[Cialug] IPSec VPN not passing traffic

Jonathan C. Bailey jbailey at co.marshall.ia.us
Tue Sep 7 21:35:54 CDT 2010


For example:

The example client I previously mentioned gets the IP of 192.168.22.2 on the VPN.

* tcpdump -i eth0 "host 192.168.22.2" on srvpn shows client -> world of the ping (decrypted) (but not return traffic)

* tcpdump "host 192.168.22.2" on another host shows no traffic (I'd expect to be seeing the ping traffic traveling via the vpn host at least)

Also, our core router has a route to 192.168.22.0/24 via 10.81.10.60, but if I try to send traffic to 192.168.22.x, I see srvpn/10.81.10.60 sending ARP requests like it doesn't know about that address range.

Based on how you're describing the xfrm rules, I'm guessing I should be fine if I can see the encrypt/decrypt working?


-Jon

----- Original Message -----
From: "Zachary Kotlarek" <zach at kotlarek.com>
To: "Central Iowa Linux Users Group" <cialug at cialug.org>
Sent: Tuesday, September 7, 2010 9:08:28 PM
Subject: Re: [Cialug] IPSec VPN not passing traffic


On Sep 7, 2010, at 8:22 PM, Jonathan C. Bailey wrote:

> Ok, I guess I'm not getting how XFRM passes packets out of the IPSec world to the real world. The documentation for it (at least what I can find) isn't too helpful.


It doesn't. It's an in-line transform. Outbound packets that match the XFRM rules get transformed in-line according to those rules before they're transmitted. In this case the transformation is IPSec. It's sort of like mangling for NAT with iptables.


> Anyway, here is my setup:
> 
> VPN server: 10.81.10.60
> Win7 client: 10.64.4.110 (so at least different subnets from the server)
> VPN routes: 10.81.28.2 10.81.28.3 10.81.28.4 10.81.10.17
> 
> I can also see traffic from 10.64.4.110 to anywhere when running tcpdump on eth0 of srvpn (10.81.10.60), but that traffic never seems to *leave* eth0 of srvpn...


I'm not sure what you mean by "never leaves". What are you measuring to determine that? Are you capturing locally and in-line and seeing the traffic locally but not at the remote capture point? Are you not seeing it even in local captures?

	Zach
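Added example (not from this thread or from any IPsec project): the in-line transform described above only happens when a packet hits a matching xfrm policy, and a road-warrior flow on the server goes through three separate lookups. A decrypted packet delivered to the server itself is checked against a 'dir in' policy; a decrypted packet the server forwards onward is checked against a 'dir fwd' policy (not the 'in' one); and a return packet to the client's tunnel address is only ESP-encapsulated if a 'dir out' policy covers that destination. With no 'out' match the return packet is not transformed at all and simply follows the plain routing table, which is what would produce ARP requests if that table has a directly connected route for the range. The script below parses `ip xfrm policy` output and reports which of the three lookups fail for a given client/remote pair. The two policy dumps are constructed for the example: they reuse the thread's addresses, but the policy set itself is assumed, not the poster's actual configuration.

```python
"""Check Linux IPsec (xfrm) policy coverage for one VPN client, offline.

Added example, not code from this thread or from any IPsec project.  It
parses the text format printed by `ip xfrm policy` (iproute2) and asks,
for one client tunnel address, whether a policy exists for each lookup a
forwarded flow goes through on the server.  The policy dumps are
constructed for the example: the addresses reuse the thread's, the
policy set itself is assumed.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed: 'in' and 'fwd' policies for the client's tunnel address
# but no 'out' policy for traffic going back to it.  The 'socket' entry
# is the kind of bypass an IKE daemon installs for its UDP/500 socket.
POLICIES_MISSING_OUT = """\
src 192.168.22.2/32 dst 0.0.0.0/0
    dir in priority 2080 ptype main
    tmpl src 10.64.4.110 dst 10.81.10.60
        proto esp reqid 1 mode tunnel
src 192.168.22.2/32 dst 0.0.0.0/0
    dir fwd priority 2080 ptype main
    tmpl src 10.64.4.110 dst 10.81.10.60
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
"""

# Constructed: the same server with the return-direction policy added.
POLICIES_COMPLETE = POLICIES_MISSING_OUT + """\
src 0.0.0.0/0 dst 192.168.22.2/32
    dir out priority 2080 ptype main
    tmpl src 10.81.10.60 dst 10.64.4.110
        proto esp reqid 1 mode tunnel
"""


def parse_xfrm_policies(text: str) -> List[Dict]:
    """Parse `ip xfrm policy` output into a list of policy dicts."""
    policies: List[Dict] = []
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "src":           # selector: "src A/N dst B/M ..."
            cur = {"src": ipaddress.ip_network(parts[1], strict=False),
                   "dst": ipaddress.ip_network(parts[3], strict=False),
                   "dir": None, "priority": 0, "tmpl": []}
            policies.append(cur)
        elif cur is None:
            continue
        elif parts[0] == "dir":         # "dir in|out|fwd priority N ..."
            cur["dir"] = parts[1]
            if "priority" in parts:
                cur["priority"] = int(parts[parts.index("priority") + 1])
        elif parts[0] == "socket":      # per-socket bypass, not a flow policy
            cur["dir"] = "socket " + parts[1]
        elif parts[0] == "tmpl":        # "tmpl src A dst B"
            cur["tmpl"].append({"src": parts[2], "dst": parts[4]})
    return policies


def lookup_policy(policies: List[Dict], src: str, dst: str,
                  direction: str) -> Optional[Dict]:
    """Best policy covering (src, dst) in 'in', 'fwd' or 'out'; None if no
    transform applies.  Lowest priority number wins, as in the kernel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and s in p["src"] and d in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def check_client_paths(policies: List[Dict], client_ip: str,
                       remote_ip: str) -> Dict[str, bool]:
    """Which lookups succeed for one client talking to one remote host.

    in  : decrypted client->remote packet delivered to the server itself
    fwd : decrypted client->remote packet the server forwards onward
          (forwarded packets are checked against 'fwd', not 'in')
    out : remote->client packet leaving the server; with no match it is
          routed and sent in the clear instead of ESP-encapsulated
    """
    return {
        "in": lookup_policy(policies, client_ip, remote_ip, "in") is not None,
        "fwd": lookup_policy(policies, client_ip, remote_ip, "fwd") is not None,
        "out": lookup_policy(policies, remote_ip, client_ip, "out") is not None,
    }


def missing_directions(policies: List[Dict], client_ip: str,
                       remote_ip: str) -> List[str]:
    """Directions with no covering policy, in in/fwd/out order."""
    found = check_client_paths(policies, client_ip, remote_ip)
    return [d for d, ok in found.items() if not ok]


if __name__ == "__main__":
    for name, dump in (("missing-out", POLICIES_MISSING_OUT),
                       ("complete", POLICIES_COMPLETE)):
        pols = parse_xfrm_policies(dump)
        print(name, missing_directions(pols, "192.168.22.2", "10.81.28.2"))
```

To use it against a real server, feed the output of `ip xfrm policy` into parse_xfrm_policies() and call missing_directions() with the client's tunnel address and one of the hosts behind the VPN; an empty list means all three lookups have a policy, and the next thing to compare is `ip xfrm state` (does a matching SA exist for each template) and `ip route get <client tunnel address>` (where the return packet goes when no 'out' policy matches).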


_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
