Re: ipsec SA Established but can not communicate thru tunnel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Check if there are any firewall rules blocking the packets.
Try a different approach to test

ping -I your_local_ip 192.168.100.202

your_local_Ip = Example 192.168.0.1 ip of your real interface



-- 
========================================
Marcos Aurelio Rodrigues (DEiGrAtiA-33)
<deigratia33@xxxxxxxxx>
CCNA, MCSO
Mirabilia laudo semprer, Dei
========================================

On Feb 4, 2008 11:25 AM, nilesh vaghela <nileshj.vaghela@xxxxxxxxx> wrote:

> We have established ipsec connection between two network with live ip.
>
> As you can see below it says SA established.
>
> But I can not communicate between network or server even.
>
> Followings are the checkpoints.
> Any suggestions are welcom
>
>
> [root@server1 ~<999>]#route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
> Iface
> 192.168.100.0   200.64.85.1     255.255.255.0   UG    0      0        0
> eth0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0
> eth1
> 219.64.85.0     0.0.0.0         255.255.255.0   U     0      0        0
> eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0
> eth1
> 0.0.0.0         200.64.85.1     0.0.0.0         UG    0      0        0
> eth0
>
> #traceroute 192.168.100.202
> traceroute to 192.168.100.202 (192.168.100.202), 30 hops max, 40 byte
> packets
>  1  210.211.249.1.bb-static.vsnl.net.in (210.211.249.1)  24.965 ms
> 26.355 ms  27.420 ms
>  2  172.31.6.1 (172.31.6.1)  29.516 ms  30.131 ms  31.216 ms
>  3  203.200.225.253.static.vsnl.net.in (203.200.225.253)  32.303 ms
> 33.504 ms  34.446 ms
>  4  * * *
>  5  * * *
>  6  * * *
>
> This is what I want to established.
>
>
> 192.168.0.0/24===200.64.85.154---200.64.85.1...200.64.85.1---200.64.85.229===192.168.100.0/24
> ;
> erouted; eroute owner: #2
>
>
> [root@server1 ~]# ipsec auto --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 219.64.85.154
> 000 interface eth0/eth0 219.64.85.154
> 000 interface eth1/eth1 192.168.0.254
> 000 interface eth1/eth1 192.168.0.254
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
> keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
> keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "net-to-net":
>
> 192.168.0.0/24===200.64.85.154---200.64.85.1...200.64.85.1---200.64.85.229===192.168.100.0/24
> ;
> erouted; eroute owner: #2
> 000 "net-to-net":     srcip=unset; dstip=unset; srcup=ipsec _updown;
> dstup=ipsec _updown;
> 000 "net-to-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "net-to-net":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
> interface: eth0; encap: esp;
> 000 "net-to-net":   newest ISAKMP SA: #1; newest IPsec SA: #2;
> 000 "net-to-net":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000
> 000 #2: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA
> established); EVENT_SA_REPLACE in 27886s; newest IPSEC; eroute owner
> 000 #2: "net-to-net" esp.b90bb34b@xxxxxxxxxxxxx
> esp.d81ee274@xxxxxxxxxxxxx tun.0@xxxxxxxxxxxxx tun.0@xxxxxxxxxxxxx
> 000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 2693s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
> 000
>
>
> [root@server1 ~]# service ipsec status
> IPsec running  - pluto pid: 23062
> pluto pid 23062
> 1 tunnels up
> You have new mail in /var/spool/mail/root
> [root@server1 ~]#
>
> [root@server1 ~]# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan Uopenswan-2.4.9-31.el5/K2.6.18-53.el5.028stab051.1 (netkey)
> Checking for IPsec support in kernel                            [OK]
> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
> Checking for RSA private key (/etc/ipsec.d/hostkey.secrets)     [OK]
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                                [DISABLED]
> [root@server1 ~]#
>
>
> --
> Nilesh Vaghela
> ElectroMech
> Redhat Channel Partner and Training Partner
> 74, Nalanda Complex, Satellite Rd, Ahmedabad
> 25, The Emperor, Fatehgunj, Baroda.
> www.electromech.info
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>
-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]

  Powered by Linux