Re: freeswan NO PING to remote machines, but from remote "yes"

 
'chris'
Super Advisor

freeswan NO PING to remote machines, but from remote "yes"

hi

I have a big problem with a freeswan gateway
on Linux SuSE 8.2, connected via an ipsec tunnel
to a watchguard firewall.
There are 2 interfaces on the linux gateway:
external eth0 with a public IP (212.X.X.X) and
internal eth1 with an internal IP (192.168.115.1).
my ipsec.conf:
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    forwardcontrol=yes

conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=secret
    #compress=yes
    #leftrsasigkey=%dnsondemand
    #rightrsasigkey=%dnsondemand

conn roadwarrior
    left=%any

conn me-to-anyone
    #left=%defaultroute
    #right=%opportunistic
    #keylife=1h
    #rekey=no
    # for initiator only OE,
    # after putting your key
    #leftid=@myhostname.example.com
    # uncomment this next line to enable it
    # auto=route

conn Firebox1
    left=195.X.X.X
    leftnexthop=%defaultroute
    leftsubnet=192.168.0.0/24
    right=212.X.X.X
    rightnexthop=%defaultroute
    rightsubnet=192.168.115.0/24
    leftupdown=/usr/lib/ipsec/_updown_custom
    auto=start

The ipsec tunnel is working:
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
212.X.X.X * 255.255.255.240 U 0 0 0 eth0
212.X.X.X * 255.255.255.240 U 0 0 0 ipsec0
192.168.0.0 gw.xxx.net 255.255.255.0 UG 0 0 0 ipsec0
192.168.115.0 * 255.255.255.0 U 0 0 0 eth1
default gw.xxx.net 0.0.0.0 UG 0 0 0 eth0

# ipsec verify
Checking your system to see if IPsec was installed and started correctly
Version check and ipsec on-path [OK]
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
DNS checks.
Looking for forward key for ext [FAILED]
Looking for TXT in reverse map: X.X.X.212.in-addr.arpa [OK]
Does the machine have at least one non-private address [OK]

The problem is that I can ping my linux gateway from every remote machine,
but I cannot ping the watchguard or any remote machine from the linux gateway.
The firewall is not active on the linux gateway.
Ports ANY to ANY and ping are allowed
in the watchguard configuration for linux.

what's wrong ?

kind regards
chris


5 REPLIES
U.SivaKumar_2
Honored Contributor

Re: freeswan NO PING to remote machines, but from remote "yes"

Hi,

Run tcpdump icmp and find out whether ping packets actually reach the machine to which you cannot ping.

regards,

U.SivaKumar.
Innovations are made when conventions are broken
Jerome Henry
Honored Contributor

Re: freeswan NO PING to remote machines, but from remote "yes"

Also run ethereal on the Freeswan box while trying to ping, to see if it's not encrypting the icmp 8 packets, which the client might not decrypt for reply 0...

J
You can lean only on what resists you...
'chris'
Super Advisor

Re: freeswan NO PING to remote machines, but from remote "yes"

Sorry, neither of those can help me.

tcpdump icmp shows nothing,
and I don't think ethereal can help me
in this case.

I think there is maybe a routing problem.
I've already tried some route add commands, but they don't help either.

Any other workstations on the gateway site
can ping any remote machine,
but NOT the gateway.

regards
chris


Andy Beal
Frequent Advisor

Re: freeswan NO PING to remote machines, but from remote "yes"

There is a difference between ICMP echo and ICMP echo-reply; something may be filtering out only ICMP echo and not echo-reply. It doesn't indicate a routing problem, because to reply to an ICMP request the routing tables are generally used to find the next hop back to the initiator of the ping.

Andy
'chris'
Super Advisor

Re: freeswan NO PING to remote machines, but from remote "yes"

hi

I found out:

with

ping -I Locale_IP Remote_IP

it is working!

regards
chris
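As an added illustration, not part of the thread: the final post shows that forcing the source address with ping -I makes the ping work. The conn Firebox1 tunnel only covers traffic between leftsubnet and rightsubnet, so a packet the gateway sends from its own public address (outside rightsubnet=192.168.115.0/24) does not match the policy, while one sent from eth1's 192.168.115.1 does. The Python script below parses a constructed ipsec.conf modelled on that conn (198.51.100.1 and 203.0.113.1 are constructed stand-ins for the elided 195.X.X.X and 212.X.X.X) and reports which source/destination pairs the selectors cover.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment modelled on the thread's "conn Firebox1";
# 198.51.100.1 / 203.0.113.1 are stand-ins for the elided 195.X.X.X / 212.X.X.X.
SAMPLE_IPSEC_CONF = """\
conn Firebox1
    left=198.51.100.1
    leftnexthop=%defaultroute
    leftsubnet=192.168.0.0/24
    right=203.0.113.1
    rightnexthop=%defaultroute
    rightsubnet=192.168.115.0/24
    auto=start
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from the indented key=value lines of each conn section."""
    conns, current = {}, None
    for line in text.splitlines():
        body = line.split("#", 1)[0].rstrip()   # drop comments and trailing whitespace
        if not body:
            continue
        head = re.match(r"conn\s+(\S+)$", body)
        if head and not line[:1].isspace():     # section headers start in column 0
            current = conns.setdefault(head.group(1), {})
        elif current is not None and "=" in body:
            key, value = body.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def selectors(conn):
    """Traffic selectors (left_net, right_net); a side without *subnet covers only its own host."""
    def side_net(side):
        return ipaddress.ip_network(conn.get(side + "subnet") or conn[side] + "/32", strict=False)
    return side_net("left"), side_net("right")


def tunnel_covers(conn, src, dst):
    """True if a src->dst packet matches the conn's selectors in either direction."""
    left_net, right_net = selectors(conn)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in right_net and d in left_net) or (s in left_net and d in right_net)


if __name__ == "__main__":
    firebox = parse_conns(SAMPLE_IPSEC_CONF)["Firebox1"]
    remote_host = "192.168.0.10"                   # constructed host behind the Watchguard
    for src in ("203.0.113.1", "192.168.115.1"):   # eth0 (default source) vs eth1 (ping -I)
        covered = tunnel_covers(firebox, src, remote_host)
        print(f"{src} -> {remote_host}: {'in tunnel' if covered else 'NOT in tunnel'}")
```

The public-address case is the one the gateway falls into without ping -I, which is why a tcpdump for ICMP on the far side shows nothing.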