[ProgSoc] Getting ipsec-tools to work between Ubuntu Lucid hosts
John Elliot
jj5 at jj5.net
Fri Jul 29 07:42:57 EST 2011
On 29/07/2011 7:22 AM, Nigel Sheridan-Smith wrote:
> Can you ping?
Yes.
root at charity:~# ping hope.progclub.org.
PING hope.progclub.org (67.207.130.204) 56(84) bytes of data.
64 bytes from hope.progclub.org (67.207.130.204): icmp_seq=1 ttl=63 time=0.632 ms
64 bytes from hope.progclub.org (67.207.130.204): icmp_seq=2 ttl=63 time=0.667 ms
64 bytes from hope.progclub.org (67.207.130.204): icmp_seq=3 ttl=63 time=0.691 ms
Watching tcpdump on hope at the same time:
21:35:54.167762 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x6a): ESP(spi=0x00000201,seq=0x6a), length 88
21:35:54.167900 IP hope > charity.progclub.org: AH(spi=0x00000300,seq=0x45): ESP(spi=0x00000301,seq=0x45), length 88
21:35:55.169247 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x6b): ESP(spi=0x00000201,seq=0x6b), length 88
21:35:55.169348 IP hope > charity.progclub.org: AH(spi=0x00000300,seq=0x46): ESP(spi=0x00000301,seq=0x46), length 88
21:35:56.170669 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x6c): ESP(spi=0x00000201,seq=0x6c), length 88
21:35:56.170775 IP hope > charity.progclub.org: AH(spi=0x00000300,seq=0x47): ESP(spi=0x00000301,seq=0x47), length 88
ICMP echo seems to be being routed through IPSec, successfully.
> What are your configured routes?
root at charity:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
67.207.128.0    *               255.255.255.0   U     0      0        0 eth0
default         67.207.128.1    0.0.0.0         UG    100    0        0 eth0
root at hope:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
67.207.130.0    *               255.255.255.0   U     0      0        0 eth0
default         67.207.130.1    0.0.0.0         UG    100    0        0 eth0
> These [1,2] may be of use... in particular, netstat should indicate packet
> counts on each interface
>
> [1] http://www.netbsd.org/docs/network/ipsec/#pitfalls
> [2] http://ipsec-tools.sourceforge.net/checklist.html
Will read them in a minute.
> I would also temporarily disable IP Tables to see if an empty policy makes
> any difference, at least to rule that out.
root at charity:~# iptables -F
root at charity:~# iptables -L -v
Chain INPUT (policy ACCEPT 85 packets, 7996 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 60 packets, 6304 bytes)
 pkts bytes target     prot opt in     out     source               destination
Dropped IPTables configuration on Charity (IPTables is not configured on
Hope), but I'm experiencing the same problem whereby I can't ssh to/from
either machine. Tcpdump continues to display the IPSec packets during
ssh connection attempts, but ssh "does nothing".
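Added example, not part of the original post or of ipsec-tools: a small Python checker for tcpdump AH/ESP summary lines in the format quoted above. It groups packets by direction, confirms each direction keeps one AH SPI and one ESP SPI (a change would mean a rekey or a second SA), and flags gaps in the AH sequence number, which indicate packets lost somewhere in the path. The sample input is constructed from the lines above with one sequence gap added so the check has something to report.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump output in the post; the reply
# direction jumps from seq 0x46 to 0x48 on purpose to show a detected gap.
SAMPLE = """\
21:35:54.167762 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x6a): ESP(spi=0x00000201,seq=0x6a), length 88
21:35:54.167900 IP hope > charity.progclub.org: AH(spi=0x00000300,seq=0x45): ESP(spi=0x00000301,seq=0x45), length 88
21:35:55.169247 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x6b): ESP(spi=0x00000201,seq=0x6b), length 88
21:35:55.169348 IP hope > charity.progclub.org: AH(spi=0x00000300,seq=0x46): ESP(spi=0x00000301,seq=0x46), length 88
21:35:56.170669 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x6c): ESP(spi=0x00000201,seq=0x6c), length 88
21:35:56.170775 IP hope > charity.progclub.org: AH(spi=0x00000300,seq=0x48): ESP(spi=0x00000301,seq=0x48), length 88
"""

# One tcpdump summary line: timestamp, endpoints, AH header, ESP header, length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): "
    r"AH\(spi=0x(?P<ah_spi>[0-9a-f]+),seq=0x(?P<ah_seq>[0-9a-f]+)\): "
    r"ESP\(spi=0x(?P<esp_spi>[0-9a-f]+),seq=0x(?P<esp_seq>[0-9a-f]+)\), length (?P<len>\d+)$"
)

def parse(text):
    """Parse AH-over-ESP summary lines into dicts; lines in other formats are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("ah_spi", "ah_seq", "esp_spi", "esp_seq"):
                d[k] = int(d[k], 16)
            d["len"] = int(d["len"])
            pkts.append(d)
    return pkts

def check_sas(pkts):
    """Per direction: a single (AH, ESP) SPI pair and AH seq advancing by exactly one."""
    by_dir = defaultdict(list)
    for p in pkts:
        by_dir[(p["src"], p["dst"])].append(p)
    report = {}
    for direction, flow in by_dir.items():
        issues = []
        if len({p["ah_spi"] for p in flow}) != 1 or len({p["esp_spi"] for p in flow}) != 1:
            issues.append("spi-changed")          # rekey or overlapping SA
        for prev, cur in zip(flow, flow[1:]):
            if cur["ah_seq"] != prev["ah_seq"] + 1:
                issues.append(f"ah-seq-gap@{cur['ts']}")  # packet(s) missing in capture
        report[direction] = {"packets": len(flow),
                             "spi": (flow[0]["ah_spi"], flow[0]["esp_spi"]), "issues": issues}
    return report

if __name__ == "__main__":
    for direction, summary in check_sas(parse(SAMPLE)).items():
        print(direction, summary)
```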