IPsec tunnel up but no traffic - Networking



Thread: IPsec tunnel up but no traffic

  1. IPsec tunnel up but no traffic

    Hi all,

    I'm trying to get an IPsec VPN tunnel working between my Fedora
    firewall running ipsec-tools and racoon and a remote Draytek router.
    From the verbose output of racoon I can tell the tunnel between both
    nodes is being built the moment I ping an IP address on the remote LAN
    from my firewall. However, the moment the tunnel is up and running,
    the ping times out with "Destination Host Unreachable". At first I
    thought I had my routing table set up wrong, but then I was told the
    security policies took care of routing and not the routing table.

    Has anyone got a clue what's going on?

    TIA,
    Wouter

  2. Re: IPsec tunnel up but no traffic

    wamsterdam@zesgoes.nl wrote:
    > I'm trying to get an IPsec VPN tunnel working between my Fedora
    > firewall running ipsec-tools and racoon and a remote Draytek router.
    > From the verbose output of racoon I can tell the tunnel between both
    > nodes is being built the moment I ping an IP address on the remote LAN
    > from my firewall. However, the moment the tunnel is up and running,
    > the ping times out with "Destination Host Unreachable". At first I
    > thought I had my routing table set up wrong, but then I was told the
    > security policies took care of routing and not the routing table.
    >
    > Has anyone got a clue what's going on?


    How do you know the tunnel is really up if you can't send anything
    through it?

    The IPSec software should alter the routing, and you can still look at
    it with "netstat -nr" or "ip route."

    I can't comment on your specific setup, but it's sometimes a hassle that
    two different IPSec implementations don't completely work together.

  3. Re: IPsec tunnel up but no traffic

    On 12 aug, 19:40, Allen Kistler wrote:
    > wamster...@zesgoes.nl wrote:
    > > I'm trying to get an IPsec VPN tunnel working between my Fedora
    > > firewall running ipsec-tools and racoon and a remote Draytek router.
    > > From the verbose output of racoon I can tell the tunnel between both
    > > nodes is being built the moment I ping an IP address on the remote LAN
    > > from my firewall. However, the moment the tunnel is up and running,
    > > the ping times out with "Destination Host Unreachable". At first I
    > > thought I had my routing table set up wrong, but then I was told the
    > > security policies took care of routing and not the routing table.
    > >
    > > Has anyone got a clue what's going on?
    >
    > How do you know the tunnel is really up if you can't send anything
    > through it?
    >
    > The IPSec software should alter the routing, and you can still look at
    > it with "netstat -nr" or "ip route."
    >
    > I can't comment on your specific setup, but it's sometimes a hassle that
    > two different IPSec implementations don't completely work together.


    I can tell the tunnel is up from both the web interface of the Draytek
    (it shows the tunnel is up) and from the verbose output of racoon,
    which shows "IP-sec-SA established: ESP/Tunnel 212.115.197.xxx[0] ->
    86.82.197.xxx[0]" and "IP-sec-SA established: ESP/Tunnel
    86.82.197.xxx[0] -> 212.115.197.xxx[0]". But neither "netstat -nr" nor
    "ip route" shows any change at all when the tunnel is up; there is no
    route to the remote network. As I haven't been able to get any tunnel
    working I don't know if this is normal or the route to the remote
    network should be added automagically. If I add the route manually
    with "route add -net 192.168.1.0/24 gw 192.168.0.254" there is also no
    answer from the other side. BTW (excuse my potential noob question)
    what is the difference between "netstat -nr" or "ip route" and the
    "route" command? Don't they all show the routing table?

  4. Re: IPsec tunnel up but no traffic

    On Wed, 13 Aug 2008 00:20:05 -0700, wamsterdam wrote:

    > I can tell the tunnel is up from both the web interface of the Draytek
    > (it shows the tunnel is up) and from the verbose output of racoon,
    > which shows "IP-sec-SA established: ESP/Tunnel 212.115.197.xxx[0] ->
    > 86.82.197.xxx[0]" and "IP-sec-SA established: ESP/Tunnel
    > 86.82.197.xxx[0] -> 212.115.197.xxx[0]". But neither "netstat -nr" nor
    > "ip route" shows any change at all when the tunnel is up; there is no
    > route to the remote network. As I haven't been able to get any tunnel
    > working I don't know if this is normal or the route to the remote
    > network should be added automagically. If I add the route manually
    > with "route add -net 192.168.1.0/24 gw 192.168.0.254" there is also no
    > answer from the other side. BTW (excuse my potential noob question)
    > what is the difference between "netstat -nr" or "ip route" and the
    > "route" command? Don't they all show the routing table?


    can you see the esp packets between the devices? if so your route is ok.

  5. Re: IPsec tunnel up but no traffic

    On 13 aug, 09:44, Burkhard Ott wrote:
    >
    > can you see the esp packets between the devices? if so your route is ok.


    hmm, excuse me for asking, but how can I see the ESP packets?

  6. Re: IPsec tunnel up but no traffic

    On Wed, 13 Aug 2008 01:16:20 -0700, wamsterdam wrote:

    > On 13 aug, 09:44, Burkhard Ott wrote:
    >>
    >> can you see the esp packets between the devices? if so your route is ok.
    >
    > hmm, excuse me for asking, but how can I see the ESP packets?


    e.g. tcpdump
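    As an added example (not part of the thread), a small POSIX shell helper around tcpdump's ESP output that reports whether ESP is seen in each direction between the two gateways; the peer addresses, interface name and capture lines are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a helper around tcpdump to answer
# "can you see the ESP packets between the devices?" and to show which
# direction is missing. Peer addresses 203.0.113.1 (local) and
# 198.51.100.1 (remote) are constructed placeholders.
#
# Live use on the firewall's Internet-facing interface (eth0 assumed):
#   tcpdump -l -n -i eth0 esp | esp_dirs 203.0.113.1 198.51.100.1
# Note: with ipsec-tools/racoon on the Linux native IPsec stack, tunnel
# mode adds no route; the SPD (setkey -DP) selects the traffic and the
# SAD (setkey -D or ip xfrm state) must hold one SA per direction.

# esp_dirs LOCAL REMOTE: reads tcpdump lines on stdin, prints a count per
# direction and returns 0 only when ESP was seen both outbound and inbound.
esp_dirs() {
    local_ip=$1
    remote_ip=$2
    n_out=0
    n_in=0
    while IFS= read -r line; do
        case $line in
            *" $local_ip > $remote_ip: ESP"*) n_out=$((n_out + 1)) ;;
            *" $remote_ip > $local_ip: ESP"*) n_in=$((n_in + 1)) ;;
        esac
    done
    echo "esp out=$n_out in=$n_in"
    if [ "$n_out" -gt 0 ] && [ "$n_in" -gt 0 ]; then return 0; fi
    return 1
}

# Constructed capture: ESP flows both ways, so the tunnel really carries data.
SAMPLE_BOTH='14:02:11.100 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x0000a1b2,seq=0x1), length 116
14:02:11.120 IP 198.51.100.1 > 203.0.113.1: ESP(spi=0x0000c3d4,seq=0x1), length 116
14:02:12.100 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x0000a1b2,seq=0x2), length 116'

# Constructed capture matching the thread's symptom: SAs are established and
# our pings leave as ESP, but nothing ever comes back from the remote gateway.
SAMPLE_ONEWAY='14:05:01.100 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x0000a1b2,seq=0x3), length 116
14:05:02.100 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x0000a1b2,seq=0x4), length 116'

printf '%s\n' "$SAMPLE_BOTH" | esp_dirs 203.0.113.1 198.51.100.1
printf '%s\n' "$SAMPLE_ONEWAY" | esp_dirs 203.0.113.1 198.51.100.1 \
    || echo "outbound only: local SPD and route are fine, look at the remote side"
```

    If no ESP leaves at all, the local SPD or firewall is the place to look; if ESP leaves but none returns, the problem is on the far gateway or in between.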

  7. Re: IPsec tunnel up but no traffic

    On 13 aug, 10:53, Burkhard Ott wrote:
    > On Wed, 13 Aug 2008 01:16:20 -0700, wamsterdam wrote:
    >
    > > On 13 aug, 09:44, Burkhard Ott wrote:
    > >>
    > >> can you see the esp packets between the devices? if so your route is ok.
    > >
    > > hmm, excuse me for asking, but how can I see the ESP packets?
    >
    > e.g. tcpdump


    I'm not sure how, but it seems that restarting shorewall firewall a
    few times solved my routing problems. Tunnel is now up and traffic is
    coming through. Super.

    Wouter
