Linux Netfilter discussions
* 26sec problems
@ 2005-04-06  8:18 Petr Titera
From: Petr Titera @ 2005-04-06  8:18 UTC
  To: netfilter

Hello,

    I have a problem with a 26sec tunnel setup. My network configuration 
looks as follows:

        
          |
          |eth0
      +-------+                                      +-------+
  eth1|       |eth2                              eth0|       |eth1
  ----|  FWA  |------------IPSEC VPN-----------------|  FWB  |----
      |       |                                      |       |
      +-------+                                      +-------+

Both firewalls have kernel version 2.6.10.

I have an ADSL modem connected on eth0 and eth2 at the FWA site. I've set up 
a VPN tunnel between both firewalls and there the fun begins.

    I can ping the computers in the internal networks from both directions.

    Users from the internal network of FWB can connect to computers in the 
internal network of FWA without any problem, but
users from the FWA network cannot connect at all.

    When I trace traffic from the FWA network to the FWB network I see strange 
things happen. SYN packets are transferred, but when the real communication 
starts I see this:

    on FWA:eth1 I see packets to other computer
    on FWA:eth2 I see packets going to tunnel and packets going from 
tunnel without a change
    on FWB:eth0 I see packets from tunnel without a change
    on FWB:eth1 I see communication in both directions

BUT on FWA:eth1 I see packets from the other direction as coming from a 
different port than the one I connected to:

This is the communication as I see it on the FWA:eth1 port. Note the change 
from the http port to the tcpmux port.

09:23:46.372945 IP 192.168.17.200.60424 > 192.168.1.200.http: S 
3072626488:3072626488(0) win 5840 <mss 1460,sackOK,timestamp 3092376420 
0,nop,wscale 0>
09:23:46.485595 IP 192.168.1.200.http > 192.168.17.200.60424: S 
2915082851:2915082851(0) ack 3072626489 win 65535 <mss 1460,nop,wscale 
0,nop,nop,timestamp 0 0,nop,nop,sackOK>
09:23:46.485715 IP 192.168.17.200.60424 > 192.168.1.200.http: . ack 1 
win 5840 <nop,nop,timestamp 3092376478 0>
09:23:51.963654 IP 192.168.17.200.60424 > 192.168.1.200.http: F 1:1(0) 
ack 1 win 5840 <nop,nop,timestamp 3092379283 0>
09:23:52.065913 IP 192.168.1.200.tcpmux > 192.168.17.200.60424: . ack 
3072626490 win 65535 <nop,nop,timestamp 10752655 3092379283>
09:23:52.066028 IP 192.168.17.200.60424 > 192.168.1.200.tcpmux: R 
3072626490:3072626490(0) win 0
09:23:52.171022 IP 192.168.1.200.tcpmux > 192.168.17.200.60424: F 0:0(0) 
ack 1 win 65535 <nop,nop,timestamp 10752656 3092379283>

Any idea what is wrong?


Petr Titera



* Re: 26sec problems
@ 2005-04-06 12:05 ` Kelly Scroggins
From: Kelly Scroggins @ 2005-04-06 12:05 UTC
  To: netfilter

The first thing that comes to mind is that the rules
defining the traffic that will be encrypted have
to 'match', or rather, be mirrored.

In other words ...

  FWA will permit traffic from host-A to host-Z
  FWB will permit traffic from host-Z to host-A

You may already have them configured this way, but
it's the first thing I'd check.

kelly



Quoting Petr Titera <P.Titera@century.cz>:
        [snip]

-- 

   /\                                                                          
   \ \                                                                         
    ) \                                                                        
    )  \                                                                       
    )   \                                                                      
   <=====>                                                                     
    )   /                                                                      
    )  /                                                                       
    ) /                                                                        
   / /    
   \/     

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

http://home1.gte.net/res0psau

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

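The "mirrored" policies Kelly describes, as an added example that is not part of the thread: it writes the SPD for each gateway as setkey(8) entries and checks that the two sides agree. The inner networks 192.168.17.0/24 (FWA) and 192.168.1.0/24 (FWB) are inferred from the trace in the first message; the gateway addresses 192.0.2.1 and 198.51.100.1 are placeholders, and the keying tool is assumed to be setkey (with Openswan the same pairing comes from leftsubnet/rightsubnet in the conn).

```shell
#!/bin/sh
# Added example, not from the thread: the "mirrored" policies Kelly's reply
# asks for, written as setkey(8) SPD entries for a 2.6 native-IPsec tunnel.
# Assumed values (not stated in the thread): FWA's inner net 192.168.17.0/24
# behind 192.0.2.1, FWB's inner net 192.168.1.0/24 behind 198.51.100.1; the
# inner nets are inferred from the trace, the gateway addresses are placeholders.
set -eu

# spd_for LOCAL_NET LOCAL_GW REMOTE_NET REMOTE_GW
# Emits the two tunnel-mode policies one gateway needs: traffic leaving the
# local net for the remote net must go out through the tunnel, and traffic
# arriving from the remote net for the local net must have come in through it.
spd_for() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$1" "$3" "$2" "$4"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$3" "$1" "$4" "$2"
}

# mirrored SPD_A SPD_B
# Exit 0 only if every "out" policy in SPD_A is, with the direction flipped,
# exactly the "in" policy SPD_B has for it: same selector, same endpoints.
# Anything else (a different subnet mask, swapped gateways) is a mismatch.
mirrored() {
    a_out=$(printf '%s\n' "$1" | grep -F -e '-P out' | sed 's/-P out/-P in/')
    b_in=$(printf '%s\n' "$2" | grep -F -e '-P in')
    [ "$a_out" = "$b_in" ]
}

# Stand-alone run: generate both sides, print them as setkey input, and
# check each side's "out" policies against the other side's "in" policies.
FWA=$(spd_for 192.168.17.0/24 192.0.2.1 192.168.1.0/24 198.51.100.1)
FWB=$(spd_for 192.168.1.0/24 198.51.100.1 192.168.17.0/24 192.0.2.1)
printf '# FWA: setkey -c <<EOF\n%s\nEOF\n\n' "$FWA"
printf '# FWB: setkey -c <<EOF\n%s\nEOF\n\n' "$FWB"
if mirrored "$FWA" "$FWB" && mirrored "$FWB" "$FWA"; then
    echo "# SPDs mirror each other"
else
    echo "# SPD mismatch" >&2
    exit 1
fi
```

On a live gateway, `setkey -DP` dumps the installed SPD; feeding the two dumps to `mirrored` is the same comparison against what the kernel actually holds rather than against a config file.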


* Re: 26sec problems
@ 2005-04-06 13:42   ` Stephen J. McCracken
From: Stephen J. McCracken @ 2005-04-06 13:42 UTC
  Cc: netfilter

> Quoting Petr Titera <P.Titera@century.cz>:
[snip]
>         BUT on FWA:eth1 I see packets from the other direction as coming from a 
>         different port than the one I connected to:
>         
>         This is the communication as I see it on the FWA:eth1 port. Note the change 
>         from the http port to the tcpmux port.
[snip]
>         09:23:52.171022 IP 192.168.1.200.tcpmux > 192.168.17.200.60424: F 0:0(0) 
>         ack 1 win 65535 <nop,nop,timestamp 10752656 3092379283>
>         
>         Any idea what is wrong?

I just worked through this same problem and posted the solution on the 
OpenSWAN mailing list.  It is a NAT problem.  Here is my post from the 
OpenSWAN list:

> This is just to get this in the archives as it is solved. (It's a NAT
> problem.)
> 
> I was having trouble with ports being rewritten to port 1.  Example:
> 
> BoxA --- GwA ====== GwB --- BoxB
> 
> GwA running OpenSWAN (openswan-2.1.5-2 Fedora RPM) and GwB a Multitech
> RoutFinder 550 (MT550VPN).
> 
> I would try to ssh from BoxA to BoxB and get this:
> 
> 15:22:35.859664 IP BoxA.38537 > BoxB.22: S 51958428:51958428(0) win 5840
> <mss 1460,sackOK,timestamp 257583923 0,nop,wscale 2>
> 15:22:35.863491 IP BoxB.22 > BoxA.38537: S 3558425983:3558425983(0) ack
> 51958429 win 5792 <mss 1336,sackOK,timestamp 12106235
> 257583923,nop,wscale 2>
> 15:22:35.863555 IP BoxA.38537 > BoxB.22: . ack 1 win 1460
> <nop,nop,timestamp 257583927 12106235>
> 15:22:35.890997 IP BoxB.1 > BoxA.38537: P 3558425984:3558426007(23) ack
> 51958429 win 1448 <nop,nop,timestamp 12106262 257583927>
> 15:22:36.093361 IP BoxB.1 > BoxA.38537: P 0:23(23) ack 1 win 1448
> <nop,nop,timestamp 12106465 257583927>
> 15:22:36.499231 IP BoxB.1 > BoxA.38537: P 0:23(23) ack 1 win 1448
> <nop,nop,timestamp 12106871 257583927>
> 
> I noticed others were having similar problems:
> 
> http://lists.virus.org/users-openswan-0502/msg00239.html
> 
> And found the answer through this post:
> 
> http://lists.virus.org/users-openswan-0407/msg00002.html
> 
> That references this post:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=215980
> 
> I had to add in the following to solve the port 1 problem (inserted at
> position 1 of the nat POSTROUTING chain, ahead of the MASQUERADE rule):
> iptables -t nat -I POSTROUTING 1 -p esp -j ACCEPT


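The nat-table layout behind Stephen's fix, as an added example that is not code from the thread or from Openswan. With native 2.6 IPsec there is no ipsecN device: a packet bound for the tunnel passes nat/POSTROUTING once in cleartext and, after xfrm wraps it, once more as ESP, so any MASQUERADE rule on the WAN interface sees both. Stephen's rule keeps the ESP packet out of NAT; the second exemption below, for cleartext LAN-to-remote-net traffic, is the usual companion so the tunnel selector rather than the masqueraded address is what the peer sees. Assumed values, not from the thread: LAN 192.168.17.0/24 and remote net 192.168.1.0/24 (inferred from the trace), WAN interface eth0; `nat_rules` and `nat_check` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows the nat-table layout a 2.6
# native-IPsec gateway needs when the same box also MASQUERADEs its LAN, and a
# check that the installed layout is right. The ESP exemption is the rule from
# Stephen's reply; the selector exemption is the usual companion to it.
# Assumed values, not from the thread: LAN 192.168.17.0/24, remote net
# 192.168.1.0/24 (both inferred from the trace), WAN interface eth0.
set -eu

IPT=${IPT:-iptables}

# nat_rules LOCAL_NET REMOTE_NET WAN_IF
# Installs, in this order, at the head of nat/POSTROUTING:
#   1. leave ESP alone: the cleartext packet has already been through this
#      chain once and comes back as ESP after xfrm encapsulates it
#   2. leave cleartext LOCAL_NET -> REMOTE_NET alone, so the tunnel
#      selector, not the MASQUERADE address, is the source the peer sees
# and then the ordinary MASQUERADE for everything else leaving WAN_IF.
nat_rules() {
    "$IPT" -t nat -I POSTROUTING 1 -p esp -j ACCEPT
    "$IPT" -t nat -I POSTROUTING 2 -s "$1" -d "$2" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -s "$1" -o "$3" -j MASQUERADE
}

# nat_check REMOTE_NET LISTING
# LISTING is the text of `iptables-save -t nat`. Exit 0 only if both
# exemptions sit in POSTROUTING before the first SNAT/MASQUERADE rule.
nat_check() {
    printf '%s\n' "$2" | awk -v net="$1" '
        /^-A POSTROUTING / {
            n++
            if ($0 ~ /-p esp/ && $0 ~ /-j ACCEPT/ && !esp) esp = n
            if (index($0, "-d " net) && $0 ~ /-j ACCEPT/ && !sel) sel = n
            if ($0 ~ /-j (MASQUERADE|SNAT)/ && !snat) snat = n
        }
        END {
            if (!snat) { print "ok: no SNAT/MASQUERADE in nat POSTROUTING"; exit 0 }
            if (!esp || esp > snat) { print "bad: ESP not exempted before rule " snat; exit 1 }
            if (!sel || sel > snat) { print "bad: " net " not exempted before rule " snat; exit 1 }
            print "ok"; exit 0
        }'
}

# Stand-alone run prints the rules; pass "apply" as $1 to really install them.
[ "${1:-}" = apply ] || IPT=echo
nat_rules 192.168.17.0/24 192.168.1.0/24 eth0
```

To verify a running box: `nat_check 192.168.1.0/24 "$(iptables-save -t nat)"`, then watch `tcpdump -ni eth2 'esp or net 192.168.1.0/24'` while a connection is opened; once NAT is out of the tunnel path the cleartext packets and the ESP packets both carry the LAN source, and the reply comes back on the port the client used. Later 2.6 kernels added `-m policy --dir out --pol ipsec` to match the cleartext pass directly, but that match is not available on 2.6.10, which is why the exemptions above are written by protocol and by selector.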

