IPSec pinging between packets between interfaces...

snapple42 · January 13, 2015, 5:12pm

Hi All…

I’m still struggling with VPN’s…

I have an IPSEC tunnel up and running with an external site.

I can ping External site -> vpn -> vpn server and vpn-server -> vpn -> exernal site

When I try to ping a server from the external site, to the internal site or reverse, nothing gets through.

I can see the pings going out to the far end server, and the replys being sent back, but those responses can’t make the jump from eth1 (vpn) to eth0 (internal network)…

Anyone able to help? I’ve attached my config:

Here are some pings to/from servers:

listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:09:22.009530 IP 206.XXX.XXX.XXX > AAA.XXX.XXX.97: ICMP echo request, id 1024, seq 4228, length 24
17:09:22.389161 IP 192.168.35.104 > 192.168.30.10: ICMP echo request, id 1, seq 474, length 40
17:09:22.390801 IP 192.168.30.10 > 192.168.35.104: ICMP echo reply, id 1, seq 474, length 40
17:09:22.390843 IP 192.168.30.10 > 192.168.35.104: ICMP echo reply, id 1, seq 474, length 40
17:09:27.168816 IP 192.168.35.104 > 192.168.30.10: ICMP echo request, id 1, seq 475, length 40
17:09:27.170338 IP 192.168.30.10 > 192.168.35.104: ICMP echo reply, id 1, seq 475, length 40
17:09:27.170380 IP 192.168.30.10 > 192.168.35.104: ICMP echo reply, id 1, seq 475, length 40
17:09:32.034946 IP 206.XXX.XXX.XXX > AAA.XXX.XXX.97: ICMP echo request, id 1024, seq 4528, length 24
17:09:32.168716 IP 192.168.35.104 > 192.168.30.10: ICMP echo request, id 1, seq 476, length 40
17:09:32.170232 IP 192.168.30.10 > 192.168.35.104: ICMP echo reply, id 1, seq 476, length 40
17:09:32.170279 IP 192.168.30.10 > 192.168.35.104: ICMP echo reply, id 1, seq 476, length 40
17:09:37.168916 IP 192.168.35.104 > 192.168.30.10: ICMP echo request, id 1, seq 477, length 40
17:09:37.170482 IP 192.168.30.10 > 192.168.35.104: ICMP echo reply, id 1, seq 477, length 40
17:09:37.170526 IP 192.168.30.10 > 192.168.35.104: ICMP echo reply, id 1, seq 477, length 40
17:09:42.060666 IP 206.XXX.XXX.XXX > AAA.XXX.XXX.97: ICMP echo request, id 1024, seq 4928, length 24
17:09:42.168839 IP 192.168.35.104 > 192.168.30.10: ICMP echo request, id 1, seq 478, length 40
17:09:42.170381 IP 192.168.30.10 > 192.168.35.104: ICMP echo reply, id 1, seq 478, length 40
17:09:42.170422 IP 192.168.30.10 > 192.168.35.104: ICMP echo reply, id 1, seq 478, length 40
17:09:47.168970 IP 192.168.35.104 > 192.168.30.10: ICMP echo request, id 1, seq 479, length 40
17:09:47.170545 IP 192.168.30.10 > 192.168.35.104: ICMP echo reply, id 1, seq 479, length 40
17:09:47.170592 IP 192.168.30.10 > 192.168.35.104: ICMP echo reply, id 1, seq 479, length 40

I am ping ing from 192.168.35.104 to 192.168.30.10… 192.168.35.104 allways times out on pings…

Thanks!
Derrick

snapple42 · January 14, 2015, 2:20pm

I think I’ve tracked it down… one thing I forgot to mention was it was running under Openstack…

I can see the pings on the TAP interface on the bare metal host, but they don’t leave the server…

Will follow up with what I find…

snapple42 · January 14, 2015, 3:32pm

Found the problem…

Bridge Netfilters were blocking the packets… fixed with:
echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables