From: SourceForge.net <no...@so...> - 2006-10-25 07:46:16

Support Requests item #1584213, was opened at 2006-10-25 11:46
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=1584213&group_id=74601

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: Configuration
Group: racoon
Status: Open
Priority: 5
Private: No
Submitted By: peter_teslenko (peter_teslenko)
Assigned to: Nobody/Anonymous (nobody)
Summary: Packets do not pass through tunnel

Initial Comment:
I have two GWs. One on Debian and one on Ubuntu.
Look at http://www.mcicb.ru/~peter/sgorod-zhef-VPN.jpg

On Debian

uskov@sgorod-gw:~/apps$ apt-cache policy racoon
racoon:
  Installed: 1:0.6.6-3
  Candidate: 1:0.6.6-3
  Version Table:
 *** 1:0.6.6-3 0
        990 ftp://ftp.fi.debian.org testing/main Packages
        400 ftp://ftp.fi.debian.org unstable/main Packages
        100 /var/lib/dpkg/status
     1:0.5.2-1sarge1 0
        600 ftp://ftp.fi.debian.org stable/main Packages
uskov@sgorod-gw:~/apps$ apt-cache policy ipsec-tools
ipsec-tools:
  Installed: 1:0.6.6-3
  Candidate: 1:0.6.6-3
  Version Table:
 *** 1:0.6.6-3 0
        990 ftp://ftp.fi.debian.org testing/main Packages
        400 ftp://ftp.fi.debian.org unstable/main Packages
        100 /var/lib/dpkg/status
     1:0.5.2-1sarge1 0
        600 ftp://ftp.fi.debian.org stable/main Packages

Kernels

uskov@sgorod-gw:~/apps$ dpkg -l|grep linux-image
ii  linux-image-2.6-686        2.6.17+2   Linux kernel 2.6 image on PPro/Celeron/PII/P
ii  linux-image-2.6.17-2-686   2.6.17-9   Linux 2.6.17 image on PPro/Celeron/PII/PIII/
ii  linux-image-2.6.18-1-686   2.6.18-3   Linux 2.6.18 image on PPro/Celeron/PII/PIII/

On Ubuntu

peter@gw:~$ apt-cache policy racoon
racoon:
  Installed: 1:0.6.6-1ubuntu1
  Candidate: 1:0.6.6-1ubuntu1
  Version table:
 *** 1:0.6.6-1ubuntu1 0
        450 http://fi.archive.ubuntu.com edgy/main Packages
        100 /var/lib/dpkg/status
     1:0.6.5-4ubuntu1 0
        600 http://fi.archive.ubuntu.com dapper/main Packages
peter@gw:~$ apt-cache policy ipsec-tools
ipsec-tools:
  Installed: 1:0.6.6-1ubuntu1
  Candidate: 1:0.6.6-1ubuntu1
  Version table:
 *** 1:0.6.6-1ubuntu1 0
        450 http://fi.archive.ubuntu.com edgy/main Packages
        100 /var/lib/dpkg/status
     1:0.6.5-4ubuntu1 0
        600 http://fi.archive.ubuntu.com dapper/main Packages
peter@gw:~$ dpkg -l|grep linux-image
rc  linux-image-2.6.15-26-386      2.6.15-26.47   Linux kernel image for version 2.6.15 on 386
ii  linux-image-2.6.15-27-386      2.6.15-27.48   Linux kernel image for version 2.6.15 on 386
ii  linux-image-2.6.17-10-generic  2.6.17-10.33   Linux kernel image for version 2.6.17 on x86
ii  linux-image-386                2.6.15.25      Linux kernel image on 386.

Config files from Ubuntu.

============================
/etc/racoon/racoon.conf
============================
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/cert";

log debug;

padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomized length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen {
        # ISAKMP on the gateway's public address; UDP 4500 is the NAT-T port.
        isakmp 87.237.xxx.xxx [500];
        isakmp_natt 87.237.xxx.xxx [4500];
}

timer {
        # These values can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
        natt_keepalive 10sec;
}

# Phase 1 (IKE) parameters for the peer gateway.
remote 84.52.xxx.xxx {
        exchange_mode main,aggressive;
        nat_traversal on;
        doi ipsec_doi;
        situation identity_only;
        initial_contact on;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

# Phase 2 (IPsec SA) parameters for the LAN-to-LAN selector.
sainfo address 192.168.7.0/24 any address 192.168.1.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

==================================
/etc/ipsec-tools.conf
==================================
#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

# Local LAN -> remote LAN must leave inside an ESP tunnel between the gateways.
spdadd 192.168.7.0/24 192.168.1.0/24 any -P out ipsec
        esp/tunnel/87.237.xxx.xxx-84.52.xxx.xxx/require;
# Remote LAN -> local LAN, delivered to this host and forwarded on, must arrive in that tunnel.
spdadd 192.168.1.0/24 192.168.7.0/24 any -P in ipsec
        esp/tunnel/84.52.xxx.xxx-87.237.xxx.xxx/require;
spdadd 192.168.1.0/24 192.168.7.0/24 any -P fwd ipsec
        esp/tunnel/84.52.xxx.xxx-87.237.xxx.xxx/require;
==================================

Syslog from Ubuntu is in the attached file.

tcpdump from Ubuntu (ping 192.168.1.21 from 192.168.7.32):

root@gw:/etc/iptables# tcpdump -n -i eth0 not port 22 and not port 53 and not arp and not ipx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:46:16.969172 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 11, length 64
17:46:17.969172 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 12, length 64
17:46:18.969184 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 13, length 64
17:46:19.969196 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 14, length 64
17:46:20.969207 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 15, length 64
17:46:21.969233 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 16, length 64
17:46:22.969214 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 17, length 64
17:46:23.969288 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 18, length 64
17:46:24.969208 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 19, length 64
17:46:25.969243 IP 87.237.xxx.xxx > 192.168.1.21: ICMP echo request, id 8993, seq 20, length 64

Last correctly working tunnel: 2.6.15 - 2.6.15.

Why?

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=541483&aid=1584213&group_id=74601
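A note on reading the capture above, and an added diagnostic that is not part of the report, of racoon or of ipsec-tools. On a gateway whose SPD requires ESP for 192.168.7.0/24 -> 192.168.1.0/24, a correct outbound capture on eth0 should show ESP packets from 87.237.xxx.xxx to 84.52.xxx.xxx, not inner-network ICMP. What the report shows instead is each echo request leaving in the clear with the gateway's own public address as the source rather than 192.168.7.32. That is the pattern produced when a POSTROUTING SNAT/MASQUERADE rule rewrites the source before the SPD selector is evaluated: the rewritten packet no longer matches the 192.168.7.0/24 source of the out policy, so it bypasses IPsec entirely. The report does not show the iptables ruleset (only that the shell was sitting in /etc/iptables), so this is a hypothesis to check, not the reporter's diagnosis. The script below classifies `tcpdump -n` lines against an SPD out entry and separates the three cases a practitioner needs to tell apart: traffic already carried as ESP, traffic matching the selector but leaving unencrypted (policy not applied at all), and traffic whose destination matches but whose source has become the gateway address (source rewritten before the policy lookup). The gateway addresses, the capture lines and the ESP packet are constructed stand-ins for the masked values in the report.

```python
"""Classify outbound packets captured on a Linux IPsec gateway's public
interface against the setkey SPD 'out' policy.

Added example for the report above; not code from racoon or ipsec-tools.
Addresses below are constructed stand-ins for the masked ones in the report.
"""
import ipaddress
import re

# Constructed stand-ins for the masked gateway addresses in the report.
LOCAL_GW = "203.0.113.1"    # stands in for 87.237.xxx.xxx (this gateway)
REMOTE_GW = "198.51.100.1"  # stands in for 84.52.xxx.xxx (peer gateway)

# The '-P out' entry from /etc/ipsec-tools.conf as
# (src_net, dst_net, tunnel_src, tunnel_dst).
SPD_OUT = [("192.168.7.0/24", "192.168.1.0/24", LOCAL_GW, REMOTE_GW)]

# Constructed 'tcpdump -n' lines modelled on the capture in the report, plus
# one ESP packet (what a working tunnel looks like) and one plaintext packet
# whose inner source was not rewritten (policy missing rather than NAT).
SAMPLE_CAPTURE = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:46:16.969172 IP 203.0.113.1 > 192.168.1.21: ICMP echo request, id 8993, seq 11, length 64
17:46:17.969172 IP 203.0.113.1 > 192.168.1.21: ICMP echo request, id 8993, seq 12, length 64
17:46:18.100000 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x0a1b2c3d,seq=0x7), length 116
17:46:19.100000 IP 192.168.7.32 > 192.168.1.21: ICMP echo request, id 9000, seq 1, length 64
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")


def _strip_port(addr: str) -> str:
    """tcpdump -n prints 'a.b.c.d.port' for TCP/UDP; drop the port if present."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def parse_line(line: str):
    """Return (timestamp, src, dst, rest) for one 'tcpdump -n' IP line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["ts"], _strip_port(m["src"]), _strip_port(m["dst"]), m["rest"])


def classify(src: str, dst: str, rest: str, spd=SPD_OUT, local_gw=LOCAL_GW) -> str:
    """Verdict for one packet seen leaving the public interface.

    esp                : already encapsulated, as the policy requires
    policy_not_applied : src and dst match the SPD selector but the packet is in clear
    src_rewritten      : dst matches the selector but src is the gateway's own
                         address, i.e. NAT replaced the inner source before the
                         SPD lookup so the selector no longer matched
    no_policy          : no SPD entry covers this flow
    """
    if rest.startswith("ESP"):
        return "esp"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, _tunnel_src, _tunnel_dst in spd:
        if d in ipaddress.ip_network(dst_net):
            if s in ipaddress.ip_network(src_net):
                return "policy_not_applied"
            if src == local_gw:
                return "src_rewritten"
    return "no_policy"


def diagnose(capture: str, spd=SPD_OUT, local_gw=LOCAL_GW):
    """Classify every parseable line; returns a list of (ts, src, dst, verdict)."""
    results = []
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # tcpdump banner lines, ARP, etc.
        ts, src, dst, rest = parsed
        results.append((ts, src, dst, classify(src, dst, rest, spd, local_gw)))
    return results


def summary(capture: str, spd=SPD_OUT, local_gw=LOCAL_GW) -> dict:
    """Count of packets per verdict, the figure to look at first."""
    counts = {}
    for _ts, _src, _dst, verdict in diagnose(capture, spd, local_gw):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, src, dst, verdict in diagnose(SAMPLE_CAPTURE):
        print(f"{ts} {src} > {dst}: {verdict}")
    print(summary(SAMPLE_CAPTURE))
```

On the constructed sample the two lines modelled on the report come out as `src_rewritten`, which is the case to confirm with `iptables -t nat -L POSTROUTING -n -v` on the gateway. If a MASQUERADE or SNAT rule there covers traffic bound for 192.168.1.0/24, exempt the tunnel traffic from NAT by inserting `iptables -t nat -I POSTROUTING -s 192.168.7.0/24 -d 192.168.1.0/24 -j ACCEPT` above it, check with `setkey -D` that phase 2 SAs are actually present, and repeat the ping: the eth0 capture should then show only ESP between the two gateway addresses. A `policy_not_applied` verdict would instead point at the SPD (`setkey -DP`) not being loaded on the kernel in use.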