From: Mathew P. <mat...@ya...> - 2006-02-24 06:01:23
I'm a little confused about whether this is a policy problem or a routing problem. I have a network-to-network tunnel up from a Linux gateway to a Cisco PIX. I can ping hosts on the Cisco side from the Linux gateway through the tunnel, but not from a PC behind the Linux gateway. I see the encrypted packets going out and the replies coming back in with tcpdump on my WAN (eth0) interface, but only outgoing on the LAN (eth1) interface. Any advice or guesses appreciated. Please let me know if more info is required.

[root@ip68-226-248-142 network-scripts]# ip route list
192.168.1.128/25 dev eth1  proto kernel  scope link  src 192.168.1.129
68.226.248.0/24 dev eth0  proto kernel  scope link  src 68.226.248.142
192.168.128.0/17 via 192.168.1.129 dev eth1  src 192.168.1.129
169.254.0.0/16 dev eth1  scope link
default via 68.226.248.1 dev eth0

[root@ip68-226-248-142 network-scripts]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.128   *               255.255.255.128 U     0      0        0 eth1
68.226.248.0    *               255.255.255.0   U     0      0        0 eth0
192.168.128.0   gateway.pwyxil. 255.255.128.0   UG    0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         ip68-226-248-1. 0.0.0.0         UG    0      0        0 eth0

[root@ip68-226-248-142 network-scripts]# setkey -DP
192.168.128.0/17[any] 192.168.1.128/25[any] any
    in prio def ipsec
    esp/tunnel/12.166.196.7-68.226.248.142/require
    created: Feb 23 23:18:47 2006  lastused: Feb 23 23:41:16 2006
    lifetime: 0(s) validtime: 0(s)
    spid=608 seq=4 pid=8524
    refcnt=1
192.168.1.128/25[any] 192.168.128.0/17[any] any
    out prio def ipsec
    esp/tunnel/68.226.248.142-12.166.196.7/require
    created: Feb 23 23:18:47 2006  lastused: Feb 23 23:41:16 2006
    lifetime: 0(s) validtime: 0(s)
    spid=601 seq=3 pid=8524
    refcnt=1
192.168.128.0/17[any] 192.168.1.128/25[any] any
    fwd prio def ipsec
    esp/tunnel/68.226.248.142-12.166.196.7/require
    created: Feb 23 23:18:47 2006  lastused: Feb 23 23:32:31 2006
    lifetime: 0(s) validtime: 0(s)
    spid=618 seq=2 pid=8524
    refcnt=1
(per-socket policy)
    in none
    created: Feb 23 23:18:47 2006  lastused: Feb 23 23:58:37 2006
    lifetime: 0(s) validtime: 0(s)
    spid=627 seq=1 pid=8524
    refcnt=1
(per-socket policy)
    out none
    created: Feb 23 23:18:47 2006  lastused: Feb 23 23:58:37 2006
    lifetime: 0(s) validtime: 0(s)
    spid=636 seq=0 pid=8524
    refcnt=1

[root@ip68-226-248-142 network-scripts]# setkey -D
12.166.196.7 68.226.248.142
    esp mode=tunnel spi=235650827(0x0e0bbf0b) reqid=0(0x00000000)
    E: 3des-cbc  4194d82c 9c2d5eca 332a3765 5fd5ddda 65b1358f edd72ec3
    A: hmac-sha1  e6c735fc f8a5b36c 465e7d81 fb61f2b9 4abb60a2
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Feb 23 23:18:55 2006   current: Feb 23 23:58:55 2006
    diff: 2400(s)   hard: 3600(s)   soft: 2880(s)
    last: Feb 23 23:18:56 2006      hard: 0(s)      soft: 0(s)
    current: 1270(bytes)    hard: 0(bytes)  soft: 0(bytes)
    allocated: 22   hard: 0 soft: 0
    sadb_seq=1 pid=8525 refcnt=0
68.226.248.142 12.166.196.7
    esp mode=tunnel spi=842359575(0x32356317) reqid=0(0x00000000)
    E: 3des-cbc  8ed81fda baa3d627 d298115f 74a0c807 fcafb9d2 03b34c34
    A: hmac-sha1  292b8875 8b297e0b a8828cbb f82f4a60 dcece038
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Feb 23 23:18:55 2006   current: Feb 23 23:58:55 2006
    diff: 2400(s)   hard: 3600(s)   soft: 2880(s)
    last: Feb 23 23:18:56 2006      hard: 0(s)      soft: 0(s)
    current: 2408(bytes)    hard: 0(bytes)  soft: 0(bytes)
    allocated: 22   hard: 0 soft: 0
    sadb_seq=0 pid=8525 refcnt=0
[root@ip68-226-248-142 network-scripts]#
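An added consistency check, not part of the original message or of ipsec-tools: on Linux 2.6 a gateway that decrypts tunnel-mode ESP and then routes the inner packet on to hosts behind it needs a `fwd` policy, and that policy must carry the same tunnel endpoints (remote-local) as the matching `in` policy, otherwise the decrypted packet fails the forward-path policy check and is silently dropped before it reaches the LAN interface. The script below parses a `setkey -DP` dump into policy entries, reports `fwd` policies whose tunnel endpoints do not mirror their `in` policy (and `in` policies with no `fwd` counterpart at all), and renders the `spdadd` line that would mirror the `in` policy. The dump embedded in it is the SPD dump from the message above; the function and field names are this example's own.

```python
"""Check a `setkey -DP` (ipsec-tools SPD) dump for fwd/in policy mismatches.

Added example for the message above, not code from ipsec-tools or the poster.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SPD dump as posted in the message above (addresses are the poster's, not constructed here).
SPD_DUMP = """\
192.168.128.0/17[any] 192.168.1.128/25[any] any
    in prio def ipsec
    esp/tunnel/12.166.196.7-68.226.248.142/require
    created: Feb 23 23:18:47 2006  lastused: Feb 23 23:41:16 2006
    lifetime: 0(s) validtime: 0(s)
    spid=608 seq=4 pid=8524
    refcnt=1
192.168.1.128/25[any] 192.168.128.0/17[any] any
    out prio def ipsec
    esp/tunnel/68.226.248.142-12.166.196.7/require
    created: Feb 23 23:18:47 2006  lastused: Feb 23 23:41:16 2006
    lifetime: 0(s) validtime: 0(s)
    spid=601 seq=3 pid=8524
    refcnt=1
192.168.128.0/17[any] 192.168.1.128/25[any] any
    fwd prio def ipsec
    esp/tunnel/68.226.248.142-12.166.196.7/require
    created: Feb 23 23:18:47 2006  lastused: Feb 23 23:32:31 2006
    lifetime: 0(s) validtime: 0(s)
    spid=618 seq=2 pid=8524
    refcnt=1
(per-socket policy)
    in none
    created: Feb 23 23:18:47 2006  lastused: Feb 23 23:58:37 2006
    lifetime: 0(s) validtime: 0(s)
    spid=627 seq=1 pid=8524
    refcnt=1
(per-socket policy)
    out none
    created: Feb 23 23:18:47 2006  lastused: Feb 23 23:58:37 2006
    lifetime: 0(s) validtime: 0(s)
    spid=636 seq=0 pid=8524
    refcnt=1
"""

# Entry header: "<src>[<port>] <dst>[<port>] <proto>"; per-socket entries have no such header.
SELECTOR_RE = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")
# Direction line, with or without the "prio ..." field newer ipsec-tools prints.
DIR_RE = re.compile(r"^\s+(in|out|fwd)\s+(?:prio\s+.*?\s+)?(ipsec|none|discard)\b")
TUNNEL_RE = re.compile(r"^\s+esp/tunnel/([\d.]+)-([\d.]+)/(\w+)")
SPID_RE = re.compile(r"^\s+spid=(\d+)")


@dataclass
class Policy:
    src: str                         # selector source (or "(per-socket policy)")
    dst: str = ""
    proto: str = ""
    direction: str = ""              # in / out / fwd
    level: str = ""                  # ipsec / none / discard
    tunnel_src: Optional[str] = None  # outer tunnel source address
    tunnel_dst: Optional[str] = None  # outer tunnel destination address
    tunnel_level: str = "require"
    spid: int = -1

    @property
    def key(self) -> Tuple[str, str, str]:
        return (self.src, self.dst, self.proto)


def parse_spd(dump: str) -> List[Policy]:
    """Split the dump into entries; a new entry starts at every non-indented line."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = SELECTOR_RE.match(line)
            cur = (Policy(src=m.group(1), dst=m.group(3), proto=m.group(5))
                   if m else Policy(src=line.strip()))
            policies.append(cur)
            continue
        if cur is None:
            continue
        if (m := DIR_RE.match(line)):
            cur.direction, cur.level = m.group(1), m.group(2)
        elif (m := TUNNEL_RE.match(line)):
            cur.tunnel_src, cur.tunnel_dst, cur.tunnel_level = m.group(1), m.group(2), m.group(3)
        elif (m := SPID_RE.match(line)):
            cur.spid = int(m.group(1))
    return policies


def check_fwd_policies(policies: List[Policy]) -> List[Tuple[int, str]]:
    """Return (spid, problem) for fwd policies that do not mirror their in policy,
    and for in policies that have no fwd counterpart (forwarded traffic is dropped)."""
    findings: List[Tuple[int, str]] = []
    ins: Dict[Tuple[str, str, str], Policy] = {
        p.key: p for p in policies if p.direction == "in" and p.level == "ipsec"}
    fwd_keys = {p.key for p in policies if p.direction == "fwd"}
    for p in policies:
        if p.direction != "fwd":
            continue
        ref = ins.get(p.key)
        if ref is None:
            findings.append((p.spid, "fwd policy has no matching in policy"))
        elif (p.tunnel_src, p.tunnel_dst) != (ref.tunnel_src, ref.tunnel_dst):
            findings.append((p.spid, f"fwd tunnel {p.tunnel_src}-{p.tunnel_dst} does not mirror "
                                     f"in tunnel {ref.tunnel_src}-{ref.tunnel_dst} (spid={ref.spid})"))
    for key, p in ins.items():
        if key not in fwd_keys:
            findings.append((p.spid, "in policy has no fwd counterpart; decrypted packets "
                                     "routed to other hosts will be dropped"))
    return findings


def render_fwd_fix(in_policy: Policy) -> str:
    """setkey(8) spdadd line for a fwd policy that mirrors the given in policy."""
    return (f"spdadd {in_policy.src} {in_policy.dst} {in_policy.proto} -P fwd ipsec "
            f"esp/tunnel/{in_policy.tunnel_src}-{in_policy.tunnel_dst}/{in_policy.tunnel_level};")


if __name__ == "__main__":
    pols = parse_spd(SPD_DUMP)
    for spid, problem in check_fwd_policies(pols):
        print(f"spid={spid}: {problem}")
    for p in pols:
        if p.direction == "in" and p.level == "ipsec":
            print("expected fwd policy:", render_fwd_fix(p))
```

Run against a live box with `setkey -DP | python3 spdcheck.py` after replacing the embedded dump with `sys.stdin.read()`; the `lastused` timestamps in a dump are a second quick tell, since a `fwd` policy that is never hit will stop updating while the `in` policy keeps advancing.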