From: Eduard G. <edu...@gm...> - 2006-11-22 12:34:49
The problem was in the other side! They asked me to configure a GRE tunnel and they were using IPIP encapsulation... may they rot in hell!

2006/11/19, Eduard GV <edu...@gm...>:
> Hi all, this may seem a newbie question, …but I'm stuck…
>
> Brief version:
>
> How can I watch the contents of an incoming ESP packet (being in the
> box that has established the tunnel)?
>
> Extended version:
>
> I've been trying to configure a tunnel with a distant office from
> which I can't get any kind of information (about their
> hardware/software, pings are not allowed, etc.). I only know their
> public IP (let's say a.b.c.d) and their tunnel side's IP (1.2.3.4). In
> the same way, my IPs are: e.f.g.h and 1.2.3.5.
>
> We are supposed to be exchanging multicast RIPv2 packets with routing
> information about each other side's private ranges. I use the same
> machine (e.f.g.h) for tunnelling, IPsecuring and routing. But neither
> them, nor my router are learning those routes. I can see ESP packets
> going in and out of my public interface every 30s, as is expected
> from RIP (I'm receiving and sending RIP messages, but they seem not
> to have effect).
>
> I would like to watch the contents of those packets so that I can see
> where the problem is. How can I know if those packets are right?
> Should I see unencrypted packets when sniffing the new tun0 interface?
> I can see the packets I send, but I can't see any packets coming from
> the other side (although ESP packets are arriving).
>
>
> --- The tunnel is made with:
> ip tunnel add name tun0 mode gre remote a.b.c.d local e.f.g.h ttl 255
> ifconfig tun0 up 1.2.3.5 netmask 255.255.255.252 pointopoint 1.2.3.4
> mtu 1500 multicast
> ----
> IPsec has been properly established (I see ESP messages), though I
> obtain a "such policy does not already exist" error (which I don't
> think is important, …right?)
>
> ---racoon.conf
> path pre_shared_key "/etc/racoon/psk.txt";
> path certificate "/etc/racoon/certs";
>
> listen {
>         isakmp e.f.g.h [500];
>         isakmp_natt e.f.g.h [4500];
> }
>
> remote a.b.c.d {
>         exchange_mode main;
>         peers_identifier address;
>         my_identifier address;
>         nat_traversal on;
>         proposal {
>                 encryption_algorithm des;
>                 hash_algorithm md5;
>                 authentication_method pre_shared_key;
>                 dh_group 1;
>                 lifetime time 10000 sec;
>         }
>         generate_policy on;
> }
> sainfo address e.f.g.h/32[any] any address a.b.c.d/32[any] any {
>         lifetime time 3600 sec;
>         encryption_algorithm des;
>         authentication_algorithm hmac_md5;
>         compression_algorithm deflate;
> }
> ----
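As an added example, not part of this thread: a small Python check that parses the outer IPv4 header of a packet captured after IPsec decapsulation and compares its protocol number with the local `ip tunnel ... mode`, which would have exposed the GRE (proto 47) versus IPIP (proto 4) mismatch found above. The addresses 192.0.2.1 and 198.51.100.1 stand in for a.b.c.d and e.f.g.h, and the sample packets are constructed.

```python
import socket
import struct

# IANA protocol numbers relevant to this thread
PROTO_NAMES = {4: "IPIP", 17: "UDP", 47: "GRE", 50: "ESP"}
TUNNEL_MODE_PROTO = {"gre": 47, "ipip": 4}   # what `ip tunnel ... mode X` expects to receive

def ipv4_checksum(hdr: bytes) -> int:
    """Standard ones-complement header checksum (returns 0 for a header that already carries a valid one)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 255) -> bytes:
    """Build a minimal IPv4 header (no options) around payload, with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Return the fields needed for tunnel diagnosis plus the payload after any options."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return {"proto": pkt[9], "ttl": pkt[8],
            "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "payload": pkt[ihl:]}

def diagnose_tunnel(pkt: bytes, local_mode: str) -> str:
    """Compare the encapsulation the peer sends with the local tunnel mode."""
    outer = parse_ipv4(pkt)
    expected = TUNNEL_MODE_PROTO[local_mode]
    seen = PROTO_NAMES.get(outer["proto"], str(outer["proto"]))
    if outer["proto"] == expected:
        return f"ok: {outer['src']} sends {seen} (proto {expected}), matching mode {local_mode}"
    if outer["proto"] == 50:
        return "still ESP: capture after IPsec decapsulation, not on the public interface"
    return (f"mismatch: {outer['src']} sends {seen} (proto {outer['proto']}), "
            f"but local tunnel mode {local_mode} expects proto {expected}")

# Constructed samples: the peer (192.0.2.1 for a.b.c.d) sends a RIPv2 response
# (UDP 520 to 224.0.0.9) from its tunnel address 1.2.3.4, once in IPIP and once in GRE.
RIP_UDP = struct.pack("!HHHH", 520, 520, 8 + 4, 0) + b"\x02\x02\x00\x00"
INNER = build_ipv4("1.2.3.4", "224.0.0.9", 17, RIP_UDP)
PEER_IPIP = build_ipv4("192.0.2.1", "198.51.100.1", 4, INNER)
PEER_GRE = build_ipv4("192.0.2.1", "198.51.100.1", 47, struct.pack("!HH", 0, 0x0800) + INNER)

if __name__ == "__main__":
    print(diagnose_tunnel(PEER_IPIP, "gre"))   # the situation in this thread
    print(diagnose_tunnel(PEER_GRE, "gre"))
```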