[Cialug] IPSec VPN not passing traffic

Zachary Kotlarek zach at kotlarek.com
Tue Sep 7 22:31:59 CDT 2010


On Sep 7, 2010, at 9:35 PM, Jonathan C. Bailey wrote:

> For example:
> 
> The example client I previously mentioned gets the IP of 192.168.22.2 on the VPN.


This is part of my confusion. You list server and client addresses in the 10. range and then separate VPN addresses in 192.

What do you mean "gets the IP... on the VPN." Without PPP (usually as part of L2TP or PPTP) there is no VPN-specific IP address -- there's just your regular IP address(es) where some of the traffic will be encrypted and some will not. Are your hosts with the 10. addresses already set up with secondary 192. addresses before you start IPSec? Or am I just confusing two different parts of your configuration?


> * tcpdump -i eth0 "host 192.168.22.2" on srvpn shows client -> world of the ping (decrypted) (but not return traffic)


I would expect pcap to see only the encrypted traffic. I'm not 100% positive, but I'm pretty sure it pulls out of the actual interface buffers (or thereabouts), so it should be after the encryption is applied.


> Based on how you're describing the xfrm rules, I'm guessing I should be fine if I can see the encrypt/decrypt working?


Yes. It sounds to me like you've got the key exchange daemons set up correctly and configuring SAs for encrypted traffic exchange. It should just be a question of figuring out why it isn't sending traffic over those tunnels.

	Zach
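Added example, not part of Zach's or Jonathan's messages: a small checker for the situation Zach describes, where the SAs exist but traffic still isn't going into the tunnel. On Linux that almost always means the xfrm policy selector doesn't cover the addresses the packets actually carry (the 10. vs 192. question above), so the kernel sends them in the clear. The script parses constructed `ip xfrm policy` and `ip xfrm state` output (the addresses 10.0.0.1/10.0.0.2 for the real host interfaces, 192.168.22.0/24 for the VPN range, and the SPIs are all made up for this example) and reports, for one src/dst flow, whether a policy matches and whether an SA backs its template.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output (hypothetical hosts:
# srvpn = 10.0.0.1 / 192.168.22.1, client = 10.0.0.2 / 192.168.22.2).
SAMPLE_POLICY = """\
src 192.168.22.0/24 dst 192.168.22.2/32
    dir out priority 0 ptype main
    tmpl src 10.0.0.1 dst 10.0.0.2
        proto esp reqid 1 mode tunnel
src 192.168.22.2/32 dst 192.168.22.0/24
    dir in priority 0 ptype main
    tmpl src 10.0.0.2 dst 10.0.0.1
        proto esp reqid 1 mode tunnel
"""

# Constructed sample of `ip xfrm state` output; SPIs and keys are placeholders.
SAMPLE_STATE = """\
src 10.0.0.1 dst 10.0.0.2
    proto esp spi 0x0b1b2c3d reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-hmac(sha1) 0x00
    enc cbc(aes) 0x00
src 10.0.0.2 dst 10.0.0.1
    proto esp spi 0x0a1a2a3a reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-hmac(sha1) 0x00
    enc cbc(aes) 0x00
"""

# Same dump with only the inbound SA present (keying half-finished).
SAMPLE_STATE_INBOUND_ONLY = "src 10.0.0.2" + SAMPLE_STATE.split("src 10.0.0.2", 1)[1]


def _parse_records(text):
    """Split `ip xfrm` output into records; each starts with an unindented 'src ... dst ...' line."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(("\t", " ")):
            current = {"head": line.strip(), "body": []}
            records.append(current)
        elif current is not None:
            current["body"].append(line.strip())
    return records


def parse_policies(text):
    """Return a list of policies: selector networks, direction and the ESP template."""
    policies = []
    for rec in _parse_records(text):
        m = re.match(r"src (\S+) dst (\S+)", rec["head"])
        pol = {"src": ipaddress.ip_network(m.group(1), strict=False),
               "dst": ipaddress.ip_network(m.group(2), strict=False),
               "dir": None, "tmpl": None}
        for line in rec["body"]:
            if line.startswith("dir "):
                pol["dir"] = line.split()[1]
            elif line.startswith("tmpl "):
                t = re.match(r"tmpl src (\S+) dst (\S+)", line)
                pol["tmpl"] = {"src": t.group(1), "dst": t.group(2)}
            elif line.startswith("proto ") and pol["tmpl"] is not None:
                p = re.match(r"proto (\S+)(?: spi \S+)? reqid (\d+) mode (\S+)", line)
                pol["tmpl"].update(proto=p.group(1), reqid=int(p.group(2)), mode=p.group(3))
        policies.append(pol)
    return policies


def parse_states(text):
    """Return a list of SAs keyed by outer src/dst, protocol, SPI and reqid."""
    states = []
    for rec in _parse_records(text):
        m = re.match(r"src (\S+) dst (\S+)", rec["head"])
        st = {"src": m.group(1), "dst": m.group(2)}
        for line in rec["body"]:
            p = re.match(r"proto (\S+) spi (0x[0-9a-f]+) reqid (\d+) mode (\S+)", line)
            if p:
                st.update(proto=p.group(1), spi=p.group(2), reqid=int(p.group(3)), mode=p.group(4))
        states.append(st)
    return states


def diagnose(policy_text, state_text, src, dst, direction="out"):
    """Classify one flow: ('clear', None) if no policy selector covers it (packets leave
    unencrypted), ('no-sa', tmpl) if a policy matches but no SA backs its template,
    ('encrypted', spi) if both are present. First matching policy wins; real lookups
    also honour priority, which this simplified checker ignores."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pol in parse_policies(policy_text):
        if pol["dir"] == direction and src_ip in pol["src"] and dst_ip in pol["dst"]:
            break
    else:
        return ("clear", None)
    t = pol["tmpl"]
    for st in parse_states(state_text):
        if (st["src"], st["dst"], st["proto"], st["reqid"]) == (t["src"], t["dst"], t["proto"], t["reqid"]):
            return ("encrypted", st["spi"])
    return ("no-sa", t)


if __name__ == "__main__":
    # A ping sourced from the VPN address matches the policy and has an SA.
    print(diagnose(SAMPLE_POLICY, SAMPLE_STATE, "192.168.22.1", "192.168.22.2"))
    # The same ping sourced from the host's 10. address hits no selector: sent in the clear.
    print(diagnose(SAMPLE_POLICY, SAMPLE_STATE, "10.0.0.1", "192.168.22.2"))
```

Run it against real dumps by piping `ip xfrm policy` and `ip xfrm state` into the two parsers; a "clear" result for the flow you are pinging is the signature of the problem in this thread, and the fix is a selector (or a source address on the ping) that matches what the policy expects.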
