IPsec tunnel up but no traffic

Hi all,

I'm trying to get a IPsec VPN tunnel working between my Fedora
firewall running ipsec-tools and racoon and a remote Draytek router.
From the verbose output of racoon I can tell then tunnel between both
nodes is being build the moment I ping an IP adress on the remote LAN
from my firewall. However, the moment the tunnel is up and running,
the ping times out with "Destination Host Unreachable" At first I
thought I had my routing table setup wrong, but then I was told the
security policies took care of routing and not the routing table.

Has anyone got a clue what's going on?

TIA,
Wouter

(E-Mail Removed) wrote:
> I'm trying to get a IPsec VPN tunnel working between my Fedora
> firewall running ipsec-tools and racoon and a remote Draytek router.
> From the verbose output of racoon I can tell then tunnel between both
> nodes is being build the moment I ping an IP adress on the remote LAN
> from my firewall. However, the moment the tunnel is up and running,
> the ping times out with "Destination Host Unreachable" At first I
> thought I had my routing table setup wrong, but then I was told the
> security policies took care of routing and not the routing table.
>
> Has anyone got a clue what's going on?

How do you know the tunnel is really up if you can't send anything
through it?

The IPSec software should alter the routing, and you can still look at
it with "netstat -nr" or "ip route."

I can't comment on your specific setup, but it's sometimes a hassle that
two different IPSec implementations don't completely work together.

On 12 aug, 19:40, Allen Kistler <ackist...@oohay.moc> wrote:
> wamster...@zesgoes.nl wrote:
> > I'm trying to get a IPsec VPN tunnel working between my Fedora
> > firewall running ipsec-tools and racoon and a remote Draytek router.
> > From the verbose output of racoon I can tell then tunnel between both
> > nodes is being build the moment I ping an IP adress on the remote LAN
> > from my firewall. However, the moment the tunnel is up and running,
> > the ping times out with "Destination Host Unreachable" At first I
> > thought I had my routing table setup wrong, but then I was told the
> > security policies took care of routing and not the routing table.
>
> > Has anyone got a clue what's going on?
>
> How do you know the tunnel is really up if you can't send anything
> through it?
>
> The IPSec software should alter the routing, and you can still look at
> it with "netstat -nr" or "ip route."
>
> I can't comment on your specific setup, but it's sometimes a hassle that
> two different IPSec implementations don't completely work together.

I can tell the tunnel is up form both the webinterface of the Draytek
(it shows the tunnel is up) and from the verbose output of racoon,
which shows "IP-sec-SA established: ESP/Tunnel 212.115.197.xxx[0] ->
86.82.197.xxx[0]" and "IP-sec-SA established: ESP/Tunnel
86.82.197.xxx[0] -> 212.115.197.xxx[0]". But neither "netstat -nr" or
"ip route" shows any change at all when the tunnel is up; there is no
route to the remote network. As I haven't been able to get any tunnel
working I don't know if this is normal or the route to the remote
network should be added automagically. If I add the route manually
with "route add -net 192.168.1.0/24 gw 192.168.0.254" there is also no
answer from the other side. BTW (excuse my potential noob question)
what is the difference between "netstat -nr" or "ip route" and the
"route" command? Don't they all show the routing table?

Am Wed, 13 Aug 2008 00:20:05 -0700 schrieb wamsterdam:

> I can tell the tunnel is up form both the webinterface of the Draytek
> (it shows the tunnel is up) and from the verbose output of racoon,
> which shows "IP-sec-SA established: ESP/Tunnel 212.115.197.xxx[0] ->
> 86.82.197.xxx[0]" and "IP-sec-SA established: ESP/Tunnel
> 86.82.197.xxx[0] -> 212.115.197.xxx[0]". But neither "netstat -nr" or
> "ip route" shows any change at all when the tunnel is up; there is no
> route to the remote network. As I haven't been able to get any tunnel
> working I don't know if this is normal or the route to the remote
> network should be added automagically. If I add the route manually
> with "route add -net 192.168.1.0/24 gw 192.168.0.254" there is also no
> answer from the other side. BTW (excuse my potential noob question)
> what is the difference between "netstat -nr" or "ip route" and the
> "route" command? Don't they all show the routing table?

can you see the esp packets between the devices? if so your route is ok.

On 13 aug, 09:44, Burkhard Ott <n...@derith.de> wrote:
>
> can you see the esp packets between the devices? if so your route is ok.

hmm, excuse me for asking, but how can I see the ESP packets?

Am Wed, 13 Aug 2008 01:16:20 -0700 schrieb wamsterdam:

> On 13 aug, 09:44, Burkhard Ott <n...@derith.de> wrote:
>>
>> can you see the esp packets between the devices? if so your route is ok.
>
> hmm, excuse me for asking, but how can I see the ESP packets?

e.g. tcpdump

On 13 aug, 10:53, Burkhard Ott <n...@derith.de> wrote:
> Am Wed, 13 Aug 2008 01:16:20 -0700 schrieb wamsterdam:
>
> > On 13 aug, 09:44, Burkhard Ott <n...@derith.de> wrote:
>
> >> can you see the esp packets between the devices? if so your route is ok.
>
> > hmm, excuse me for asking, but how can I see the ESP packets?
>
> e.g. tcpdump

I'm not sure how, but it seems that restarting shorewall firewall a
few times solved my routing problems. Tunnel is now up and traffic is
coming through. Super.

Wouter