Date:      Wed, 23 Jun 2010 10:45:19 +0200
From:      VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To:        ralf@dzie-ciuch.pl
Cc:        freebsd-net@freebsd.org
Subject:   Re:    vpn trouble
Message-ID:  <20100623084519.GA74491@zeninc.net>
In-Reply-To: <a5c9ad94743d6f4d709ce181fb5b1894@ewipo.pl>
References:  <20100622190819.270aaa74@gda-arsenic> <4f378cfb416582c3081377ba714e508a@ewipo.pl> <20100622201130.5824d585@gda-arsenic> <20100622182242.GU2620@verio.net> <20100622204107.6c604c17@gda-arsenic> <e0ec3f73645a733f318ba5664abf6472@ewipo.pl> <20100623080555.GB74303@zeninc.net> <5e8d1141ecf3d922c00114e41585a67f@ewipo.pl> <20100623083228.GA74453@zeninc.net> <a5c9ad94743d6f4d709ce181fb5b1894@ewipo.pl>

On Wed, Jun 23, 2010 at 10:37:18AM +0200, ralf@dzie-ciuch.pl wrote:
[...]
> > Do you also have later some logs like:
> > <date>: INFO : IPsec-SA established: ESP/Tunnel <IPs> <SPI>
> > 
> 
> Yes I got:
> 
> 2010-06-23 10:18:06: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel
> 95.x.x.x[0]->78.x.x.x[0] spi=224712000(0xd64d540)
> 2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel
> 95.x.x.x[0]->78.x.x.x[0] spi=224712000(0xd64d540)
> 2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel
> 78.x.x.x[0]->95.x.x.x[0] spi=3926551409(0xea0a6b71)
> 2010-06-23 10:25:30: DEBUG:  (proto_id=ESP spisize=4 spi=00000000
> spi_p=00000000 encmode=Tunnel reqid=0:0)
> 2010-06-23 10:25:30: DEBUG: pfkey GETSPI sent: ESP/Tunnel
> 95.x.x.x[0]->78.x.x.x[0] 
> 2010-06-23 10:25:30: DEBUG: pfkey GETSPI succeeded: ESP/Tunnel
> 95.x.x.x[0]->78.x.x.x[0] spi=126966409(0x7915a89)
> 
> Is it good?


Looks like, but if you still can't ping, you still have an issue
somewhere :-)

First, check that you now have ESP packets going out from your IPsec
gate when you try to ping.


Then, usual issues at that step are:

- something on the way blocks ESP packets. Solution may be to force
  NAT-T (add "nat_traversal force;" line in remote section).

- IPsec peers have some filtering rules/ACLs which block your traffic
  after IPsec.

- Peer does not have a default route, or something like that which
  prevents it from replying to you.

Anyways, the best tool now to see what happens is tcpdump.... on
peer's side !!!!


Yvan.
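The first thing Yvan asked for was the "IPsec-SA established" lines, one per direction. The following is an added example (not part of the thread or of racoon) that parses racoon log lines in the format quoted above and summarises which ESP SAs exist between the two gateways, and which GETSPI negotiations never reached "established" in the excerpt. The sample log is constructed here with the same masked addresses and SPIs as the quoted message; the helper names are assumptions.

```python
import re

# Constructed excerpt in the quoted racoon format (mail wrapping removed,
# one log record per line); not the poster's actual log file.
SAMPLE_LOG = """\
2010-06-23 10:18:06: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0] spi=224712000(0xd64d540)
2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0] spi=224712000(0xd64d540)
2010-06-23 10:18:06: INFO: IPsec-SA established: ESP/Tunnel 78.x.x.x[0]->95.x.x.x[0] spi=3926551409(0xea0a6b71)
2010-06-23 10:25:30: DEBUG: pfkey GETSPI sent: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0]
2010-06-23 10:25:30: DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 95.x.x.x[0]->78.x.x.x[0] spi=126966409(0x7915a89)
"""

# Matches the two record types we care about: an SA being established and a
# GETSPI completing (an SPI reserved for a negotiation that has not finished).
SA_RE = re.compile(
    r"^(?P<ts>\S+ \S+): (?P<level>\w+): "
    r"(?P<event>IPsec-SA established|pfkey GETSPI succeeded): "
    r"(?P<proto>\w+)/(?P<mode>\w+) "
    r"(?P<src>\S+?)\[\d+\]->(?P<dst>\S+?)\[\d+\] spi=(?P<spi>\d+)"
)


def parse_sa_events(log_text):
    """Return one dict per matching racoon log line, in file order."""
    events = []
    for line in log_text.splitlines():
        m = SA_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["spi"] = int(ev["spi"])
            events.append(ev)
    return events


def sa_status(log_text, local, peer):
    """Summarise ESP SA state between local and peer as seen in the log."""
    outbound, inbound = [], []   # established SPIs, per direction
    pending = {}                 # spi -> direction, GETSPI never established
    for ev in parse_sa_events(log_text):
        direction = (ev["src"], ev["dst"])
        if ev["event"] == "pfkey GETSPI succeeded":
            pending[ev["spi"]] = direction
            continue
        pending.pop(ev["spi"], None)  # negotiation finished for this SPI
        if direction == (local, peer):
            outbound.append(ev["spi"])
        elif direction == (peer, local):
            inbound.append(ev["spi"])
    return {"outbound": outbound, "inbound": inbound,
            "both_directions": bool(outbound and inbound),
            "pending_getspi": sorted(pending)}
```

A GETSPI reported as pending in a live log may simply be a negotiation still in progress; it only becomes suspicious when no matching "established" line ever follows.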



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100623084519.GA74491>