Re: ipsec tunnel mode help...
Hi;
I am able to see the esp/spi packets in tcpdump only when I ping from any
machine in both 192.168.82.0 and 192.168.100.0 networks, but not when I ping
from the router machine....
Regards,
TEH
On Saturday 01 November 2003 15:58, Teh Kok How wrote:
> Hi;
> I have a vpn setup of
>
> # 192.168.82.0/24 - west [.1] - 10.0.0.0/24 - [.2] east - 192.168.100.0/24
>
> I run `isakmpd -d &` and then I ping from 192.168.92.0/10.0.0.1 box to the
> 192.168.100.0/10.0.0.2 box. In east box, I run `netstat -ni ifvme0 host
> 10.0.0.1` and what I can see is only the normal icmp echo reply messages
> being exchanged between the 2 boxes.
> west box:
> WG8168# netstat -rn -f encap
> Routing tables
>
> Encap:
> Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
> 192.168.100/24 0 192.168.82/24 0 0 10.0.0.2/50/use/in
> 192.168.82/24 0 192.168.100/24 0 0 10.0.0.2/50/require/out
> WG8168#
>
> east box:
> WG8168# netstat -rn -f encap
> Routing tables
>
> Encap:
> Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
> 192.168.82/24 0 192.168.100/24 0 0 10.0.0.1/50/use/in
> 192.168.100/24 0 192.168.82/24 0 0 10.0.0.1/50/require/out
> WG8168#
>
> In west box, /kern/ipsec reads:
>
> WG8168# cat /kern/ipsec
> Hashmask: 31, policy entries: 2
> SPI = 697be132, Destination = 10.0.0.1, Sproto = 50
> Established 702 seconds ago
> Source = 10.0.0.2
> Flags (00001082) = <tunneling>
> Crypto ID: 4
> xform = <IPsec ESP>
> Encryption = <3DES>
> Authentication = <HMAC-SHA1>
> 0 bytes processed by this SA
> Expirations:
> Hard expiration(1) in 498 seconds
> Soft expiration(1) in 378 seconds
>
> SPI = 85bce20d, Destination = 10.0.0.1, Sproto = 50
> Established 706 seconds ago
> Source = 10.0.0.2
> Flags (00001082) = <tunneling>
> Crypto ID: 2
> xform = <IPsec ESP>
> Encryption = <3DES>
> Authentication = <HMAC-SHA1>
> 0 bytes processed by this SA
> Expirations:
> Hard expiration(1) in 494 seconds
> Soft expiration(1) in 374 seconds
>
> SPI = f1b95213, Destination = 10.0.0.2, Sproto = 50
> Established 706 seconds ago
> Source = 10.0.0.1
> Flags (00001082) = <tunneling>
> Crypto ID: 1
> xform = <IPsec ESP>
> Encryption = <3DES>
> Authentication = <HMAC-SHA1>
> 0 bytes processed by this SA
> Expirations:
> Hard expiration(1) in 494 seconds
> Soft expiration(1) in 374 seconds
>
> SPI = 7270ec39, Destination = 10.0.0.2, Sproto = 50
> Established 702 seconds ago
> Source = 10.0.0.1
> Flags (00001082) = <tunneling>
> Crypto ID: 3
> xform = <IPsec ESP>
> Encryption = <3DES>
> Authentication = <HMAC-SHA1>
> 0 bytes processed by this SA
> Expirations:
> Hard expiration(1) in 498 seconds
> Soft expiration(1) in 378 seconds
>
> WG8168#
>
>
> In east box, /kern/ipsec reads:
>
> WG8168# cat /kern/ipsec
> Hashmask: 31, policy entries: 2
> SPI = 697be132, Destination = 10.0.0.1, Sproto = 50
> Established 837 seconds ago
> Source = 10.0.0.2
> Flags (00001082) = <tunneling>
> Crypto ID: 3
> xform = <IPsec ESP>
> Encryption = <3DES>
> Authentication = <HMAC-SHA1>
> 0 bytes processed by this SA
> Expirations:
> Hard expiration(1) in 363 seconds
> Soft expiration(1) in 243 seconds
>
> SPI = 7270ec39, Destination = 10.0.0.2, Sproto = 50
> Established 837 seconds ago
> Source = 10.0.0.1
> Flags (00001082) = <tunneling>
> Crypto ID: 4
> xform = <IPsec ESP>
> Encryption = <3DES>
> Authentication = <HMAC-SHA1>
> 0 bytes processed by this SA
> Expirations:
> Hard expiration(1) in 363 seconds
> Soft expiration(1) in 243 seconds
>
> SPI = 85bce20d, Destination = 10.0.0.1, Sproto = 50
> Established 841 seconds ago
> Source = 10.0.0.2
> Flags (00001082) = <tunneling>
> Crypto ID: 1
> xform = <IPsec ESP>
> Encryption = <3DES>
> Authentication = <HMAC-SHA1>
> 0 bytes processed by this SA
> Expirations:
> Hard expiration(1) in 359 seconds
> Soft expiration(1) in 239 seconds
>
> SPI = f1b95213, Destination = 10.0.0.2, Sproto = 50
> Established 841 seconds ago
> Source = 10.0.0.1
> Flags (00001082) = <tunneling>
> Crypto ID: 2
> xform = <IPsec ESP>
> Encryption = <3DES>
> Authentication = <HMAC-SHA1>
> 0 bytes processed by this SA
> Expirations:
> Hard expiration(1) in 359 seconds
> Soft expiration(1) in 239 seconds
>
> WG8168#
>
> Since I don't see the esp/spi packets going in and out with tcpdump
> output, my vpn setup is not working. Any idea what I am missing?
>
>
> Regards,
> TEH
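
Added example, not part of the original message or of any project's code: a check that reads the west box's `netstat -rn -f encap` rows quoted above and reports whether a packet's source and destination fall inside an outbound flow, which is what decides whether it is ESP-encapsulated. The host addresses are constructed, and it assumes the router sources its own pings from its 10.0.0.1 address, which lies outside the 192.168.82/24 selector.

```python
import ipaddress

# West box flow table from the message (wrapped lines rejoined).
WEST_ENCAP = """\
192.168.100/24 0 192.168.82/24 0 0 10.0.0.2/50/use/in
192.168.82/24 0 192.168.100/24 0 0 10.0.0.2/50/require/out
"""

def parse_net(text):
    """Expand netstat's abbreviated prefix (192.168.82/24) to a full network."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"))

def parse_flows(table):
    """Turn each six-column encap row into a dict of selectors and SA fields."""
    flows = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip headers and blank lines
        src, _sport, dst, _dport, _proto, sa = fields
        peer, sproto, ftype, direction = sa.split("/")
        flows.append({"src": parse_net(src), "dst": parse_net(dst),
                      "peer": peer, "sproto": int(sproto),
                      "type": ftype, "dir": direction})
    return flows

def outbound_match(flows, src_ip, dst_ip):
    """Return the outbound flow covering this packet, or None if it bypasses IPsec."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for flow in flows:
        if flow["dir"] == "out" and src in flow["src"] and dst in flow["dst"]:
            return flow
    return None

if __name__ == "__main__":
    flows = parse_flows(WEST_ENCAP)
    # Constructed test packets: a LAN host, then the router's own 10.0.0.1 address.
    for src, dst in [("192.168.82.10", "192.168.100.20"),
                     ("10.0.0.1", "192.168.100.20"),
                     ("10.0.0.1", "10.0.0.2")]:
        hit = outbound_match(flows, src, dst)
        verdict = f"ESP via {hit['peer']} ({hit['type']})" if hit else "no flow, sent in clear"
        print(f"{src} -> {dst}: {verdict}")
```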