From: Dominik <d2...@do...> - 2008-10-23 13:31:40

My network is:

A --- eth --- B (NAT) --- internet --- C

A - 192.168.0.2
B - 192.168.0.1 and external IP
C - IP

A and B are both desktop computers
C is a server

PROBLEM:
When I use "B" only, I can easily access "C" via the internet,
but when I turn on "A" all packets crash: all traffic between "B" and "C",
and "A" and "C", stops.

"B" has:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -i eth0 -A INPUT -s "C" -d "B" -p udp --dport 500 -j ACCEPT
iptables -i eth0 -A INPUT -s "B" -d "C" -p udp --dport 500 -j ACCEPT
iptables -i eth0 -A INPUT -s "C" -d "B" -p 50 -j ACCEPT
iptables -i eth0 -A INPUT -s "B" -d "C" -p 50 -j ACCEPT
iptables -i eth0 -A INPUT -s "C" -d "B" -p 51 -j ACCEPT
iptables -i eth0 -A INPUT -s "B" -d "C" -p 51 -j ACCEPT

I suppose the iptables configuration is wrong, but I have no clue.
I have struggled with it for ages! I'd appreciate any help. Thank you.

My ipsec.conf is:

spdadd B C any -P out ipsec esp/tunnel/B-C/require;
spdadd C B any -P in ipsec esp/tunnel/C-B/require;

RACOON.CONF:

path pre_shared_key "/etc/racoon/psk.txt";
log notify;

remote anonymous {
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        lifetime time 2 min;    # sec,min,hour
        initial_contact on;
        proposal_check obey;    # obey, strict or claim
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 1;
        lifetime time 2 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
From: VANHULLEBUS Y. <va...@fr...> - 2008-10-23 13:44:34

On Thu, Oct 23, 2008 at 03:02:13PM +0200, ips...@do... wrote:
> My network is:
>
> A --- eth --- B (NAT) --- internet --- C
>
> A - 192.168.0.2
> B - 192.168.0.1 and external IP
> C - IP
>
> A and B are both desktop computers
> C is a server
>
> PROBLEM:
> when I use "B" only I can easily access "C" via the internet,
> but when I turn on "A" all packets crash: all traffic between "B" and "C",
> and "A" and "C" stops.
>
> "B" has:
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -i eth0 -A INPUT -s "C" -d "B" -p udp --dport 500 -j ACCEPT
> iptables -i eth0 -A INPUT -s "B" -d "C" -p udp --dport 500 -j ACCEPT
> iptables -i eth0 -A INPUT -s "C" -d "B" -p 50 -j ACCEPT
> iptables -i eth0 -A INPUT -s "B" -d "C" -p 50 -j ACCEPT
> iptables -i eth0 -A INPUT -s "C" -d "B" -p 51 -j ACCEPT
> iptables -i eth0 -A INPUT -s "B" -d "C" -p 51 -j ACCEPT
>
> I suppose it'd be iptables configuration is wrong but I have no clue.
>
> I struggle with it for ages! I'll appreciate any help. Thank you.

So you only have ONE IPsec tunnel, between B and C, and traffic from A
is tunneled when it reaches B?

If that's right, you may start by changing the size of packets sent
from A through the tunnel.
You can directly reduce the MTU on A's NIC, or change the TCP MSS on the
fly on B (netfilter can do that easily).

Try again with a quite low value (let's say 1000 bytes), and if that
solves your problem, increase it again until you have a good idea of
the limit in your setup.

Yvan.
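Yvan's packet-size suggestion, worked through as an added example (not code from the thread or from ipsec-tools): the growth of an inner packet under ESP tunnel mode for the 3DES-CBC + HMAC-SHA1 proposal in the racoon.conf above, using the RFC 4303 field sizes, and the largest inner packet and TCP MSS that still fit a given path MTU. The NAT-T UDP header is an option; the "aes" entry is an assumption added for comparison.

```python
"""Added example, not code from the thread: ESP tunnel-mode packet growth
for the 3DES-CBC + HMAC-SHA1 proposal in the racoon.conf above (sizes per
RFC 4303: 8-byte ESP header, 8-byte 3DES IV, pad to the 8-byte block,
2-byte trailer, 12-byte HMAC-SHA1-96 ICV), and the largest inner packet
and TCP MSS that still fit a given path MTU."""

IPV4_HDR = 20      # outer IPv4 header added by tunnel mode
TCP_HDR = 20       # inner TCP header without options, for the MSS figure
UDP_HDR = 8        # NAT-T (UDP 4500) encapsulation, when a NAT is in the path
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# cipher -> (IV length, block size); auth -> ICV length, all in bytes.
# "aes" is an assumed extra entry, not something the thread configures.
CIPHERS = {"3des": (8, 8), "aes": (16, 16)}
AUTHS = {"hmac_sha1": 12, "hmac_md5": 12}


def esp_tunnel_size(inner_len, cipher="3des", auth="hmac_sha1", nat_t=False):
    """On-the-wire length of an inner IPv4 packet of inner_len bytes after
    ESP tunnel-mode encapsulation (minimum padding only)."""
    iv, block = CIPHERS[cipher]
    icv = AUTHS[auth]
    # Everything from the inner packet through the trailer is encrypted and
    # therefore padded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    size = IPV4_HDR + ESP_HDR + iv + padded + icv
    return size + UDP_HDR if nat_t else size


def max_inner_len(path_mtu, cipher="3des", auth="hmac_sha1", nat_t=False):
    """Largest inner packet that fits path_mtu without outer fragmentation."""
    n = path_mtu
    while n > 0 and esp_tunnel_size(n, cipher, auth, nat_t) > path_mtu:
        n -= 1
    return n


def tcp_mss_for(path_mtu, cipher="3des", auth="hmac_sha1", nat_t=False):
    """TCP MSS to clamp on the LAN side so full-size segments from A survive
    the tunnel: inner length minus IPv4 and TCP headers."""
    return max_inner_len(path_mtu, cipher, auth, nat_t) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    # A LAN host such as A sends 1500-byte packets by default; after ESP
    # they no longer fit a 1500-byte path, which is the size problem Yvan
    # suspects behind the "only when A is switched on" symptom.
    print("1500-byte inner packet on the wire:", esp_tunnel_size(1500))
    print("max inner length for MTU 1500:", max_inner_len(1500))
    print("TCP MSS to clamp on B:", tcp_mss_for(1500))
    print("same with NAT-T:", tcp_mss_for(1500, nat_t=True))
```

The figures assume minimum ESP padding and a 1500-byte path; a lower MTU somewhere in the path, or extra padding, lowers the usable inner length further, which is why Yvan suggests starting low and working upwards.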
From: Dominik S. <d2...@do...> - 2008-10-23 14:25:53

> So you only have ONE IPsec tunnel, between B and C, and traffic from A
> is tunneled when it reaches B ?
>
> If that's right, you may start by changing the size of packets sent
> from A through the tunnel.
> You can directly reduce MTU on A's NIC, or change tcpmss on the fly on
> B (netfilter can do that easilly).
>
> Try again with a quite low value (let's say 1000 bytes), and if that
> solves your problem, increases it again until you have a good idea of
> the limit in your setup.
>
> Yvan.

Thank you. I will try to do it. But is the rest of my config OK?
I still don't know how it should be here:

THIS:

spdadd 79.187.*.* 79.189.*.* any -P out ipsec
    esp/tunnel/79.187.*.*-79.189.*.*/require;

spdadd 79.189.*.* 79.187.*.* any -P in ipsec
    esp/tunnel/79.189.*.*-79.187.*.*/require;

OR THIS:

#spdadd 192.168.0.0/24 192.168.0.0/24 any -P out ipsec
#    esp/tunnel/79.187.*.*-79.189.*.*/require;

#spdadd 192.168.0.0/24 192.168.0.0/24 any -P in ipsec
#    esp/tunnel/79.189.*.*-79.187.*.*/require;

?

Thanks
From: VANHULLEBUS Y. <va...@fr...> - 2008-10-23 14:54:35

On Thu, Oct 23, 2008 at 04:24:26PM +0200, Dominik Szmek wrote:
[....]
> Thank you. I will try to do it. But is the rest of my configs ok?
> I still don't know how it should be here:
>
> THIS:
>
> spdadd 79.187.*.* 79.189.*.* any -P out ipsec
>     esp/tunnel/79.187.*.*-79.189.*.*/require;
>
> spdadd 79.189.*.* 79.187.*.* any -P in ipsec
>     esp/tunnel/79.189.*.*-79.187.*.*/require;
>
> OR THIS:
>
> #spdadd 192.168.0.0/24 192.168.0.0/24 any -P out ipsec
> #    esp/tunnel/79.187.*.*-79.189.*.*/require;
>
> #spdadd 192.168.0.0/24 192.168.0.0/24 any -P in ipsec
> #    esp/tunnel/79.189.*.*-79.187.*.*/require;

Neither will work: the first one is for "host to host", mostly done in
transport mode (and which is not what you want, if I understood
correctly); the second one is almost what you want to do, but it will
also NOT work, as you have the same network on both endpoints.

Yvan.
From: Dominik <d2...@do...> - 2008-10-24 13:36:36

> A --- eth --- B (NAT) --- internet --- C

> None will work: the first one is for "host to host", mostly done in
> transport mode (and which is not what you want if I understood
> correctly), the second one is almost what you want to do, but it will
> also NOT work, as you have the same network on both endpoints.
>
> Yvan.

Thank you. So now I have this:

spdadd 192.168.3.0/24 192.168.0.0/24 any -P out ipsec
    esp/tunnel/B.B.B.B-C.C.C.C/require;

spdadd 192.168.0.0/24 192.168.3.0/24 any -P in ipsec
    esp/tunnel/C.C.C.C-B.B.B.B/require;

And I have two more doubts:

1. tcpdump at B and C shows unencrypted packets only. Is it OK?

2. DEBUG: no such a SA found: ESP/Tunnel B.B.B.B[0]->C.C.C.C[0]
   Is it OK?

Thank you,
Dominik
From: Dominik <d2...@do...> - 2008-10-31 08:25:32

> A --- eth --- B (NAT) --- internet --- C

> None will work: the first one is for "host to host", mostly done in
> transport mode (and which is not what you want if I understood
> correctly), the second one is almost what you want to do, but it will
> also NOT work, as you have the same network on both endpoints.
>
> Yvan.

Could anyone help me to resolve my doubts? Thank you.

spdadd 192.168.3.0/24 192.168.0.0/24 any -P out ipsec
    esp/tunnel/B.B.B.B-C.C.C.C/require;

spdadd 192.168.0.0/24 192.168.3.0/24 any -P in ipsec
    esp/tunnel/C.C.C.C-B.B.B.B/require;

Doubts:

1. tcpdump at B and C shows unencrypted packets only. Is it OK?

2. The log shows: DEBUG: no such a SA found: ESP/Tunnel B.B.B.B[0]->C.C.C.C[0]
   Is it OK?

Thank you,
Dominik
From: VANHULLEBUS Y. <va...@fr...> - 2008-10-31 08:36:31

On Fri, Oct 31, 2008 at 09:24:17AM +0100, Dominik wrote:
> spdadd 192.168.3.0/24 192.168.0.0/24 any -P out ipsec
>     esp/tunnel/B.B.B.B-C.C.C.C/require;
>
> spdadd 192.168.0.0/24 192.168.3.0/24 any -P in ipsec
>     esp/tunnel/C.C.C.C-B.B.B.B/require;

Yep.

> doubts:
>
> 1. tcpdump at B and C shows unencrypted packets only. Is it ok?

On which NIC are you doing the tcpdump?
On the "internal" NIC (the one which has a 192.168.x.x address), you should
only see unencrypted packets.

On the external NIC (B.B.B.B or C.C.C.C) you should only see ESP packets
(or UDP 4500 packets if NAT-T is used) between your 2 public interfaces.

> 2. log shows: DEBUG: no such a SA found: ESP/Tunnel B.B.B.B[0]->C.C.C.C[0]
>
> is it ok?

The logs probably say other things :-)

Do you have something like "IPsec SA established" in your logs?
Does a "setkey -D" command on the gates show you active SAs?

Yvan.
From: Dominik <d2...@do...> - 2008-10-31 15:23:42

Yes, both ends have "require":

#!/usr/local/sbin/setkey -f

flush;
spdflush;

spdadd 192.168.0.0/24 192.168.3.0/24 any -P out ipsec
    esp/tunnel/B.B.B.B-C.C.C.C/require;

spdadd 192.168.3.0/24 192.168.0.0/24 any -P in ipsec
    esp/tunnel/C.C.C.C-B.B.B.B/require;
From: Dominik <d2...@do...> - 2008-10-31 09:16:45

> > doubts:
> >
> > 1. tcpdump at B and C shows unencrypted packets only. Is it ok?
>
> On which NIC are you doing the tcpdump ?
> On "internal" NIC (the one which have 192.168.x.x address), you should
> only see unencrypted packets.
>
> On external NIC (B.B.B.B or C.C.C.C) you should only see ESP packets
> (or UDP 4500 packets if NAT-T used) between your 2 public interfaces.

The thing is that they are still unencrypted on the external NIC
(B.B.B.B or C.C.C.C).

> > 2. log shows: DEBUG: no such a SA found: ESP/Tunnel
> > B.B.B.B[0]->C.C.C.C[0]
> >
> > is it ok?
>
> Logs probably says other things :-)
>
> Do you have something like "IPsec SA established" in your logs ?
> Does a "setkey -D" command on gates shouw you active SAs ?

Sometimes it says "IPsec SA established".
Also, setkey -D is sometimes empty, sometimes active. It is strange.

# setkey -D
No SAD entries.

# setkey -PD
192.168.3.0/24[any] 192.168.0.0/24[any] any
        in prio def ipsec
        esp/tunnel/B.B.B.B-C.C.C.C/require
        created: Oct 30 12:19:59 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=448 seq=1 pid=17795
        refcnt=1
192.168.0.0/24[any] 192.168.3.0/24[any] any
        out prio def ipsec
        esp/tunnel/C.C.C.C-B.B.B.B/require
        created: Oct 30 12:19:59 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=441 seq=2 pid=17795
        refcnt=1
192.168.3.0/24[any] 192.168.0.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/B.B.B.B-C.C.C.C/require
        created: Oct 30 12:19:59 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=458 seq=3 pid=17795
        refcnt=1

Oct 31 10:12:27 localhost racoon: DEBUG: hmac(modp1024)
Oct 31 10:12:27 localhost racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
Oct 31 10:12:27 localhost racoon: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
Oct 31 10:12:27 localhost racoon: DEBUG: getsainfo pass #2
Oct 31 10:12:27 localhost racoon: DEBUG: my interface: 192.168.1.1 (eth2)
Oct 31 10:12:27 localhost racoon: DEBUG: my interface: 192.168.0.1 (eth1)
Oct 31 10:12:27 localhost racoon: DEBUG: my interface: B.B.B.B (eth0)
Oct 31 10:12:27 localhost racoon: DEBUG: my interface: 127.0.0.1 (lo)
Oct 31 10:12:27 localhost racoon: DEBUG: configuring default isakmp port.
Oct 31 10:12:27 localhost racoon: DEBUG: 4 addrs are configured successfully
Oct 31 10:12:27 localhost racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
Oct 31 10:12:27 localhost racoon: INFO: B.B.B.B[500] used as isakmp port (fd=7)
Oct 31 10:12:27 localhost racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=8)
Oct 31 10:12:27 localhost racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=9)
Oct 31 10:12:27 localhost racoon: DEBUG: pk_recv: retry[0] recv()
Oct 31 10:12:27 localhost racoon: DEBUG: get pfkey X_SPDDUMP message
Oct 31 10:12:27 localhost racoon: DEBUG: pk_recv: retry[0] recv()
Oct 31 10:12:27 localhost racoon: DEBUG: get pfkey X_SPDDUMP message
Oct 31 10:12:27 localhost racoon: DEBUG: sub:0xbfd6bed4: 192.168.0.0/24[0] 192.168.3.0/24[0] proto=any dir=out
Oct 31 10:12:27 localhost racoon: DEBUG: db :0x80b9198: 192.168.3.0/24[0] 192.168.0.0/24[0] proto=any dir=in
Oct 31 10:12:27 localhost racoon: DEBUG: pk_recv: retry[0] recv()
Oct 31 10:12:27 localhost racoon: DEBUG: get pfkey X_SPDDUMP message
Oct 31 10:12:27 localhost racoon: DEBUG: sub:0xbfd6bed4: 192.168.3.0/24[0] 192.168.0.0/24[0] proto=any dir=fwd
Oct 31 10:12:27 localhost racoon: DEBUG: db :0x80b9198: 192.168.3.0/24[0] 192.168.0.0/24[0] proto=any dir=in
Oct 31 10:12:27 localhost racoon: DEBUG: sub:0xbfd6bed4: 192.168.3.0/24[0] 192.168.0.0/24[0] proto=any dir=fwd
Oct 31 10:12:27 localhost racoon: DEBUG: db :0x80ba340: 192.168.0.0/24[0] 192.168.3.0/24[0] proto=any dir=out

What data should I provide you?

THANK YOU
Dominik
From: VANHULLEBUS Y. <va...@fr...> - 2008-10-31 14:36:09

On Fri, Oct 31, 2008 at 10:15:27AM +0100, Dominik wrote:
[...]
> the thing is that they are still unencrypred on external (B.B.B.B or C.C.C.C).

What do you see *exactly*?

Your other logs show that you're running a Linux kernel. There is an
old bug in the Linux kernel (may be fixed now, I just don't know) which
makes tcpdump see both the incoming ESP packet and the incoming
encapsulated packet.

So a host on the way will only see ESP packets, both peers will only
see their outgoing ESP packets, but tcpdump on the peers will see both
the peer's incoming ESP packet and the encapsulated packet.

May it be your problem?

[...]
> sometimes it says: "IPsec SA established"

So, at least sometimes, you have IPsec SAs established....

> also setkey -D sometimes is empty, sometimes is active. It is strange.

You should have something when you have some traffic...

> # setkey -D
> No SAD entries.
> # setkey -PD
> 192.168.3.0/24[any] 192.168.0.0/24[any] any
>         in prio def ipsec
>         esp/tunnel/B.B.B.B-C.C.C.C/require
>         created: Oct 30 12:19:59 2008  lastused:
>         lifetime: 0(s) validtime: 0(s)
>         spid=448 seq=1 pid=17795
>         refcnt=1
> 192.168.0.0/24[any] 192.168.3.0/24[any] any
>         out prio def ipsec
>         esp/tunnel/C.C.C.C-B.B.B.B/require
>         created: Oct 30 12:19:59 2008  lastused:
>         lifetime: 0(s) validtime: 0(s)
>         spid=441 seq=2 pid=17795
>         refcnt=1
> 192.168.3.0/24[any] 192.168.0.0/24[any] any
>         fwd prio def ipsec
>         esp/tunnel/B.B.B.B-C.C.C.C/require
>         created: Oct 30 12:19:59 2008  lastused:
>         lifetime: 0(s) validtime: 0(s)
>         spid=458 seq=3 pid=17795
>         refcnt=1

Do you also have "require" SPD entries on the other peer?

[....]
> what data should I provide you?

For example a tcpdump on both peers and a complete racoon debug
(racoon -dd), but be careful: such data will include sensitive
information such as preshared keys, etc..

Yvan.
From: Dominik <d2...@do...> - 2008-10-31 14:51:11

It kills me!

Yvan, it is not even *established*... This is the whole log after starting
racoon.

Oct 31 15:43:25 localhost racoon: INFO: caught signal 15
Oct 31 15:43:25 localhost racoon: DEBUG: pk_recv: retry[0] recv()
Oct 31 15:43:25 localhost racoon: DEBUG: get pfkey FLUSH message
Oct 31 15:43:26 localhost racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
Oct 31 15:43:26 localhost racoon: INFO: @(#)This product linked OpenSSL
Oct 31 15:43:26 localhost racoon: INFO: Reading configuration from "/etc/racoon.conf"
Oct 31 15:43:26 localhost racoon: DEBUG: call pfkey_send_register for AH
Oct 31 15:43:26 localhost racoon: DEBUG: call pfkey_send_register for ESP
Oct 31 15:43:26 localhost racoon: DEBUG: call pfkey_send_register for IPCOMP
Oct 31 15:43:26 localhost racoon: DEBUG: reading config file /etc/racoon.conf
Oct 31 15:43:26 localhost racoon: DEBUG2: lifetime = 120
Oct 31 15:43:26 localhost racoon: DEBUG2: lifebyte = 0
Oct 31 15:43:26 localhost racoon: DEBUG2: encklen=0
Oct 31 15:43:26 localhost racoon: DEBUG2: p:1 t:1
Oct 31 15:43:26 localhost racoon: DEBUG2: 3DES-CBC(5)
Oct 31 15:43:26 localhost racoon: DEBUG2: SHA(2)
Oct 31 15:43:26 localhost racoon: DEBUG2: 1024-bit MODP group(2)
Oct 31 15:43:26 localhost racoon: DEBUG2: pre-shared key(1)
Oct 31 15:43:26 localhost racoon: DEBUG2:
Oct 31 15:43:26 localhost racoon: DEBUG: hmac(modp1024)
Oct 31 15:43:26 localhost racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
Oct 31 15:43:26 localhost racoon: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
Oct 31 15:43:26 localhost racoon: DEBUG: getsainfo pass #2
Oct 31 15:43:26 localhost racoon: DEBUG2: parse successed.
Oct 31 15:43:26 localhost racoon: DEBUG: my interface: 192.168.1.1 (eth2)
Oct 31 15:43:26 localhost racoon: DEBUG: my interface: 192.168.0.1 (eth1)
Oct 31 15:43:26 localhost racoon: DEBUG: my interface: B.B.B.B (eth0)
Oct 31 15:43:26 localhost racoon: DEBUG: my interface: 127.0.0.1 (lo)
Oct 31 15:43:26 localhost racoon: DEBUG: configuring default isakmp port.
Oct 31 15:43:26 localhost racoon: DEBUG: 4 addrs are configured successfully
Oct 31 15:43:26 localhost racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
Oct 31 15:43:26 localhost racoon: INFO: B.B.B.B[500] used as isakmp port (fd=7)
Oct 31 15:43:26 localhost racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=8)
Oct 31 15:43:26 localhost racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=9)
Oct 31 15:43:26 localhost racoon: DEBUG: pk_recv: retry[0] recv()
Oct 31 15:43:26 localhost racoon: DEBUG: get pfkey X_SPDDUMP message
Oct 31 15:43:26 localhost racoon: DEBUG2: 02120000 1c000200 01000000 00650000 03000500 ff180000 02000000 c0a80300 00000000 00000000 03000600 ff180000 02000000 c0a80000 00000000 00000000 04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000 04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000 04000200 00000000 00000000 000000a0 8e190b49 00000000 00000000 00000000 08001200 02000100 88020000 00000080 30003200 02020000 00000000 00000000 02000000 4fbb589e 00000000 00000000 02000000 4fbd63c2 00000000 00000000
Oct 31 15:43:26 localhost racoon: DEBUG: pk_recv: retry[0] recv()
Oct 31 15:43:26 localhost racoon: DEBUG: get pfkey X_SPDDUMP message
Oct 31 15:43:26 localhost racoon: DEBUG2: 02120000 1c000200 02000000 00650000 03000500 ff180000 02000000 c0a80000 00000000 00000000 03000600 ff180000 02000000 c0a80300 00000000 00000000 04000300 00000000 00000000 000000s0 00000000 00000000 00000000 00000000 04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000 04000200 00000000 00000000 00000000 8e190b49 00000000 00000000 00000000 08001200 02000200 81020000 00000080 30003200 02020000 00000000 00000000 02000000 4fbd63c2 00000000 00000000 02000000 4fbb589e 00000000 00000000
Oct 31 15:43:26 localhost racoon: DEBUG: sub:0xbfbb0d14: 192.168.0.0/24[0] 192.168.3.0/24[0] proto=any dir=out
Oct 31 15:43:26 localhost racoon: DEBUG: db :0x80b9fb8: 192.168.3.0/24[0] 192.168.0.0/24[0] proto=any dir=in
Oct 31 15:43:26 localhost racoon: DEBUG: pk_recv: retry[0] recv()
Oct 31 15:43:26 localhost racoon: DEBUG: get pfkey X_SPDDUMP message
Oct 31 15:43:26 localhost racoon: DEBUG2: 02120000 1c000200 00000000 00650000 03000500 ff180000 02000000 c0a80300 00000000 00000000 03000600 ff180000 02000000 c0a80000 00000000 00000000 04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000 04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000 04000200 00000000 00000000 000000s0 8e190b49 00000000 00000000 00000000 08001200 02000300 92020000 00000080 30003200 02020000 00000000 00000000 02000000 4fbb589e 00000000 00000000 02000000 4fbd63c2 00000000 00000000
Oct 31 15:43:26 localhost racoon: DEBUG: sub:0xbfbb0d14: 192.168.3.0/24[0] 192.168.0.0/24[0] proto=any dir=fwd
Oct 31 15:43:26 localhost racoon: DEBUG: db :0x80b9fb8: 192.168.3.0/24[0] 192.168.0.0/24[0] proto=any dir=in
Oct 31 15:43:26 localhost racoon: DEBUG: sub:0xbfbb0d14: 192.168.3.0/24[0] 192.168.0.0/24[0] proto=any dir=fwd
Oct 31 15:43:26 localhost racoon: DEBUG: db :0x80ba258: 192.168.0.0/24[0] 192.168.3.0/24[0] proto=any dir=out
Oct 31 15:44:58 localhost kernel: device eth0 entered promiscuous mode
From: VANHULLEBUS Y. <va...@fr...> - 2008-10-31 15:06:32

On Fri, Oct 31, 2008 at 03:49:11PM +0100, Dominik wrote:
> It kills me!
>
> Yvan, it is not even *established*... This is the whole log after starting
> racoon.

And you also checked that you have no remaining IPsec SAs (setkey -D
output) during that test?

So that means racoon doesn't get any negotiation request from the kernel
(which should happen when you generate traffic from your LAN to the peer's
LAN), nor from the peer (which should happen when the peer's kernel asks
its IKE daemon to negotiate some SAs).

There is probably "something else" (other IPIP encapsulation? NAT in the
prerouting table? etc....) which prevents packets from matching the SPD
entries....

Yvan.
From: Dominik <d2...@do...> - 2008-10-31 15:26:49

I have only this:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
From: Dominik <d2...@do...> - 2008-10-31 15:32:28

This is the network again:

A --- eth --- B (NAT) --- internet --- C

A - 192.168.3.2
B - 192.168.3.1 and external IP
C - IP and LAN 192.168.0.1

*but* "A" is not always on. Sometimes (now) only B and C are operating. So the
tunnel should work between them also. Right?
From: VANHULLEBUS Y. <va...@fr...> - 2008-10-31 16:32:18

On Fri, Oct 31, 2008 at 04:31:10PM +0100, Dominik wrote:
> This is the network again:
> A --- eth --- B (NAT) --- internet --- C
>
> A - 192.168.3.2
> B - 192.168.3.1 and external IP
> C - IP and LAN 192.168.0.1
>
> *but* "A" is not always on. Sometimes (now) only B and C are operating. So the
> tunnel should work between them also. Right?

Probably not: if you generate some traffic from B to "anything but
its local LAN", it will probably use its public IP address.

So you'll have packets like B.B.B.B->192.168.0.1, which won't match the
IPsec policy.

Yvan.
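Yvan's point about selector matching, demonstrated as an added example (not code from the thread or from ipsec-tools): a minimal parser for the setkey spdadd lines in this thread plus a matcher that reports which packets the gateway's SPD covers. The public addresses B.B.B.B and C.C.C.C are replaced by constructed TEST-NET stand-ins, and the helper names (parse_spd, match_policy, describe) are the example's own.

```python
"""Added example, not code from the thread: parse setkey 'spdadd' policies
and check which packets their selectors cover. Shows why a packet sourced
from B's public address (B.B.B.B->192.168.0.1) matches no policy while
A's traffic does. TEST-NET addresses stand in for B.B.B.B / C.C.C.C."""
import ipaddress
import re

# setkey syntax: spdadd SRC DST PROTO -P DIR ipsec esp/tunnel/SRC-DST/LEVEL;
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+ipsec\s+"
    r"esp/tunnel/(\S+?)-(\S+?)/(require|use|default)\s*;")

B_PUB, C_PUB = "203.0.113.1", "198.51.100.1"   # constructed stand-ins

# The SPD from the thread as loaded on gateway B (constructed text).
SPD_ON_B = f"""
spdadd 192.168.3.0/24 192.168.0.0/24 any -P out ipsec
    esp/tunnel/{B_PUB}-{C_PUB}/require;
spdadd 192.168.0.0/24 192.168.3.0/24 any -P in ipsec
    esp/tunnel/{C_PUB}-{B_PUB}/require;
"""


def parse_spd(text):
    """Turn spdadd lines into policy dicts with ip_network selectors."""
    policies = []
    for m in SPD_RE.finditer(text):
        src, dst, proto, direction, t_src, t_dst, level = m.groups()
        policies.append({
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "proto": proto,
            "dir": direction,
            "tunnel": (ipaddress.ip_address(t_src), ipaddress.ip_address(t_dst)),
            "level": level,
        })
    return policies


def match_policy(policies, src_ip, dst_ip, direction):
    """First policy whose selectors cover src->dst in this direction, else
    None. Only address selectors are modelled; 'any' covers every protocol."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] == direction and src in p["src"] and dst in p["dst"]:
            return p
    return None


def describe(policies, src_ip, dst_ip, direction="out"):
    """Verdict for one packet as the gateway's SPD would treat it."""
    p = match_policy(policies, src_ip, dst_ip, direction)
    if p is None:
        return f"{src_ip}->{dst_ip}: no SPD match, leaves in cleartext"
    return (f"{src_ip}->{dst_ip}: ESP tunnel {p['tunnel'][0]}->"
            f"{p['tunnel'][1]} ({p['level']})")


if __name__ == "__main__":
    spd = parse_spd(SPD_ON_B)
    print(describe(spd, "192.168.3.2", "192.168.0.1"))  # host A: protected
    print(describe(spd, B_PUB, "192.168.0.1"))          # B's public source: no match
    print(describe(spd, "192.168.3.1", "192.168.0.1"))  # B's LAN address: protected
```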
From: Dominik <d2...@do...> - 2008-10-31 16:45:10

> Probably not: if you generate some traffic from B to "anything but
> it's local LAN", it will probably use it's public IP address.
>
> So you'll have packets like: B.B.B.B->192.168.0.1, which won't match
> IPsec policy.

So this could be the problem... So how should I configure it to use it
like I told you before?

A --- eth --- B (NAT) --- internet --- C, where B is also a standalone
desktop/router using the ext IP.

Dominik
From: Dominik <d2...@do...> - 2008-11-05 13:30:00

> Probably not: if you generate some traffic from B to "anything but
> it's local LAN", it will probably use it's public IP address.
>
> So you'll have packets like: B.B.B.B->192.168.0.1, which won't match
> IPsec policy.

You are very close to the problem and this could help me a lot! THANKS!

How should I configure it to use it like I told you before?

A --- eth --- B (NAT) --- internet --- C, where B is also a standalone
desktop/router using the ext IP.

Dominik