Hi Leo,

 

Glad to hear that it's working for you now and I'm sure Lindsay will be
glad to hear that you found the documentation "rocking". :-)   We probably
should mention the "ping -I" thing in the docs if that's not already in
there.

 

stig

 

  _____  

From: Leonardo Lima [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 04, 2007 2:38 PM
To: Stig Thormodsrud
Subject: Re: [Vyatta-users] VPN traffic issue: no traffic flow.

 

Hello, Stig.

I was building the answer for your email when I tried to ping from a host
in the subnet, and it worked. I totally missed the ping -I. So, it must be
working since the beginning...

So, it's all working as it should! Thanks for the fastest reply ever, and
such a great product! The documentation now is rocking. 
I followed the Config. guide and it contained almost everything I needed.
I had to look for a way to disable PFS and set DH groups, but it's now
working.

Thanks again!
Leo.

On 9/4/07, Stig Thormodsrud <[EMAIL PROTECTED]> wrote:

Hi Leo,

 

Did you have vpn working in an earlier release and having issues with the
upgrade or are you debugging this for the first time?  

 

Do "show vpn ike sa" and "show vpn ipsec sa" show the tunnel as up?

 

Did you try doing the ping from the router or from a host in the subnet
being tunneled?  If from the router you might have to use "ping -I" to be
able to specify a source address in the tunneled subnet.

 

Is nat involved?

 

stig

 

  _____  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Leonardo Lima
Sent: Tuesday, September 04, 2007 1:21 PM
To: [EMAIL PROTECTED]
Subject: [Vyatta-users] VPN traffic issue: no traffic flow.

 

Hello, all.

I've upgraded to VC2.2 so I could use the VPN features to their fullest. But
my tunnel, after it's successfully established, doesn't transfer any
data. I can see it's connected on both ends (Vyatta and a Linksys), by
means of:  "IPSec Process Running  PID: 4855 1 Active IPsec Tunnels" and
"000 #2: " peer-1.2.3.4-tunnel-1":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 6731s; newest IPSEC; eroute owner" on the
Vyatta side, and " [Tunnel Negotiation Info] Quick Mode Phase 2 SA
Established, IPSec Tunnel Connected" on my router.

Pinging the router's internal IP from Vyatta gets me destination
unreachable. So I don't get traffic flow.

As Vyatta uses Openswan, I went to
http://wiki.openswan.org/index.php/Openswan/DebuggingTCPDump and saw
that I have a situation D problem. It says that's because of
misconfiguration (I don't think so, as the tunnel is OK by the debug
output) or firewall.

I thought that it could be a firewall issue, so I asked my ISP to make my
machine wide open to the internet so I could avoid that kind of problem,
and so it is. And still no good.

It also says to capture packets from my ipsec0 iface, but I couldn't find
any. Capturing data that was transiting in my active ipsec interface eth0
while I was pinging the 'right' router internal IP, I saw ARP requests
that weren't being fulfilled: "19:12:30.275395 arp who-has 192.168.0.101
tell 5.6.7.8" (5.6.7.8 being the eth0 public IP)

Issuing a netstat -nr told me that the iface to 192.168.0.0/24 is eth0
(I thought that should be ipsec0?):

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
5.6.7.8         0.0.0.0         255.255.255.240 U         0 0          0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1

And an ifconfig didn't get me any ipsec iface, only eth0, eth1 and lo.

So, my question is: did anyone get VPN working in Vyatta 2.2? Does it show
an ipsec iface on Linux (outside xorpsh)? If not, how can I proceed with my
debugging, where should I look?

Thanks in advance. Any pointer is very welcome.

Leo
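An added example, not from any of the posters and not Vyatta or Openswan code, that models the "ping -I" point Stig makes in the thread above. On a gateway using the kernel's native IPsec stack (which has no ipsec0 interface; the thread does not say which stack Vyatta uses, so that is an assumption here), a packet is encapsulated only when its source and destination match a security-policy selector. A ping from the router without -I takes the source address of the egress interface chosen by a plain route lookup, here the eth0 public address 5.6.7.8, which is outside the tunneled subnet, so the policy does not match and the packet goes out eth0 in the clear, which is exactly the ARP request Leo captured. The routing table and the eth0 address are copied from his post and the peer 1.2.3.4 from his ipsec output; the tunnel selectors (192.168.10.0/24 to 192.168.0.0/24) and the eth1 address 192.168.10.1 are assumptions.

```python
"""Constructed model of the source-address problem behind "ping -I".

A packet is only encapsulated when its (src, dst) pair matches a
Security Policy Database (SPD) selector.  Without -I the kernel picks
the source address of the egress interface found by a normal route
lookup; if that address lies outside the tunneled subnet the SPD does
not match and the packet leaves in the clear.  Addresses come from the
thread; the SPD selectors and the eth1 address are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Policy:
    local_net: IPNet    # "leftsubnet"
    remote_net: IPNet   # "rightsubnet"
    peer: str           # remote gateway the ESP packets are sent to


# Assumed SPD: local LAN 192.168.10.0/24 <-> remote LAN 192.168.0.0/24,
# peer 1.2.3.4 (from the "peer-1.2.3.4-tunnel-1" name in the ipsec output).
SPD = [Policy(IPNet("192.168.10.0/24"), IPNet("192.168.0.0/24"), "1.2.3.4")]

# Routing table copied from the netstat -nr output in the thread.
# strict=False keeps the 5.6.7.8 value the post shows for the /28 route.
ROUTES = [
    (ipaddress.ip_network("5.6.7.8/28", strict=False), "eth0"),
    (IPNet("192.168.0.0/24"), "eth0"),
    (IPNet("192.168.10.0/24"), "eth1"),
]

# Interface addresses: eth0 is given in the thread, eth1 is assumed.
IFACE_ADDR = {"eth0": "5.6.7.8", "eth1": "192.168.10.1"}


def lookup_route(dst: str) -> Optional[str]:
    """Longest-prefix match over ROUTES; returns the egress interface."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, iface in ROUTES:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def default_source(dst: str) -> Optional[str]:
    """Source address the kernel picks when none is given (i.e. no -I)."""
    iface = lookup_route(dst)
    return IFACE_ADDR.get(iface) if iface else None


def match_policy(src: str, dst: str) -> Optional[Policy]:
    """First SPD entry whose selectors cover the (src, dst) pair, if any."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pol in SPD:
        if s in pol.local_net and d in pol.remote_net:
            return pol
    return None


def classify(src: str, dst: str):
    """('tunnel', peer) if the SPD matches, else ('plain', iface) via the
    routing table, else ('unreachable', None)."""
    pol = match_policy(src, dst)
    if pol is not None:
        return ("tunnel", pol.peer)
    iface = lookup_route(dst)
    return ("plain", iface) if iface else ("unreachable", None)


def ping_path(dst: str, source: Optional[str] = None):
    """Model `ping dst` (source=None) or `ping -I source dst`."""
    src = source if source is not None else default_source(dst)
    if src is None:
        return ("unreachable", None)
    return classify(src, dst)


if __name__ == "__main__":
    # Without -I: source becomes 5.6.7.8, no SPD match, sent plain out eth0
    # (where the router then ARPs for 192.168.0.101, as in the capture).
    print("ping 192.168.0.101               ->", ping_path("192.168.0.101"))
    # With -I 192.168.10.1: SPD matches, encapsulated towards peer 1.2.3.4.
    print("ping -I 192.168.10.1 192.168.0.101 ->",
          ping_path("192.168.0.101", "192.168.10.1"))
```

The same check explains why a host on the 192.168.10.0/24 LAN worked from the start: its packets already carry a source inside the selector, so they never needed -I. When debugging a tunnel that shows as established but passes no traffic, compare the source address the router actually uses (a plain route lookup, as modelled by default_source above) against the tunnel's local selector before suspecting firewalls or the peer.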



 

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
