From: Kelly Scroggins <kelly@cliffhanger.com>
To: netfilter@lists.netfilter.org
Subject: Re: 26sec problems
Date: Wed, 6 Apr 2005 07:05:40 -0500
Message-ID: <20050406120540.GC12451@nlb0>
In-Reply-To: <42539B3D.2090407@century.cz>
The first thing that comes to mind is that the rules
defining the traffic that will be encrypted have
to 'match', or rather, be mirrored.
In other words ...
FWA will permit traffic from host-A to host-Z
FWB will permit traffic from host-Z to host-A
You may already have them configured this way, but
it's the first thing I'd check.
kelly
Quoting Petr Titera <P.Titera@century.cz>:
Hello,
I have a problem with 26sec tunnel setup. My network configuration
looks as follows:
        |
        |eth0
    +-------+                                      +-------+
eth1|       |eth2                              eth0|       |eth1
----|  FWA  |------------IPSEC VPN-----------------|  FWB  |----
    |       |                                      |       |
    +-------+                                      +-------+
Both firewalls have kernel version 2.6.10.
I have an ADSL modem connected on eth0 and eth2 at the FWA site. I've set up
a VPN tunnel between both firewalls and there the fun begins.
I can ping the computers in the internal networks from both directions.
Users from the internal network of FWB can connect to computers in the
internal network of FWA without any problem, but
users from the FWA network cannot connect at all.
When I trace traffic from the FWA network to the FWB network I see strange
things happen. SYN packets are transferred, but when the real communication
starts I see this:
on FWA:eth1 I see packets to the other computer
on FWA:eth2 I see packets going to the tunnel and packets coming from the
tunnel without a change
on FWB:eth0 I see packets from the tunnel without a change
on FWB:eth1 I see communication in both directions
BUT on FWA:eth1 I see packets from the other direction as coming from a different
port than the one I connected to:
This is the communication as I see it on the FWA:eth1 port. Note the change from
the http port to the tcpmux port.
09:23:46.372945 IP 192.168.17.200.60424 > 192.168.1.200.http: S 3072626488:3072626488(0) win 5840 <mss 1460,sackOK,timestamp 3092376420 0,nop,wscale 0>
09:23:46.485595 IP 192.168.1.200.http > 192.168.17.200.60424: S 2915082851:2915082851(0) ack 3072626489 win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
09:23:46.485715 IP 192.168.17.200.60424 > 192.168.1.200.http: . ack 1 win 5840 <nop,nop,timestamp 3092376478 0>
09:23:51.963654 IP 192.168.17.200.60424 > 192.168.1.200.http: F 1:1(0) ack 1 win 5840 <nop,nop,timestamp 3092379283 0>
09:23:52.065913 IP 192.168.1.200.tcpmux > 192.168.17.200.60424: . ack 3072626490 win 65535 <nop,nop,timestamp 10752655 3092379283>
09:23:52.066028 IP 192.168.17.200.60424 > 192.168.1.200.tcpmux: R 3072626490:3072626490(0) win 0
09:23:52.171022 IP 192.168.1.200.tcpmux > 192.168.17.200.60424: F 0:0(0) ack 1 win 65535 <nop,nop,timestamp 10752656 3092379283>
Any idea what is wrong?
Petr Titera
--
/\
\ \
) \
) \
) \
<=====>
) /
) /
) /
/ /
\/
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
http://home1.gte.net/res0psau
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
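The port change Petr spotted by eye (replies from 192.168.1.200 arriving from tcpmux instead of http after the FIN) is the kind of thing worth checking mechanically across a whole capture. The script below is an added example, not code from this thread or from netfilter: it parses tcpdump TCP lines of the era (the seven packets from the trace, re-joined one per line, are embedded as constructed sample input), learns each flow's server endpoint from the client's bare SYN, and reports every later packet whose server-side address or port no longer matches. The PORT_NAMES table is an assumption that covers only the service names tcpdump printed in this trace; on a real capture taken with `tcpdump -nn` ports arrive numeric and the table is not consulted.

```python
import re

# Constructed sample input: the seven packets from the trace above, each
# re-joined onto one line where the list archive wrapped it.
TRACE = """\
09:23:46.372945 IP 192.168.17.200.60424 > 192.168.1.200.http: S 3072626488:3072626488(0) win 5840 <mss 1460,sackOK,timestamp 3092376420 0,nop,wscale 0>
09:23:46.485595 IP 192.168.1.200.http > 192.168.17.200.60424: S 2915082851:2915082851(0) ack 3072626489 win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
09:23:46.485715 IP 192.168.17.200.60424 > 192.168.1.200.http: . ack 1 win 5840 <nop,nop,timestamp 3092376478 0>
09:23:51.963654 IP 192.168.17.200.60424 > 192.168.1.200.http: F 1:1(0) ack 1 win 5840 <nop,nop,timestamp 3092379283 0>
09:23:52.065913 IP 192.168.1.200.tcpmux > 192.168.17.200.60424: . ack 3072626490 win 65535 <nop,nop,timestamp 10752655 3092379283>
09:23:52.066028 IP 192.168.17.200.60424 > 192.168.1.200.tcpmux: R 3072626490:3072626490(0) win 0
09:23:52.171022 IP 192.168.1.200.tcpmux > 192.168.17.200.60424: F 0:0(0) ack 1 win 65535 <nop,nop,timestamp 10752656 3092379283>
"""

# tcpdump substitutes /etc/services names for well-known ports unless run
# with -nn.  Assumed mapping: only the names that occur in the trace above.
PORT_NAMES = {"http": 80, "tcpmux": 1}

# 2005-era tcpdump TCP line: "ts IP a.b.c.d.port > e.f.g.h.port: FLAGS ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)$"
)


def port_number(name):
    """Turn '60424' or 'http' into an integer port."""
    return int(name) if name.isdigit() else PORT_NAMES[name]


def parse_trace(text):
    """Parse tcpdump lines into dicts; lines that do not look like TCP are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        packets.append({
            "ts": m["ts"],
            "src": (m["src"], port_number(m["sport"])),
            "dst": (m["dst"], port_number(m["dport"])),
            "flags": m["flags"],
            # a bare SYN carries no ack field; the SYN/ACK and everything after do
            "ack": " ack " in m["rest"],
        })
    return packets


def find_port_rewrites(packets):
    """Learn each flow's server endpoint from the client's SYN, then report every
    later packet whose server-side (ip, port) differs from it.  Returns a list of
    (timestamp, client, expected_server, observed_server, flags)."""
    expected = {}      # client (ip, port) -> server (ip, port) as seen in the SYN
    anomalies = []
    for p in packets:
        if p["flags"] == "S" and not p["ack"]:
            expected[p["src"]] = p["dst"]
            continue
        if p["src"] in expected:            # client -> server direction
            client, server = p["src"], p["dst"]
        elif p["dst"] in expected:          # server -> client direction
            client, server = p["dst"], p["src"]
        else:
            continue                        # flow whose SYN we never saw
        if server != expected[client]:
            anomalies.append((p["ts"], client, expected[client], server, p["flags"]))
    return anomalies


if __name__ == "__main__":
    for ts, client, want, got, flags in find_port_rewrites(parse_trace(TRACE)):
        print(f"{ts} {client[0]}:{client[1]} expected {want[0]}:{want[1]} "
              f"but saw {got[0]}:{got[1]} (flags {flags})")
```

On the trace from the post this flags exactly the last three packets: the two from 192.168.1.200 that now carry source port 1 (tcpmux) instead of 80, and the client's RST answering them. Run the same check on captures from FWA:eth2 and FWB:eth0 (the two tunnel ends Petr listed as "without a change") to pin down on which hop the port is rewritten.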
Thread overview:
2005-04-06 8:18 26sec problems Petr Titera
2005-04-06 12:05 ` Kelly Scroggins [this message]
2005-04-06 13:42 ` Stephen J. McCracken