
#40 Packets do not pass through tunnel

racoon
closed
nobody
5
2009-01-16
2006-10-25
peter_teslenko
No

I have two GWs, one on Debian and one on Ubuntu.
Look at http://www.mcicb.ru/~peter/sgorod-zhef-VPN.jpg

On Debian

uskov@sgorod-gw:~/apps$ apt-cache policy racoon
racoon:
Installed: 1:0.6.6-3
Candidate: 1:0.6.6-3
Version Table:
*** 1:0.6.6-3 0
990 ftp://ftp.fi.debian.org testing/main Packages
400 ftp://ftp.fi.debian.org unstable/main Packages
100 /var/lib/dpkg/status
1:0.5.2-1sarge1 0
600 ftp://ftp.fi.debian.org stable/main Packages

uskov@sgorod-gw:~/apps$ apt-cache policy ipsec-tools
ipsec-tools:
Installed: 1:0.6.6-3
Candidate: 1:0.6.6-3
Version Table:
*** 1:0.6.6-3 0
990 ftp://ftp.fi.debian.org testing/main Packages
400 ftp://ftp.fi.debian.org unstable/main Packages
100 /var/lib/dpkg/status
1:0.5.2-1sarge1 0
600 ftp://ftp.fi.debian.org stable/main Packages

Kernels
uskov@sgorod-gw:~/apps$ dpkg -l|grep linux-image
ii linux-image-2.6-686 2.6.17+2 Linux kernel 2.6 image on PPro/Celeron/PII/P
ii linux-image-2.6.17-2-686 2.6.17-9 Linux 2.6.17 image on PPro/Celeron/PII/PIII/
ii linux-image-2.6.18-1-686 2.6.18-3 Linux 2.6.18 image on PPro/Celeron/PII/PIII/

On Ubuntu

peter@gw:~$ apt-cache policy racoon
racoon:
Installed: 1:0.6.6-1ubuntu1
Candidate: 1:0.6.6-1ubuntu1
Version table:
*** 1:0.6.6-1ubuntu1 0
450 http://fi.archive.ubuntu.com edgy/main Packages
100 /var/lib/dpkg/status
1:0.6.5-4ubuntu1 0
600 http://fi.archive.ubuntu.com dapper/main Packages
peter@gw:~$ apt-cache policy ipsec-tools
ipsec-tools:
Installed: 1:0.6.6-1ubuntu1
Candidate: 1:0.6.6-1ubuntu1
Version table:
*** 1:0.6.6-1ubuntu1 0
450 http://fi.archive.ubuntu.com edgy/main Packages
100 /var/lib/dpkg/status
1:0.6.5-4ubuntu1 0
600 http://fi.archive.ubuntu.com dapper/main Packages

peter@gw:~$ dpkg -l|grep linux-image
rc linux-image-2.6.15-26-386 2.6.15-26.47 Linux kernel image for version 2.6.15 on 386
ii linux-image-2.6.15-27-386 2.6.15-27.48 Linux kernel image for version 2.6.15 on 386
ii linux-image-2.6.17-10-generic 2.6.17-10.33 Linux kernel image for version 2.6.17 on x86
ii linux-image-386 2.6.15.25 Linux kernel image on 386.

Conf files from Ubuntu.

/etc/racoon/racoon.conf

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/cert";

log debug;

padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

listen
{
isakmp 87.237.xxx.xxx [500];
isakmp_natt 87.237.xxx.xxx [4500];
}

timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.

# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
natt_keepalive 10sec;
}

remote 84.52.xxx.xxx {
exchange_mode main,aggressive;
nat_traversal on;
doi ipsec_doi;
situation identity_only;
initial_contact on;
proposal_check obey;

proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}

sainfo address 192.168.7.0/24 any address 192.168.1.0/24 any {
pfs_group modp768;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

==================================
/etc/ipsec-tools.conf
==================================

#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

spdadd 192.168.7.0/24 192.168.1.0/24 any
-P out ipsec
esp/tunnel/87.237.xxx.xxx-84.52.xxx.xxx/require;

spdadd 192.168.1.0/24 192.168.7.0/24 any
-P in ipsec
esp/tunnel/84.52.xxx.xxx-87.237.xxx.xxx/require;

spdadd 192.168.1.0/24 192.168.7.0/24 any
-P fwd ipsec
esp/tunnel/84.52.xxx.xxx-87.237.xxx.xxx/require;

==================================
Syslog from Ubuntu is in the attached file.

tcpdump from Ubuntu (ping 192.168.1.21 from 192.168.7.32)
root@gw:/etc/iptables# tcpdump -n -i eth0 not port 22 and not port 53 and not arp and not ipx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:46:16.969172 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 11, length 64
17:46:17.969172 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 12, length 64
17:46:18.969184 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 13, length 64
17:46:19.969196 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 14, length 64
17:46:20.969207 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 15, length 64
17:46:21.969233 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 16, length 64
17:46:22.969214 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 17, length 64
17:46:23.969288 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 18, length 64
17:46:24.969208 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 19, length 64
17:46:25.969243 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 20, length 64

Last correctly working tunnel

2.6.15 - 2.6.15

Why?
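A diagnostic added here (not part of the original report or of ipsec-tools): a Python checker that parses an SPD in the setkey form above together with a tcpdump capture of the outside interface, and labels cleartext packets that a "require" policy should have covered. Gateway addresses, the SPI and the capture lines are constructed stand-ins for the masked values on the page; the first capture line mirrors the report's, a packet to 192.168.1.21 leaving unencrypted with the gateway's own address as source, which the checker reports as consistent with source NAT being applied before the IPsec policy lookup.

```python
import ipaddress
import re

# Constructed stand-ins for the page's masked gateway addresses (87.237.xxx.xxx
# on the Ubuntu side, 84.52.xxx.xxx on the Debian side).
UBUNTU_GW, DEBIAN_GW = "198.51.100.1", "203.0.113.2"

# SPD in the shape of the page's /etc/ipsec-tools.conf (one spdadd per line).
SPD = f"""
spdadd 192.168.7.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/{UBUNTU_GW}-{DEBIAN_GW}/require;
spdadd 192.168.1.0/24 192.168.7.0/24 any -P in ipsec esp/tunnel/{DEBIAN_GW}-{UBUNTU_GW}/require;
"""
# Constructed tcpdump lines in the page's format; the first mirrors the report.
CAPTURE = f"""
17:46:16.969172 IP {UBUNTU_GW} > 192.168.1.21: ICMP echo request, id 8993, seq 11, length 64
17:46:17.100000 IP 192.168.7.32 > 192.168.1.21: ICMP echo request, id 8993, seq 12, length 64
17:46:17.200000 IP {UBUNTU_GW} > {DEBIAN_GW}: ESP(spi=0x0000abcd,seq=0x3), length 116
17:46:17.300000 IP {UBUNTU_GW} > 192.0.2.9: ICMP echo request, id 1, seq 1, length 64
"""
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out|fwd)\s+ipsec\s+"
                    r"esp/tunnel/([\d.]+)-([\d.]+)/(\w+)")
PKT_RE = re.compile(r"^\S+\s+IP\s+(\S+)\s+>\s+(\S+):\s+(\S+)")

def parse_spd(text):
    """Keep only the 'out' policies as (src_net, dst_net, tunnel_src, level)."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), ts, lvl)
            for s, d, direction, ts, _td, lvl in SPD_RE.findall(text) if direction == "out"]

def classify(line, policies):
    m = PKT_RE.match(line)
    if not m:
        return None
    src, dst, proto = m.groups()
    if proto.startswith("ESP"):
        return "esp"  # encrypted, as a 'require' policy demands
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, tunnel_src, level in policies:
        if dst_ip not in dst_net or level != "require":
            continue
        if src_ip in src_net:
            return "cleartext_despite_policy"  # selector matched, yet no ESP
        if str(src_ip) == tunnel_src:
            # Source already rewritten to the gateway's own address: consistent with
            # SNAT applied before the SPD lookup, so the selector no longer matches.
            return "snat_before_ipsec"
    return "outside_policy"

def audit(spd_text, capture_text):
    policies = parse_spd(spd_text)
    return [lab for lab in (classify(l, policies) for l in capture_text.splitlines()) if lab]
```

Packets labelled snat_before_ipsec are the ones to check first against the gateway's NAT rules: a masquerade rule that rewrites 192.168.7.0/24 traffic before the SPD lookup removes it from the selector without racoon or setkey logging any error.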

Discussion

  • peter_teslenko
    2006-10-25
    Attachments
  • peter_teslenko
    2006-10-25
    Attachments
  • Timo Teras
    2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to https://trac.ipsec-tools.net/ issue tracker. Thank you.

  • Timo Teras
    2009-01-16

    • status: open --> closed