[Cialug] IPSec VPN not passing traffic

Zachary Kotlarek zach at kotlarek.com
Tue Sep 7 17:44:19 CDT 2010


On Sep 7, 2010, at 5:32 PM, Jonathan C. Bailey wrote:

> Ok.. I confirmed it's NETKEY in this case (on Ubuntu 10.04). ip xfrm state shows each side of the connection (client->server and server->client).
> 
> I did some more reading on NETKEY, and it seems that it's supposed to automagically do the routing, but nothing I find seems very clear on this...


XFRM *is* the routing. There's no other indication in the normal IP stack tools.

I'm more familiar with OpenSwan than Racoon, but it seems to me that with the "passive on" setting you should only see the XFRM transforms come up after a client has negotiated a key and the system is ready to start exchanging encrypted traffic.

Is it possible you've got an illogical configuration due to the intra-network testing -- where you're telling the system to use an IPSec tunnel to reach the same network segment that contains the next-hop router or some other impossibility?

It might also be useful to see what the Sun Rays think about the tunnel. I don't know what kind of tools they have available for debugging, but there should at least be some basic logs/tools.

	Zach
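An added diagnostic example for the misconfiguration Zach describes (this is not code from the thread): a POSIX shell script that parses `ip xfrm policy` output and reports any outbound policy whose destination selector covers the next-hop router's address, which would mean the kernel is trying to push the router's own traffic into the tunnel. The sample policy text and the `check_next_hop` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect outbound XFRM
# policies whose selector swallows the next-hop router.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains CIDR ADDR -> exit 0 if ADDR lies inside CIDR.
cidr_contains() {
    net=${1%/*}; bits=${1#*/}
    [ "$bits" = "$1" ] && bits=32          # bare address means /32
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# xfrm_policies_covering ADDR  (reads `ip xfrm policy` text on stdin)
# Prints "src dst" for each 'dir out' policy whose dst selector covers ADDR.
xfrm_policies_covering() {
    addr=$1
    # Selector lines start at column 0 with "src"; tmpl lines are indented.
    awk '/^src /{src=$2; dst=$4} /dir out/{print src, dst}' |
    while read -r src dst; do
        cidr_contains "$dst" "$addr" && echo "$src $dst"
    done
}

# Constructed sample of `ip xfrm policy` output (not captured from a real host).
# The first policy tunnels 10.0.0.0/24 to itself: the "impossible" case.
SAMPLE_POLICY='src 10.0.0.0/24 dst 10.0.0.0/24
	dir out priority 2080 ptype main
	tmpl src 203.0.113.1 dst 203.0.113.2
		proto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 10.0.0.0/24
	dir in priority 2080 ptype main
	tmpl src 203.0.113.2 dst 203.0.113.1
		proto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 192.168.5.0/24
	dir out priority 2080 ptype main
	tmpl src 203.0.113.1 dst 203.0.113.2
		proto esp reqid 2 mode tunnel'

# check_next_hop ROUTER_ADDR: report policies that would encapsulate the
# router's traffic. On a live host replace SAMPLE_POLICY with `ip xfrm policy`.
check_next_hop() {
    printf '%s\n' "$SAMPLE_POLICY" | xfrm_policies_covering "$1"
}
```

Any line printed by `check_next_hop` with the default gateway's address is a selector that covers the next hop itself, the situation Zach suspects.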
