[Vpn-help] vpn-release-1.1 communicate with racoon problem
Matthew Grooms
mgrooms at shrew.net
Mon Nov 27 10:20:47 CST 2006
Zhao Tongyi wrote:
> i have captured the esp packets from my linux box, so I think iptables
> work is fine and not blocked the esp packets. Now my question is I don't
> know if ipsec-tools unencapsulate incoming esp packets and forward them
> to the other ethernet card.
>
> thanks
>
Zhao,
You're passing phase1 and phase2 or the client wouldn't be emitting
esp traffic destined to the linux gateway. Try performing a setkey -D
after you have sent a few packets from the client. If you see the byte
counters going up for inbound SA, then you know that the esp packets are
being received and processed properly by the linux kernel. The SPI for
the inbound SA can be obtained by sniffing the inbound esp traffic using
tcpdump.
You have all kinds of NETMAP, MASQUERADE and not a whole lot of
ACCEPT rules in your config. I am inclined to think the traffic is being
dropped. Depending on your config, iptables could be blocking the
packets on another chain. In this case, you would still see the packets
come in but they could be dropped before they are emitted on another
interface. This is why I requested that you temporarily disable iptables
and selinux (if you have it running) and give it a shot. If it works,
you know you just need to tweak your firewall rules a bit. If you still
don't see the packets being forwarded, then there may be another issue.
If the linux box is a production host, I can understand why you wouldn't
want to do that ;)
Thanks,
-Matthew
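The byte-counter check Matthew describes, as an added shell example that is not part of the original thread: it reduces two `setkey -D` snapshots to one line per SA and reports the inbound SAs (destination address equal to the gateway) whose counters grew between the snapshots. The dumps are constructed samples in the ipsec-tools setkey(8) layout, and the gateway address 10.0.0.1 and the SPIs are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): compare two `setkey -D`
# snapshots and report inbound ESP SAs whose byte counters increased.
# Input layout follows setkey(8) from ipsec-tools; the dumps below are
# constructed samples, not real captures, and 10.0.0.1 is a placeholder.

# Reduce a setkey -D dump (stdin) to one line per SA: "src dst spi bytes".
sa_bytes() {
    awk '
        /^[^[:space:]]/ { src = $1; dst = $2; next }      # "src dst" header
        /spi=/ {                                           # hex SPI in parens
            match($0, /\(0x[0-9a-fA-F]+\)/)
            spi = substr($0, RSTART + 1, RLENGTH - 2); next
        }
        /current: [0-9]+\(bytes\)/ {                       # byte counter line
            sub(/.*current: /, ""); sub(/\(bytes\).*/, "")
            print src, dst, spi, $0
        }
    '
}

# Print "spi before after" for SAs whose destination is the gateway ($3)
# and whose byte counter grew between snapshot $1 and snapshot $2.
inbound_delta() {
    {
        printf '%s\n' "$1" | sa_bytes
        printf '%s\n' "$2" | sa_bytes
    } | awk -v gw="$3" '
        $2 != gw { next }                                  # inbound SAs only
        ($3 in seen) { if ($4 + 0 > seen[$3] + 0) print $3, seen[$3], $4; next }
        { seen[$3] = $4 }
    '
}

GATEWAY="10.0.0.1"
SNAP_BEFORE='203.0.113.5 10.0.0.1
    esp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
    created: Nov 27 10:00:00 2006    current: Nov 27 10:05:00 2006
    current: 1024(bytes)    hard: 0(bytes)    soft: 0(bytes)
10.0.0.1 203.0.113.5
    esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
    current: 4096(bytes)    hard: 0(bytes)    soft: 0(bytes)'
# Second snapshot: only the inbound SA's counter has moved (1024 -> 3584).
SNAP_AFTER=$(printf '%s\n' "$SNAP_BEFORE" | sed 's/1024(bytes)/3584(bytes)/')

# Stand-alone run: the inbound SA is reported, the unchanged outbound one is not.
inbound_delta "$SNAP_BEFORE" "$SNAP_AFTER" "$GATEWAY"
```

On a real gateway, capture `setkey -D` before and after sending a few packets from the client and pass those two captures instead of the samples; an SPI that never appears in the output means the kernel is not decrypting that SA's traffic.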