vpn trouble

VANHULLEBUS Yvan vanhu at FreeBSD.org
Wed Jun 23 08:45:23 UTC 2010


On Wed, Jun 23, 2010 at 10:37:18AM +0200, ralf at dzie-ciuch.pl wrote:
[...]
> > Do you also have later some logs like:
> > <date>: INFO : IPsec-SA established: ESP/Tunnel <IPs> <SPI>
> > 
> 
> Yes I got:
> 
> 2010-06-23 10:18:06: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel
> 95.x.x.x[0]->78.x.x.x[0] spi=224712000(0xd64d540)
> 2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel
> 95.x.x.x[0]->78.x.x.x[0] spi=224712000(0xd64d540)
> 2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel
> 78.x.x.x[0]->95.x.x.x[0] spi=3926551409(0xea0a6b71)
> 2010-06-23 10:25:30: DEBUG:  (proto_id=ESP spisize=4 spi=00000000
> spi_p=00000000 encmode=Tunnel reqid=0:0)
> 2010-06-23 10:25:30: DEBUG: pfkey GETSPI sent: ESP/Tunnel
> 95.x.x.x[0]->78.x.x.x[0] 
> 2010-06-23 10:25:30: DEBUG: pfkey GETSPI succeeded: ESP/Tunnel
> 95.x.x.x[0]->78.x.x.x[0] spi=126966409(0x7915a89)
> 
> Is it good?


Looks like it, but if you still can't ping, you still have an issue
somewhere :-)

First, check that you now have ESP packets going out from your IPsec
gate when you try to ping.


Then, usual issues at that step are:

- something on the way blocks ESP packets. Solution may be to force
  NAT-T (add "nat_traversal force;" line in remote section).

- The IPsec peer has some filtering rules/ACLs which block your traffic
  after IPsec.

- Peer does not have a default route, or something like that which
  prevents it from replying to you.

Anyways, the best tool now to see what happens is tcpdump.... on the
peer's side !!!!


Yvan.
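As an added example (not part of the thread), a small parser for racoon log lines in the format quoted above: it confirms that an IPsec-SA was established in both directions for a given peer pair and flags any GETSPI whose negotiation never reached "established" in the excerpt. The sample log is constructed from the masked lines in the thread; peer addresses and the diagnostic output format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the racoon lines quoted in the thread
# (addresses masked exactly as in the original mail).
SAMPLE_LOG = """\
2010-06-23 10:18:06: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0] spi=224712000(0xd64d540)
2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0] spi=224712000(0xd64d540)
2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel 78.x.x.x[0]->95.x.x.x[0] spi=3926551409(0xea0a6b71)
2010-06-23 10:25:30: DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0] spi=126966409(0x7915a89)
"""

# src[port]->dst[port] spi=<decimal>(<hex>) is the shape racoon uses for SAs.
ENDPOINTS = r"(?P<src>\S+?)\[\d+\]->(?P<dst>\S+?)\[\d+\] spi=(?P<spi>\d+)"
SA_RE = re.compile(r"INFO: IPsec-SA established: \w+/\w+ " + ENDPOINTS)
GETSPI_RE = re.compile(r"pfkey GETSPI succeeded: \w+/\w+ " + ENDPOINTS)


def parse_sas(log):
    """Return ({(src, dst): [spi, ...]} of established SAs,
    {spi: (src, dst)} of GETSPI reservations not yet established)."""
    established = defaultdict(list)
    pending = {}
    for line in log.splitlines():
        m = SA_RE.search(line)
        if m:
            spi = int(m["spi"])
            established[(m["src"], m["dst"])].append(spi)
            pending.pop(spi, None)  # this negotiation completed
            continue
        g = GETSPI_RE.search(line)
        if g:
            pending[int(g["spi"])] = (g["src"], g["dst"])
    return established, pending


def tunnel_status(log, local, peer):
    """Summarise whether SAs exist local->peer and peer->local (assumed
    address roles), plus any negotiation still open at the end of the log."""
    established, pending = parse_sas(log)
    outbound = (local, peer) in established
    inbound = (peer, local) in established
    return {
        "outbound": outbound,
        "inbound": inbound,
        "complete": outbound and inbound,
        "pending_spis": sorted(pending),
    }


if __name__ == "__main__":
    print(tunnel_status(SAMPLE_LOG, "78.x.x.x", "95.x.x.x"))
```

A result with both directions present but a non-empty pending list means the tunnel came up, and the most recent rekey in the excerpt had not finished yet; that is the point at which the ESP/tcpdump check above becomes the next step.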

