byte going through the tunnel from LAN1 to
LAN2.

machine1
--------------
[ipsec.conf]

config setup
 forwardcontrol=yes
 fragicmp=yes
 interfaces="ipsec0=eth1:0" # 2 sdsl gateways available eth0:1 is right
 klipsdebug=none
 plutodebug=none
 plutoload=%search
 plutostart=%search
 plutowait=no
 uniqueids=yes

conn %default
 type=tunnel
 keyingtries=0
 compress=yes
 authby=rsasig

conn tunnel1
 left=212.29.14.14   # machine 2
 leftsubnet=192.168.7.0/24 # lan 2
 leftnexthop=212.29.14.13 # router 2
 
[EMAIL PROTECTED]
 leftrsasigkey=0sA...usw....
 right=212.25.38.38  # machine 1
 rightsubnet=192.168.6.0/24 # lan 1
 rightnexthop=212.25.38.37 # router 1
 
[EMAIL PROTECTED]
 rightrsasigkey=0sA...usw...
 auto=add

[iptables]

# Generated by iptables-save v1.2.7a on Fri Aug  1 09:38:28 2003
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -d ! 192.168.7.0/255.255.255.0 -o eth1 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.2.7a on Fri Aug  1 09:38:28 2003
*mangle
:PREROUTING ACCEPT [9:1046]
:INPUT ACCEPT [9:1046]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:2572]
:POSTROUTING ACCEPT [12:2572]
COMMIT
# Generated by iptables-save v1.2.7a on Fri Aug  1 09:38:28 2003
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -j ACCEPT
COMMIT
# Completed on Fri Aug  1 09:38:28 2003

Machine 2
--------------
[ipsec.conf]

config setup
 forwardcontrol=yes
 fragicmp=yes
 interfaces="ipsec0=eth1"
 klipsdebug=none
 plutodebug=none
 plutoload=%search
 plutostart=%search
 plutowait=no
 uniqueids=yes

conn %default
 type=tunnel
 keyingtries=0
 compress=yes
 authby=rsasig

conn tunnel1
 left=212.29.14.14   # machine 2
 leftsubnet=192.168.7.0/24 # lan 2
 leftnexthop=212.29.14.13 # router 2
 
[EMAIL PROTECTED]
 leftrsasigkey=0sA...usw....
 right=212.25.38.38  # machine 1
 rightsubnet=192.168.6.0/24 # lan 1
 rightnexthop=212.25.38.37 # router 1
 
[EMAIL PROTECTED]
 rightrsasigkey=0sA...usw...
 auto=add

[iptables]

# Generated by iptables-save v1.2.7a on Fri Aug  1 09:38:28 2003
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -d ! 192.168.6.0/255.255.255.0 -o eth1 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.2.7a on Fri Aug  1 09:38:28 2003
*mangle
:PREROUTING ACCEPT [9:1046]
:INPUT ACCEPT [9:1046]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:2572]
:POSTROUTING ACCEPT [12:2572]
COMMIT
# Generated by iptables-save v1.2.7a on Fri Aug  1 09:38:28 2003
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -j ACCEPT
COMMIT
# Completed on Fri Aug  1 09:38:28 2003


ipsec auto --up tunnel1 (on one of the machines) :

ipsec auto --up tunnel1
104 "tunnel1" #1: STATE_MAIN_I1: initiate
106 "tunnel1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "tunnel1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "tunnel1" #1: STATE_MAIN_I4: ISAKMP SA established
112 "tunnel1" #2: STATE_QUICK_I1: initiate
004 "tunnel1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established

- the added routes are correct
- IP forwarding is activated in the kernel

- I know I have to ping from LAN1 to LAN2, not from the VPN gateways directly,
but it does not work

tcpdump -n -i ipsec0
tcpdump: listening on ipsec0
19:01:48.689325 192.168.6.8 > 192.168.7.65: icmp: echo request
19:01:53.696334 192.168.6.8 > 192.168.7.65: icmp: echo request
...etc...
tcpdump on the other side shows nothing

Both machines run Red Hat (9 and 7.3) with Freeswan 1.99 installed as RPMs fitting each kernel version.
Please help!
Thanks much,

Mirko
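One thing worth verifying mechanically in a setup like this is that the gateway's MASQUERADE rule really excludes the remote LAN named in the conn, since NAT applied before the packet reaches ipsec0 would rewrite the source and keep it out of the tunnel. The following is an added example written for this post, not code from the poster or from Freeswan; the ipsec.conf excerpt and the second (broken) nat rule are constructed, while the first nat rule is machine 1's rule as posted.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted conn (comments and keys omitted).
IPSEC_CONF = """
conn tunnel1
 left=212.29.14.14
 leftsubnet=192.168.7.0/24
 right=212.25.38.38
 rightsubnet=192.168.6.0/24
 auto=add
"""
# Machine 1's nat rule as posted: the negated destination keeps LAN-to-LAN
# traffic out of MASQUERADE so it can still enter the tunnel unmodified.
NAT_OK = "-A POSTROUTING -d ! 192.168.7.0/255.255.255.0 -o eth1 -j MASQUERADE"
# Constructed broken variant: masquerades everything leaving eth1.
NAT_BAD = "-A POSTROUTING -o eth1 -j MASQUERADE"

def parse_conn(text, name):
    """Return the key=value pairs of one conn section of ipsec.conf."""
    params, inside = {}, False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("conn "):
            inside = line.split()[1] == name
        elif inside and "=" in line:
            k, v = line.split("=", 1)
            params[k.strip()] = v.strip().strip('"')
    return params

def remote_subnet(conn, local_ip):
    """Freeswan decides which side it is by matching left/right to a local address."""
    if conn["left"] == local_ip:
        return ipaddress.ip_network(conn["rightsubnet"])
    if conn["right"] == local_ip:
        return ipaddress.ip_network(conn["leftsubnet"])
    raise ValueError("local address %s is neither left nor right" % local_ip)

def masquerade_excludes(rule, subnet):
    """True if a MASQUERADE rule negates a destination that covers `subnet`."""
    if "MASQUERADE" not in rule:
        return True
    m = re.search(r"-d\s+!\s*(\S+)", rule)  # iptables 1.2 negation syntax
    if not m:
        return False
    excluded = ipaddress.ip_network(m.group(1))  # accepts dotted netmasks
    return subnet.subnet_of(excluded)

def nat_leaves_tunnel_alone(ipsec_conf, nat_rules, local_ip, conn="tunnel1"):
    """Check that no MASQUERADE rule would rewrite traffic bound for the remote LAN."""
    remote = remote_subnet(parse_conn(ipsec_conf, conn), local_ip)
    return all(masquerade_excludes(r, remote) for r in nat_rules.splitlines() if r.strip())
```

Run it with each gateway's public address (212.25.38.38 for machine 1, 212.29.14.14 for machine 2) against that gateway's own nat table; for the rules as posted both sides pass, so the NAT exclusion itself is not what blocks this tunnel.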