Ipsec with SA established, but NO traffic
Jan Koukal
Jan.Koukal at fs.cvut.cz
Wed Oct 3 13:20:35 CEST 2007
Thanks for the reply, I'll keep digging.
88.200.30.145 really is the machine the second tunnel works to, verified.
Even though this might belong on some Linux list, I dumped the
configuration from the IPCop, 88.200.30.145, and here it is:
IPCOP
___________________________________________________________________
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:30:05:1A:76:33
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3041436 errors:0 dropped:0 overruns:0 frame:0
TX packets:4867075 errors:0 dropped:0 overruns:1 carrier:0
collisions:0 txqueuelen:1000
RX bytes:680987864 (649.4 MB) TX bytes:2941204034 (2804.9 MB)
Interrupt:11 Base address:0x4400 Memory:e8104000-e8104038
eth1 Link encap:Ethernet HWaddr 00:04:E2:B8:AB:4E
inet addr:88.200.30.2 Bcast:88.200.30.3 Mask:255.255.255.252
UP BROADCAST RUNNING MTU:1500 Metric:1
RX packets:4958841 errors:0 dropped:0 overruns:0 frame:0
TX packets:3075114 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3117555571 (2973.1 MB) TX bytes:795956129 (759.0 MB)
Interrupt:5 Memory:e8100000-0
ipsec0 Link encap:Ethernet HWaddr 00:04:E2:B8:AB:4E
inet addr:88.200.30.2 Mask:255.255.255.252
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:88454 errors:0 dropped:3218 overruns:0 frame:0
TX packets:85567 errors:0 dropped:76 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:50346631 (48.0 MB) TX bytes:46008002 (43.8 MB)
Tue Oct 2 14:11:59 CEST 2007
+ _________________________ version
+ ipsec --version
Linux Openswan 1.0.10rc2
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.31 (root at localhost.localdomain) (gcc version 3.3.3) #1 Fri Aug 26 01:32:48 GMT 2005
+ _________________________ proc/net/ipsec_eroute
+ sort +3 /proc/net/ipsec_eroute
175 192.168.0.0/24:0 -> 192.168.1.0/24:0 => tun0x10f0 at 147.20.148.94:0
108 192.168.0.0/24:0 -> 192.168.2.0/24:0 => tun0x10ec at 62.168.77.35:0
+ _________________________ netstart-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.124.183.2    0.0.0.0         255.255.255.255 UH    0   0      0    tun0
88.200.30.0     0.0.0.0         255.255.255.252 U     0   0      0    eth1
88.200.30.0     0.0.0.0         255.255.255.252 U     0   0      0    ipsec0
192.168.2.0     88.200.30.1     255.255.255.0   UG    0   0      0    ipsec0
192.168.1.0     88.200.30.1     255.255.255.0   UG    0   0      0    ipsec0
192.168.0.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
10.124.183.0    10.124.183.2    255.255.255.0   UG    0   0      0    tun0
0.0.0.0         88.200.30.1     0.0.0.0         UG    0   0      0    eth1
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
esp0x8a790411 at 88.200.30.2 ESP_3DES_HMAC_MD5: dir=in src=92.168.77.35 iv_bits=64bits iv=0x3d1088946b7d77a3 ooowin=64 ooo_errs=3 seq=92 bit=0xffffffffffffffff alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(16088,0,0)addtime(1437,0,0)usetime(498,0,0)packets(92,0,0) idle=109
tun0x10f0 at 147.20.148.94 IPIP: dir=out src=88.200.30.2 life(c,s,h)=bytes(18266,0,0)addtime(564,0,0)usetime(563,0,0)packets(175,0,0) idle=41
esp0xf047f5c at 147.20.148.94 ESP_3DES_HMAC_MD5: dir=out src=88.200.30.2 iv_bits=64bits iv=0x34b81bdd1e9fe9be ooowin=64 seq=175 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(23872,0,0)addtime(564,0,0)usetime(563,0,0)packets(175,0,0) idle=41
esp0xee4a867 at 92.168.77.35 ESP_3DES_HMAC_MD5: dir=out src=88.200.30.2 iv_bits=64bits iv=0x2d72df71f26d104c ooowin=64 seq=108 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(110752,0,0)addtime(1437,0,0)usetime(498,0,0)packets(108,0,0) idle=110
tun0x10ec at 92.168.77.35 IPIP: dir=out src=88.200.30.2 life(c,s,h)=bytes(107135,0,0)addtime(1437,0,0)usetime(498,0,0)packets(108,0,0) idle=110
tun0x10ef at 88.200.30.2 IPIP: dir=in src=147.20.148.94 policy=192.168.1.0/24->192.168.0.0/24 flags=0x8<> life(c,s,h)=addtime(564,0,0)
tun0x10eb at 88.200.30.2 IPIP: dir=in src=92.168.77.35 policy=192.168.2.0/24->192.168.0.0/24 flags=0x8<> life(c,s,h)=bytes(16088,0,0)addtime(1437,0,0)usetime(498,0,0)packets(92,0,0) idle=109
esp0x8a790413 at 88.200.30.2 ESP_3DES_HMAC_MD5: dir=in src=147.20.148.94 iv_bits=64bits iv=0xdb89e79efd60436f ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(564,0,0)
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x10f0 at 147.20.148.94 esp0xf047f5c at 147.20.148.94
tun0x10ec at 92.168.77.35 esp0xee4a867 at 92.168.77.35
tun0x10ef at 88.200.30.2 esp0x8a790413 at 88.200.30.2
tun0x10eb at 88.200.30.2 esp0x8a790411 at 88.200.30.2
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth1 mtu=16260(1443) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
Linux ipcop.des 2.4.31 #1 Fri Aug 26 01:32:48 GMT 2005 i686 GenuineIntel unknown GNU/Linux
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan 1.0.10rc2
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy DROP 66677 packets, 6084K bytes)
pkts bytes target prot opt in out source
destination
4446K 2254M ipac~o all -- * * 0.0.0.0/0
0.0.0.0/0
4446K 2254M BADTCP all -- * * 0.0.0.0/0
0.0.0.0/0
67051 3414K tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 10/sec burst 5
4444K 2254M CUSTOMINPUT all -- * * 0.0.0.0/0
0.0.0.0/0
83585 7045K GUIINPUT all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
566 29048 ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 DROP all -- * * 127.0.0.0/8
0.0.0.0/0 state NEW
0 0 DROP all -- * * 0.0.0.0/0
127.0.0.0/8 state NEW
0 0 ACCEPT !icmp -- eth0 * 0.0.0.0/0
0.0.0.0/0 state NEW
842 40416 ACCEPT all -- ipsec+ * 0.0.0.0/0
0.0.0.0/0
80079 6808K DHCPBLUEINPUT all -- * * 0.0.0.0/0
0.0.0.0/0
80079 6808K IPSECRED all -- * * 0.0.0.0/0
0.0.0.0/0
80041 6802K OVPNINPUT all -- * * 0.0.0.0/0
0.0.0.0/0
76728 6598K IPSECBLUE all -- * * 0.0.0.0/0
0.0.0.0/0
76582 6590K WIRELESSINPUT all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
76728 6598K REDINPUT all -- * * 0.0.0.0/0
0.0.0.0/0
76582 6590K XTACCESS all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
35693 3374K LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix
`INPUT '
Chain FORWARD (policy DROP 59 packets, 3456 bytes)
pkts bytes target prot opt in out source
destination
2566K 1352M ipac~fi all -- * * 0.0.0.0/0
0.0.0.0/0
2566K 1352M ipac~fo all -- * * 0.0.0.0/0
0.0.0.0/0
2566K 1352M BADTCP all -- * * 0.0.0.0/0
0.0.0.0/0
48259 2472K TCPMSS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
2565K 1352M CUSTOMFORWARD all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 DROP all -- * * 127.0.0.0/8
0.0.0.0/0 state NEW
0 0 DROP all -- * * 0.0.0.0/0
127.0.0.0/8 state NEW
0 0 ACCEPT all -- eth0 * 0.0.0.0/0
0.0.0.0/0 state NEW
422 39029 ACCEPT all -- ipsec+ * 0.0.0.0/0
0.0.0.0/0
8702 912K OVPNFORWARD all -- * * 0.0.0.0/0
0.0.0.0/0
627 30720 WIRELESSFORWARD all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
627 30720 REDFORWARD all -- * * 0.0.0.0/0
0.0.0.0/0
627 30720 PORTFWACCESS all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
59 3456 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix
`OUTPUT '
Chain OUTPUT (policy ACCEPT 6224K packets, 2580M bytes)
pkts bytes target prot opt in out source
destination
6224K 2580M ipac~i all -- * * 0.0.0.0/0
0.0.0.0/0
6224K 2580M CUSTOMOUTPUT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain BADTCP (2 references)
pkts bytes target prot opt in out source
destination
0 0 PSCAN tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x3F/0x29
0 0 PSCAN tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x3F/0x00
0 0 PSCAN tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x3F/0x01
0 0 PSCAN tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x06
0 0 PSCAN tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x03/0x03
3115 212K NEWNOTSYN tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
Chain BOT_FORWARD (1 references)
pkts bytes target prot opt in out source
destination
2149 102K ACCEPT icmp -- eth0 * 0.0.0.0/0
0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0
0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0
0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0
0.0.0.0/0 icmp type 3 code 1
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0
0.0.0.0/0 icmp type 5 code 0
8174 514K ACCEPT icmp -- eth0 * 0.0.0.0/0
0.0.0.0/0 icmp type 8
670K 390M ACCEPT all -- eth0 * 192.168.0.20
0.0.0.0/0
1979 90318 ACCEPT tcp -- eth0 * 192.168.0.0/24
0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/24
0.0.0.0/0 tcp dpt:995
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/24
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- eth0 * 192.168.0.0/24
0.0.0.0/0 udp dpt:22
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/24
0.0.0.0/0 tcp dpt:993
8810 501K ACCEPT tcp -- eth0 * 192.168.0.0/24
0.0.0.0/0 tcp dpt:3389
85846 65M ACCEPT all -- eth0 * 192.168.0.0/24
10.124.183.0/24
41408 16M ACCEPT all -- eth0 * 192.168.0.62
0.0.0.0/0
228K 12M ACCEPT all -- eth0 * 192.168.0.106
0.0.0.0/0
3034 628K ACCEPT all -- eth0 * 192.168.0.152
0.0.0.0/0
11352 1491K ACCEPT all -- eth0 * 192.168.0.154
0.0.0.0/0
2682 501K ACCEPT all -- eth0 * 192.168.0.113
0.0.0.0/0
7 384 ACCEPT all -- eth0 * 192.168.0.0/24
192.168.1.0/24
0 0 ACCEPT all -- eth0 * 192.168.0.124
217.75.212.143
0 0 ACCEPT all -- eth0 * 192.168.0.150
0.0.0.0/0
41351 2556K ACCEPT all -- eth0 * 192.168.0.197
0.0.0.0/0
0 0 ACCEPT all -- eth0 * 192.168.0.124
194.149.116.62
1845 391K ACCEPT all -- eth0 * 192.168.0.128
0.0.0.0/0
0 0 ACCEPT all -- eth0 * 192.168.0.0/24
192.168.2.0/24
1345K 857M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
104K 4527K LOG all -- eth0 * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 4 prefix `GREEN-REJECT '
104K 4527K REJECT all -- eth0 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
Chain BOT_INPUT (1 references)
pkts bytes target prot opt in out source
destination
2418 130K ACCEPT tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 MAC 00:0A:E4:E7:85:C7 tcp dpt:445
0 0 ACCEPT tcp -- eth0 * 192.168.0.0/24
0.0.0.0/0 tcp dpt:445
0 0 ACCEPT udp -- eth0 * 192.168.0.0/24
0.0.0.0/0 udp dpt:445
739K 30M ACCEPT tcp -- eth0 * 192.168.0.0/24
0.0.0.0/0 tcp dpt:222
24 1188 ACCEPT tcp -- eth0 * 192.168.0.0/24
0.0.0.0/0 tcp dpt:53
27529 1841K ACCEPT udp -- eth0 * 192.168.0.0/24
0.0.0.0/0 udp dpt:53
999K 96M ACCEPT tcp -- eth0 * 192.168.0.0/24
0.0.0.0/0 tcp dpt:3128
2570K 2116M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
22383 3046K LOG all -- eth0 * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 4 prefix `GREEN-REJECT '
22383 3046K REJECT all -- eth0 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
Chain CUSTOMFORWARD (1 references)
pkts bytes target prot opt in out source
destination
2565K 1352M BOT_FORWARD all -- * * 0.0.0.0/0
0.0.0.0/0
Chain CUSTOMINPUT (1 references)
pkts bytes target prot opt in out source
destination
4444K 2254M BOT_INPUT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain CUSTOMOUTPUT (1 references)
pkts bytes target prot opt in out source
destination
Chain DHCPBLUEINPUT (1 references)
pkts bytes target prot opt in out source
destination
Chain DMZHOLES (0 references)
pkts bytes target prot opt in out source
destination
Chain GUIINPUT (1 references)
pkts bytes target prot opt in out source
destination
2098 168K ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
Chain IPSECBLUE (1 references)
pkts bytes target prot opt in out source
destination
Chain IPSECRED (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT 47 -- eth1 * 0.0.0.0/0
0.0.0.0/0
1 104 ACCEPT esp -- eth1 * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT ah -- eth1 * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0
0.0.0.0/0 udp spt:500 dpt:500
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0
0.0.0.0/0 udp dpt:4500
Chain LOG_DROP (0 references)
pkts bytes target prot opt in out source
destination
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain LOG_REJECT (0 references)
pkts bytes target prot opt in out source
destination
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
0 0 REJECT all -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
Chain NEWNOTSYN (1 references)
pkts bytes target prot opt in out source
destination
2693 194K LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix
`NEW not SYN? '
3115 212K DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain OVPNFORWARD (1 references)
pkts bytes target prot opt in out source
destination
8075 882K ACCEPT all -- tun+ * 0.0.0.0/0
0.0.0.0/0
Chain OVPNINPUT (1 references)
pkts bytes target prot opt in out source
destination
482 56236 ACCEPT udp -- eth1 * 0.0.0.0/0
0.0.0.0/0 udp dpt:1194
2831 147K ACCEPT all -- tun+ * 0.0.0.0/0
0.0.0.0/0
Chain PORTFWACCESS (1 references)
pkts bytes target prot opt in out source
destination
14 672 ACCEPT tcp -- eth1 * 0.0.0.0/0
192.168.0.20 tcp dpt:25
444 21312 ACCEPT tcp -- eth1 * 0.0.0.0/0
192.168.0.20 tcp dpt:993
110 5280 ACCEPT tcp -- eth1 * 0.0.0.0/0
192.168.0.20 tcp dpt:443
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0
192.168.0.80 tcp dpt:10001
0 0 ACCEPT tcp -- eth1 * 147.32.160.156
192.168.0.20 tcp dpt:22
Chain PSCAN (5 references)
pkts bytes target prot opt in out source
destination
0 0 LOG tcp -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix
`TCP Scan? '
0 0 LOG udp -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix
`UDP Scan? '
0 0 LOG icmp -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix
`ICMP Scan? '
0 0 LOG all -f * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix
`FRAG Scan? '
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain REDFORWARD (1 references)
pkts bytes target prot opt in out source
destination
Chain REDINPUT (1 references)
pkts bytes target prot opt in out source
destination
Chain WIRELESSFORWARD (1 references)
pkts bytes target prot opt in out source
destination
Chain WIRELESSINPUT (1 references)
pkts bytes target prot opt in out source
destination
Chain XTACCESS (1 references)
pkts bytes target prot opt in out source
destination
1 52 ACCEPT tcp -- eth1 * 0.0.0.0/0
88.200.30.2 tcp dpt:222
10050 514K ACCEPT tcp -- eth1 * 0.0.0.0/0
88.200.30.2 tcp dpt:445
Chain ipac~fi (1 references)
pkts bytes target prot opt in out source
destination
427 64747 all -- eth0 * 0.0.0.0/0
0.0.0.0/0
44 10474 all -- eth1 * 0.0.0.0/0
0.0.0.0/0
Chain ipac~fo (1 references)
pkts bytes target prot opt in out source
destination
141 26975 all -- * eth0 0.0.0.0/0
0.0.0.0/0
325 17354 all -- * eth1 0.0.0.0/0
0.0.0.0/0
Chain ipac~i (1 references)
pkts bytes target prot opt in out source
destination
3222 3576K all -- * eth0 0.0.0.0/0
0.0.0.0/0
5459 1266K all -- * eth1 0.0.0.0/0
0.0.0.0/0
Chain ipac~o (1 references)
pkts bytes target prot opt in out source
destination
1701 117K all -- eth0 * 0.0.0.0/0
0.0.0.0/0
5443 4381K all -- eth1 * 0.0.0.0/0
0.0.0.0/0
+ _________________________ ipchains/list
+ ipchains -L -v -n
/usr/lib/ipsec/barf: line 197: ipchains: command not found
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
/usr/lib/ipsec/barf: line 199: ipfwadm: command not found
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
/usr/lib/ipsec/barf: line 201: ipfwadm: command not found
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
/usr/lib/ipsec/barf: line 203: ipfwadm: command not found
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 380K packets, 29M bytes)
pkts bytes target prot opt in out source
destination
380K 29M CUSTOMPREROUTING all -- * * 0.0.0.0/0
0.0.0.0/0
380K 29M SQUID all -- * * 0.0.0.0/0
0.0.0.0/0
380K 29M PORTFW all -- * * 0.0.0.0/0
0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 12948 packets, 1510K bytes)
pkts bytes target prot opt in out source
destination
76673 4668K CUSTOMPOSTROUTING all -- * * 0.0.0.0/0
0.0.0.0/0
76673 4668K REDNAT all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 SNAT all -- * * 0.0.0.0/0
0.0.0.0/0 MARK match 0x1 to:192.168.0.1
Chain OUTPUT (policy ACCEPT 49438 packets, 2578K bytes)
pkts bytes target prot opt in out source
destination
Chain CUSTOMPOSTROUTING (1 references)
pkts bytes target prot opt in out source
destination
Chain CUSTOMPREROUTING (1 references)
pkts bytes target prot opt in out source
destination
Chain PORTFW (1 references)
pkts bytes target prot opt in out source
destination
14 672 DNAT tcp -- * * 0.0.0.0/0
88.200.30.2 tcp dpt:25 to:192.168.0.20:25
444 21312 DNAT tcp -- * * 0.0.0.0/0
88.200.30.2 tcp dpt:993 to:192.168.0.20:993
110 5280 DNAT tcp -- * * 0.0.0.0/0
88.200.30.2 tcp dpt:443 to:192.168.0.20:443
0 0 DNAT tcp -- * * 0.0.0.0/0
88.200.30.2 tcp dpt:10001 to:192.168.0.80:10001
59 3456 DNAT tcp -- * * 0.0.0.0/0
88.200.30.2 tcp dpt:22 to:192.168.0.20:22
Chain REDNAT (1 references)
pkts bytes target prot opt in out source
destination
63725 3158K MASQUERADE all -- * eth1 0.0.0.0/0
0.0.0.0/0
Chain SQUID (1 references)
pkts bytes target prot opt in out source
destination
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
/usr/lib/ipsec/barf: line 207: ipchains: command not found
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
/usr/lib/ipsec/barf: line 209: ipfwadm: command not found
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 7156K packets, 3718M bytes)
pkts bytes target prot opt in out source
destination
7156K 3718M PORTFWMANGLE all -- * * 0.0.0.0/0
0.0.0.0/0
Chain INPUT (policy ACCEPT 4446K packets, 2254M bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 2566K packets, 1352M bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 6224K packets, 2580M bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 8685K packets, 3927M bytes)
pkts bytes target prot opt in out source
destination
Chain PORTFWMANGLE (1 references)
pkts bytes target prot opt in out source
destination
0 0 MARK tcp -- * * 192.168.0.0/24
88.200.30.2 tcp dpt:25 MARK set 0x1
0 0 MARK tcp -- * * 192.168.0.0/24
88.200.30.2 tcp dpt:993 MARK set 0x1
0 0 MARK tcp -- * * 192.168.0.0/24
88.200.30.2 tcp dpt:443 MARK set 0x1
0 0 MARK tcp -- * * 192.168.0.0/24
88.200.30.2 tcp dpt:10001 MARK set 0x1
0 0 MARK tcp -- * * 192.168.0.0/24
88.200.30.2 tcp dpt:22 MARK set 0x1
+ _________________________ proc/modules
+ cat /proc/modules
tun 3264 3 (autoclean)
ipsec_twofish 35332 0 (unused)
ipsec_sha2 7800 0 (unused)
ipsec_sha1 18488 0 (unused)
ipsec_serpent 11076 0 (unused)
ipsec_md5 4440 4
ipsec_blowfish 8420 0 (unused)
ipsec_aes 31624 0 (unused)
ipsec_3des 17052 4
ipsec 255268 2 [ipsec_twofish ipsec_sha2 ipsec_sha1 ipsec_serpent ipsec_md5 ipsec_blowfish ipsec_aes ipsec_3des]
ipt_MARK 696 5 (autoclean)
sch_ingress 1380 1 (autoclean)
cls_u32 4380 5 (autoclean)
sch_sfq 3008 3 (autoclean)
sch_htb 18688 1 (autoclean)
ipt_MASQUERADE 1272 1 (autoclean)
ipt_mac 568 1 (autoclean)
ipt_mark 440 1 (autoclean)
ipt_TCPMSS 2168 1 (autoclean)
ipt_state 504 17 (autoclean)
ipt_REJECT 2968 3 (autoclean)
ipt_LOG 3616 11 (autoclean)
ipt_limit 792 10 (autoclean)
iptable_mangle 2008 1 (autoclean)
iptable_filter 1612 1 (autoclean)
sk98lin 133096 1
e100 44436 1
ip_nat_quake3 1864 0 (unused)
ip_conntrack_quake3 1992 1
ip_nat_proto_gre 1316 0 (unused)
ip_nat_pptp 2156 0 (unused)
ip_conntrack_pptp 2641 1
ip_conntrack_proto_gre 2069 0 [ip_nat_pptp ip_conntrack_pptp]
ip_nat_mms 2736 0 (unused)
ip_conntrack_mms 2928 1
ip_nat_irc 2032 0 (unused)
ip_conntrack_irc 2864 1
ip_nat_h323 2380 0 (unused)
ip_conntrack_h323 2161 1
ip_nat_ftp 2512 0 (unused)
ip_conntrack_ftp 3664 1
iptable_nat 16142 8 [ipt_MASQUERADE ip_nat_quake3 ip_nat_proto_gre ip_nat_pptp ip_nat_mms ip_nat_irc ip_nat_h323 ip_nat_ftp]
ip_conntrack 19480 7 [ipt_MASQUERADE ipt_state ip_nat_quake3 ip_conntrack_quake3 ip_nat_pptp ip_conntrack_pptp ip_conntrack_proto_gre ip_nat_mms ip_conntrack_mms ip_nat_irc ip_conntrack_irc ip_nat_h323 ip_conntrack_h323 ip_nat_ftp ip_conntrack_ftp iptable_nat]
ip_tables 10944 14 [ipt_MARK ipt_MASQUERADE ipt_mac ipt_mark ipt_TCPMSS ipt_state ipt_REJECT ipt_LOG ipt_limit iptable_mangle iptable_filter iptable_nat]
thermal 6340 0 (unused)
processor 8408 0 [thermal]
fan 1504 0 (unused)
button 2572 0 (unused)
battery 5696 0 (unused)
ac 1696 0
+ _________________________ proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 528252928 388173824 140079104 0 26718208 242171904
Swap: 71299072 1847296 69451776
MemTotal: 515872 kB
MemFree: 136796 kB
MemShared: 0 kB
Buffers: 26092 kB
Cached: 235884 kB
SwapCached: 612 kB
Active: 163548 kB
Inactive: 99096 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 515872 kB
LowFree: 136796 kB
SwapTotal: 69628 kB
SwapFree: 67824 kB
-----Original Message-----
From: users-l-bounces at freebsd.cz [mailto:users-l-bounces at freebsd.cz] On
Behalf Of Dan Lukes
Sent: Wednesday, October 03, 2007 11:10 AM
To: FreeBSD mailing list
Subject: Re: Ipsec with SA established, but NO traffic
Jan Koukal wrote, On 10/03/07 10:43:
> I tried tcpdump on both endpoints. On IPCop I see that my ICMP packets
> go through the ipsec0 interface, but on pfSense I see in tcpdump on the
> external interface "Destination host unreachable 50".
> Tcpdump on the external interface for the command ping -S 192.168.1.1
> 192.168.0.1:
>
> 10:13:21.140393 IP 147.20.148.94 > 88.200.30.145:
> ESP(spi=0x0e9927b4,seq=0x98), length 116
> 10:13:21.151791 IP 88.200.30.145 > 147.20.148.94: ICMP 88.200.30.145
> protocol 50 unreachable, length 144
protocol 50 (= ESP) unreachable would then mean that something on that
machine used to handle ESP and now doesn't.
I'm not entirely sure - is 88.200.30.145 the one the other, working,
tunnel goes to as well?
If so, that would be really odd - perhaps just some local firewall
(though that ought to return administratively prohibited instead, if the
administrator is polite) or a gross configuration error. But I don't see
one there at first glance.
If not, and this is the only IPsec on this machine, then the simplest
possible explanation is that there was a change in the installed
components, the libraries in use, or the kernel options.
Dan
--
Dan Lukes SISAL MFF UK
AKA: dan at obluda.cz, dan at freebsd.cz, dan at (kolej.)mff.cuni.cz
--
FreeBSD mailing list (users-l at freebsd.cz)
http://www.freebsd.cz/listserv/listinfo/users-l
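Dan's reading of the ICMP "protocol 50 unreachable" can be cross-checked against the IPCop's own SA table: in the barf output above, the inbound ESP SA from 147.20.148.94 (esp0x8a790413) carries no bytes/packets counters at all while its outbound partner has sent 175 packets, whereas both directions of the 92.168.77.35 tunnel show traffic. The script below is an added example, not code from the thread, Openswan or IPCop; it parses a /proc/net/ipsec_spi dump in the KLIPS format shown above and flags peers whose outbound ESP SA carries packets but whose inbound SA has never received one. The embedded sample lines are copied from the barf output with the mail wrapping removed.

```python
import re
from collections import defaultdict

# Sample /proc/net/ipsec_spi entries, copied from the IPCop barf output
# above with the mail-client line wrapping removed (constructed test input).
SAMPLE_SPI = """\
esp0x8a790411 at 88.200.30.2 ESP_3DES_HMAC_MD5: dir=in src=92.168.77.35 iv_bits=64bits iv=0x3d1088946b7d77a3 ooowin=64 ooo_errs=3 seq=92 bit=0xffffffffffffffff alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(16088,0,0)addtime(1437,0,0)usetime(498,0,0)packets(92,0,0) idle=109
tun0x10f0 at 147.20.148.94 IPIP: dir=out src=88.200.30.2 life(c,s,h)=bytes(18266,0,0)addtime(564,0,0)usetime(563,0,0)packets(175,0,0) idle=41
esp0xf047f5c at 147.20.148.94 ESP_3DES_HMAC_MD5: dir=out src=88.200.30.2 iv_bits=64bits iv=0x34b81bdd1e9fe9be ooowin=64 seq=175 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(23872,0,0)addtime(564,0,0)usetime(563,0,0)packets(175,0,0) idle=41
esp0xee4a867 at 92.168.77.35 ESP_3DES_HMAC_MD5: dir=out src=88.200.30.2 iv_bits=64bits iv=0x2d72df71f26d104c ooowin=64 seq=108 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(110752,0,0)addtime(1437,0,0)usetime(498,0,0)packets(108,0,0) idle=110
esp0x8a790413 at 88.200.30.2 ESP_3DES_HMAC_MD5: dir=in src=147.20.148.94 iv_bits=64bits iv=0xdb89e79efd60436f ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(564,0,0)
"""

# "<said> at <addr> <proto>: dir=<in|out> src=<src> ..." header of each SA line
HEAD_RE = re.compile(
    r"^(?P<said>\w+0x[0-9a-f]+) at (?P<addr>\S+) (?P<proto>\S+?): "
    r"dir=(?P<dir>in|out) src=(?P<src>\S+)")
# life(c,s,h)=bytes(c,s,h)addtime(c,s,h)...; only the current value (c) is kept
COUNTER_RE = re.compile(r"(?P<name>bytes|addtime|usetime|packets)\((?P<cur>\d+),")


def parse_spi(text):
    """Return one dict per SA line: said, addr, proto, dir, src, peer, counters."""
    sas = []
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if not m:
            continue  # blank or unrecognised line
        sa = m.groupdict()
        # For an outbound SA the 'at' address is the remote peer; for an
        # inbound SA it is our own address and the peer is the src field.
        sa["peer"] = sa["addr"] if sa["dir"] == "out" else sa["src"]
        sa["counters"] = {c.group("name"): int(c.group("cur"))
                          for c in COUNTER_RE.finditer(line)}
        sas.append(sa)
    return sas


def silent_inbound_peers(text, proto_prefix="ESP"):
    """Peers whose outbound ESP SA has carried packets while the matching
    inbound ESP SA has received none (a missing packets counter counts as 0)."""
    by_peer = defaultdict(lambda: {"in": 0, "out": 0})
    for sa in parse_spi(text):
        if not sa["proto"].startswith(proto_prefix):
            continue  # skip the IPIP tunnel pseudo-SAs, count only ESP
        by_peer[sa["peer"]][sa["dir"]] += sa["counters"].get("packets", 0)
    return sorted(p for p, s in by_peer.items() if s["out"] > 0 and s["in"] == 0)


if __name__ == "__main__":
    for peer in silent_inbound_peers(SAMPLE_SPI):
        print(f"{peer}: ESP sent but nothing received back; "
              "check the peer's ESP handling and local firewall")
```

Run against a live box with `silent_inbound_peers(open("/proc/net/ipsec_spi").read())`; a peer listed here together with "protocol 50 unreachable" in tcpdump points at the remote side, not at this gateway's SAs.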