From: VANHULLEBUS Yvan
To: ralf@dzie-ciuch.pl
Cc: freebsd-net@freebsd.org
Date: Wed, 23 Jun 2010 10:45:19 +0200
Subject: Re: vpn trouble
Message-ID: <20100623084519.GA74491@zeninc.net>
References: <20100622190819.270aaa74@gda-arsenic> <4f378cfb416582c3081377ba714e508a@ewipo.pl> <20100622201130.5824d585@gda-arsenic> <20100622182242.GU2620@verio.net> <20100622204107.6c604c17@gda-arsenic> <20100623080555.GB74303@zeninc.net> <5e8d1141ecf3d922c00114e41585a67f@ewipo.pl> <20100623083228.GA74453@zeninc.net>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On Wed, Jun 23, 2010 at 10:37:18AM +0200, ralf@dzie-ciuch.pl wrote:
[...]
> > Do you also have later some logs like:
> > : INFO : IPsec-SA established: ESP/Tunnel
> >
>
> Yes I got:
>
> 2010-06-23 10:18:06: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0] spi=224712000(0xd64d540)
> 2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0] spi=224712000(0xd64d540)
> 2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel 78.x.x.x[0]->95.x.x.x[0] spi=3926551409(0xea0a6b71)
> 2010-06-23 10:25:30: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
> 2010-06-23 10:25:30: DEBUG: pfkey GETSPI sent: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0]
> 2010-06-23 10:25:30: DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0] spi=126966409(0x7915a89)
>
> Is it good?

Looks like, but if you still can't ping, you still have an issue somewhere :-)

First, check that you now have ESP packets going out from your IPsec gate when you try to ping.

Then, usual issues at that step are:

- something on the way blocks ESP packets. Solution may be to force NAT-T (add "nat_traversal force;" line in remote section).
- IPsec peer has some filtering rules/ACLs which block your traffic after IPsec.
- Peer does not have a default route, or something like that which prevents it from replying to you.

Anyways, the best tool now to see what happens is tcpdump.... on the peer's side !!!!

Yvan.
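The question "Is it good?" above comes down to two checks on the racoon log: did phase 2 produce an SA in *both* directions between the two gateways, and are there SPIs that were reserved (pfkey GETSPI) but never reached "IPsec-SA established" by the end of the capture, which points at a phase 2 exchange that had not completed. The script below is an added example for this thread, not code from the original mail or from racoon; it assumes racoon's default "date time: LEVEL: message" log format as shown in the quoted output, and its sample input is that quoted output with the addresses masked exactly as the poster masked them.

```python
"""Check racoon(8) log lines for a complete pair of ESP SAs.

Added example for this thread (not racoon's own code). Assumes racoon's
default log format: "<date> <time>: <LEVEL>: <message>".
"""
import re
from collections import defaultdict

# Sample input: the log lines quoted in the thread, with the poster's
# address masking ("95.x.x.x", "78.x.x.x") kept as-is.
SAMPLE_LOG = """\
2010-06-23 10:18:06: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0] spi=224712000(0xd64d540)
2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0] spi=224712000(0xd64d540)
2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel 78.x.x.x[0]->95.x.x.x[0] spi=3926551409(0xea0a6b71)
2010-06-23 10:25:30: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2010-06-23 10:25:30: DEBUG: pfkey GETSPI sent: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0]
2010-06-23 10:25:30: DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0] spi=126966409(0x7915a89)
"""

# Matches the two message types that carry an SPI: a finished SA and a
# GETSPI reservation. Other lines (UPDATE, "GETSPI sent", proposal dumps)
# are ignored on purpose.
SA_RE = re.compile(
    r"^(?P<ts>\S+ \S+): (?P<level>\w+): "
    r"(?P<msg>IPsec-SA established|pfkey GETSPI succeeded): "
    r"(?P<proto>\w+)/(?P<mode>\w+) "
    r"(?P<src>[^\[]+)\[\d+\]->(?P<dst>[^\[]+)\[\d+\] "
    r"spi=(?P<spi>\d+)\(0x[0-9a-f]+\)"
)


def parse_sa_events(log_text):
    """Return (timestamp, kind, src, dst, spi) tuples; kind is
    'established' or 'getspi'."""
    events = []
    for line in log_text.splitlines():
        m = SA_RE.match(line)
        if not m:
            continue
        kind = "established" if m["msg"].startswith("IPsec-SA") else "getspi"
        events.append((m["ts"], kind, m["src"], m["dst"], int(m["spi"])))
    return events


def sa_pairs(events):
    """Group established SAs by unordered gateway pair, keyed by
    direction, so a missing direction is visible."""
    pairs = defaultdict(dict)
    for _ts, kind, src, dst, spi in events:
        if kind == "established":
            pairs[frozenset((src, dst))][(src, dst)] = spi
    return pairs


def complete_pairs(events):
    """Gateway pairs that have an SA in both directions; traffic can only
    flow when both exist."""
    return {tuple(sorted(k)) for k, v in sa_pairs(events).items() if len(v) == 2}


def pending_spis(events):
    """SPIs reserved via GETSPI that never appear in an 'IPsec-SA
    established' line within the captured log: a phase 2 exchange that
    was still in progress (or failed) when the log ends."""
    established = {e[4] for e in events if e[1] == "established"}
    reserved = {e[4] for e in events if e[1] == "getspi"}
    return reserved - established


def check(log_text):
    """One-shot summary for a pasted log excerpt."""
    events = parse_sa_events(log_text)
    return {
        "complete_tunnels": complete_pairs(events),
        "pending_spis": pending_spis(events),
    }


if __name__ == "__main__":
    result = check(SAMPLE_LOG)
    for pair in sorted(result["complete_tunnels"]):
        print("SA pair complete between", pair[0], "and", pair[1])
    for spi in sorted(result["pending_spis"]):
        print("SPI %d (0x%x) reserved but no SA established in this excerpt" % (spi, spi))
```

On the quoted excerpt this reports one complete SA pair between 78.x.x.x and 95.x.x.x (the 10:18:06 lines) and one pending SPI from the 10:25:30 GETSPI, which is consistent with Yvan's reading: the tunnel itself was negotiated, so the remaining problem sits after the SA, in ESP transport or on the peer. That is exactly where his next step applies: watching for ESP (IP protocol 50, or UDP port 4500 once NAT-T is forced) leaving the gateway with tcpdump, and then doing the same on the peer.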