
(usagi-users 02513) Re: (KAME-snap 7949) Re: IPsec & tunnel problem



Michal,

what you may find very useful in the absence of another test system behind
your gateways is to use the -S (on FreeBSD, should be the same on *BSD, and
Linux may use the -s version iirc) flag to ping, which allows you to
specify the source address. I've seen a similar issue to what you are
describing, and concur with Ralf that routing is involved.

Scenario as I see it is that you ping the 192.168.28.1/32 system from your
NetBSD box; this is not a locally connected net, hence the default route is
used, and the IP of the interface connected to the default gateway is used.

See what tcpdump shows up when you are pinging. The kernel will only pick
up packets that match the IP policies.

Best of luck

Barry
--
Barry Irwin
bvi@xxxxxxxxx
http://lair.moria.org


----- Original Message ----- 
From: "Ralf Spenneberg" <lists@xxxxxxxxxxxxxx>
To: <snap-users@xxxxxxxx>
Cc: <usagi-users@xxxxxxxxxxxxxx>
Sent: Tuesday, August 19, 2003 5:38 PM
Subject: (KAME-snap 7949) Re: IPsec & tunnel problem


Hi,

On Tue, 2003-08-19 at 17:01, Michal Ludvig wrote:

> NetBSD 1.6.1
> ----+-------
>      |  10.20.1.16/20 (pcn0), 192.168.16.1/32 (lo0)
>      |
>      |
>      |  10.20.1.28/20 (eth0), 192.168.28.1/32 (lo)
> ----+-------
> Linux 2.6.0-test2

> But when I wanted to make a tunnel between 192.168.16.1/32 and
> 192.168.28.1/32 it didn't work. Racoon was never triggered to create SA
> with the other side (tried to ping 192.168.x.x in both directions, but
> no success).
>
What does your routing table say? Without testing anything I would
suppose the following:
When you ping 192.168.16.1 on the Linux box, the Linux box picks the
10.20.1.28 IP address as source IP address.
Thus the packet would not trigger racoon.
Try the following:
Create a new routing table and a rule so that whenever a packet goes to
192.168.16.1 it uses that table.
Then create a route inside this table that uses 192.168.28.1 as a
source address.

I have not tested it, so your mileage may vary, but it should work ;-)

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto      http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
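The policy-routing fix Ralf describes above (a dedicated routing table selected by a rule on the destination, holding a route that forces 192.168.28.1 as the source), combined with Barry's ping-with-explicit-source check, as an added shell example; this is not code from either poster or from the KAME/USAGI projects. It assumes iproute2 (`ip rule`, `ip route`, `ip route get`) on the Linux box, the addresses from Michal's diagram (the peer 192.168.16.1 reachable via the NetBSD box at 10.20.1.16 on eth0), an arbitrary unused table id of 100, and a Linux iputils `ping`, whose `-I` option accepts a source address where FreeBSD's ping uses `-S`. It prints the commands by default and only changes the system when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example: make packets to the peer's 192.168.16.1 leave with
# 192.168.28.1 as source so they match the IPsec policy and trigger racoon.
# Addresses come from Michal's diagram; TABLE and IFACE are assumptions.
LOCAL_SRC=192.168.28.1     # local /32 on lo (Linux side)
PEER=192.168.16.1          # remote /32 on the NetBSD box's lo0
PEER_GW=10.20.1.16         # NetBSD box's address on the shared /20
IFACE=eth0                 # Linux interface on 10.20.1.0/20
TABLE=100                  # assumed: any unused routing table id

# The two iproute2 commands that implement Ralf's suggestion:
# a rule steering the destination into a table, and a route in that
# table carrying the wanted source address.
policy_route_cmds() {
    printf 'ip rule add to %s/32 table %s\n' "$PEER" "$TABLE"
    printf 'ip route add %s/32 via %s dev %s src %s table %s\n' \
        "$PEER" "$PEER_GW" "$IFACE" "$LOCAL_SRC" "$TABLE"
}

# Apply only on explicit request (needs root); otherwise dry-run.
apply_policy_route() {
    if [ "${APPLY:-0}" = 1 ]; then
        policy_route_cmds | sh -e
    else
        policy_route_cmds | sed 's/^/# would run: /'
    fi
}

# Extract the address after "src" from one line of 'ip route get' output,
# e.g. "192.168.16.1 via 10.20.1.1 dev eth0 src 10.20.1.28". Kept separate
# so the parsing can be exercised without touching the kernel.
src_of_route_line() {
    printf '%s\n' "$1" | sed -n 's/.* src \([0-9.]*\).*/\1/p'
}

# Ask the kernel which source it would pick for the peer. If it is the
# 10.20.1.28 interface address instead of 192.168.28.1, the packet never
# matches the tunnel policy, which is the symptom Michal reported.
check_source() {
    command -v ip >/dev/null 2>&1 || { echo "ip(8) not available" >&2; return 2; }
    line=$(ip route get "$PEER" 2>/dev/null | head -n 1)
    got=$(src_of_route_line "$line")
    if [ "$got" = "$LOCAL_SRC" ]; then
        echo "ok: packets to $PEER leave from $got"
        return 0
    fi
    echo "mismatch: kernel chose source '$got', expected $LOCAL_SRC" >&2
    return 1
}

# Barry's test with an explicit source address: -I on Linux iputils,
# -S on FreeBSD. Run tcpdump on the gateway alongside to see the ESP/IKE.
ping_from_tunnel_addr() {
    ping -c 3 -I "$LOCAL_SRC" "$PEER"
}

apply_policy_route
check_source || :
```

Run it once without `APPLY` to see the commands, then as root with `APPLY=1` and re-run `check_source`; the output of `ip route get 192.168.16.1` should now show `src 192.168.28.1`, and only then is it worth pinging and watching tcpdump for the IKE exchange.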