07-20-2014
Hi,
As i can see now, the packets start to go through the right interface with the right address but no reply still. The tunnels after a long time it getting established. If i make service ipsec restart ... the first think what iv got from the ipsec auto --up tunnel name or ipsec auto --status is this:
Quote:
000 #7: "tunnelname":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd; idle; import:admin initiate
000 #7: pending Phase 2 for "tunnelname" replacing #0
After some time the tunnels status is:
Quote:
000 #22: "tunnelname":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27637s; newest IPSEC; eroute owner; isakmp#7; idle; import:admin initiate
000 #22: "tunnelname" esp.b18cc17@<pub_ip_other_site> esp.c59dvg@<pub_ip_my_site> tun.0@<pub_ip_other_site> tun.0@<pub_ip_my_site> ref=0 refhim=4294901761
000 #7: "tunnelname":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 27870s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
Here is the list of the iptables:
Quote:
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MYNAT all -- 172.28.2.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain MYNAT (4 references)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
[Itecor_VPN:main.linux64 ipsec.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
And this is the ping and tracepath results:
Quote:
ping 172.16.3.9
PING 172.16.3.9 (172.16.3.9) 56(84) bytes of data.
^C
--- 172.16.3.9 ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11338ms
tracepath -n 172.16.3.9
1?: [LOCALHOST] pmtu 1464
1: 172.28.2.1 0.943ms pmtu 1446
1: no reply
^C
9 More Discussions You Might Find Interesting
1. Cybersecurity
Hello! I have some trouble trying to configure a VPN with two gateways. One of them uses IPSec with a single key, 256bits length, specified in /etc/ipsec.secrets. As FreeSwan manual page says, if i put esp=3des-md5-96, will be used a "64bit IV key (internally generated), a 192bit 3des ekey and a... (3 Replies)
Discussion started by: eNTer
3 Replies
2. IP Networking
Hello,
I'm trying to setup a gateway VPN between two routers across an unsecured network between two local networks. The routers are both linux and I'm using the ipsec tools, racoon and setkey. So far hosts from either local net can successfully ping hosts on the other local net without issue.
... (0 Replies)
Discussion started by: salukibob
0 Replies
3. BSD
Hi, this is my first post...:p
Hello Admin :)
Can I have an ask for something with my configuration ?
I have finished some kind of the tutorial to build ipsec site to site, and the "step" has finished completely.
I have a simulation with a local design topology with two PC's (FreeBSD ... (0 Replies)
Discussion started by: aulia
0 Replies
4. UNIX for Advanced & Expert Users
How can i implement Ipsec between two machines in linux_ ubuntu?
any link?? suggestion?? (0 Replies)
Discussion started by: elinaz
0 Replies
5. Cybersecurity
hello,
after configuration ipsec in ip4 I can not ping between client and server whereas I had success ping before configuration!
I also generate different key for AH and ESP as i have shown below.
what is my problem and what should i do to have ping and test the configuration?
code:
... (0 Replies)
Discussion started by: elinaz
0 Replies
6. AIX
Hi Guys,
Please could you tell me if it is possible to have a single rule/filter to allow a certain port range instead of a separate rule for each port?
I'm sure it must be possible but I am unable to find the syntax.
Thanks
Chris (4 Replies)
Discussion started by: chrisstevens
4 Replies
7. IP Networking
Hi @all,
I try to connect 2 LANs with IPSec/Openswan
LAN 1: 192.168.0.0/24
LAN 2: 192.168.1.0/24
This is my Config:
conn HomeVPN # # Left security gateway, subnet behind it, nexthop toward right. left=192.168.1.29 ... (1 Reply)
Discussion started by: bahnhasser83
1 Replies
8. IP Networking
Hi all,
I need this as soon as possible to solve it or at least to find out what is the problem.
I have configured IPSec tunnels with Openswan and Cisco ASA, i have established a connection and the ping was fine, but after some time there is request time out from both sites. I don't have ASA... (0 Replies)
Discussion started by: ivancd
0 Replies
9. IP Networking
We are using cyberoam device, VPN IPSEC tunnel is going of frequently even the traffic is throug.
Please suggest what may be the cause for the above mentioned issue.
Also suggest a best tool to monitor the same VPN IPSEC tunnel connectivity. (4 Replies)
Discussion started by: marunmeera
4 Replies
LEARN ABOUT SUSE
racoonctl
RACOONCTL(8) BSD System Manager's Manual RACOONCTL(8)
NAME
racoonctl -- racoon administrative control tool
SYNOPSIS
racoonctl reload-config
racoonctl show-schedule
racoonctl [-l [-l]] show-sa [isakmp|esp|ah|ipsec]
racoonctl flush-sa [isakmp|esp|ah|ipsec]
racoonctl delete-sa saopts
racoonctl establish-sa [-u identity] saopts
racoonctl vpn-connect [-u -identity] vpn_gateway
racoonctl vpn-disconnect vpn_gateway
racoonctl show-event [-l]
racoonctl logout-user login
DESCRIPTION
racoonctl is used to control racoon(8) operation, if ipsec-tools was configured with adminport support. Communication between racoonctl and
racoon(8) is done through a UNIX socket. By changing the default mode and ownership of the socket, you can allow non-root users to alter
racoon(8) behavior, so do that with caution.
The following commands are available:
reload-config
This should cause racoon(8) to reload its configuration file.
show-schedule
Unknown command.
show-sa [isakmp|esp|ah|ipsec]
Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs. Use -l to
increase verbosity.
flush-sa [isakmp|esp|ah|ipsec]
is used to flush all SAs if no SA class is provided, or a class of SAs, either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec
SAs.
establish-sa [-u username] saopts
Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA. The optional -u username can be used when establishing an ISAKMP
SA while hybrid auth is in use. racoonctl will prompt you for the password associated with username and these credentials will be
used in the Xauth exchange.
saopts has the following format:
isakmp {inet|inet6} src dst
{esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port
{icmp|tcp|udp|any}
vpn-connect [-u username] vpn_gateway
This is a particular case of the previous command. It will establish an ISAKMP SA with vpn_gateway.
delete-sa saopts
Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
vpn-disconnect vpn_gateway
This is a particular case of the previous command. It will kill all SAs associated with vpn_gateway.
show-event [-l]
Dump all events reported by racoon(8), then quit. The -l flag causes racoonctl to not stop once all the events have been read, but
rather to loop awaiting and reporting new events.
logout-user login
Delete all SA established on behalf of the Xauth user login.
Command shortcuts are available:
rc reload-config
ss show-sa
sc show-schedule
fs flush-sa
ds delete-sa
es establish-sa
vc vpn-connect
vd vpn-disconnect
se show-event
lu logout-user
RETURN VALUES
The command should exit with 0 on success, and non-zero on errors.
FILES
/var/racoon/racoon.sock or
/var/run/racoon.sock racoon(8) control socket.
SEE ALSO
ipsec(4), racoon(8)
HISTORY
Once was kmpstat in the KAME project. It turned into racoonctl but remained undocumented for a while. Emmanuel Dreyfus <manu@NetBSD.org>
wrote this man page.
BSD
November 16, 2004 BSD