[ale] VPN (s are) hell
Dow Hurst
Dow.Hurst at mindspring.com
Wed May 4 02:11:02 EDT 2005
One way of troubleshooting such a setup is to have four machines in a
testbed separated from any other network. Is that what you're working
on? That way you won't risk the real LANs. Are you sure you're routing
TCP and UDP traffic properly? You might have the rules but not the
routes installed correctly. You could post your netstat -rn for us.
For later, when the thing is working:
If the VPN dies, what will happen to the packets intended for the LAN from
the other LAN? Will they leave the originating LAN and then be received
by the other end, but just not go through the tunnel since that died? How
specific are you on your ruleset and routing?
Dow
James P. Kinney III wrote:
>I have a new VPN I'm setting up and it just isn't working right. I'm
>sure it's a firewall issue but I'm stumped.
>
>It's a net-to-net setup using OpenSwan on the gateways. From one end on
>the LAN, I can ping another machine on the other LAN by IP address.
>However, I _can't_ ping back the other way which is why I think it's a
>firewall issue. I can see the traffic moving with tcpdump running on
>multiple interfaces. I can see the ESP packets leaving and returning to
>the external interfaces and I can see the decrypted packets entering the
>LAN interfaces. I did some ping size tests and can get a max MTU of
>15236 which is bigger than normal.
>
>I can't get jack else through the tunnel. No ssh, no http, no netbios,
>no telnet, nada, bipcus.
>
>I set up a rule in iptables on both ends to not NAT the traffic for the
>other end (I don't expect I should be seeing any pings work otherwise).
>
>I have both ends of the firewall so open I'm worried right now.
>
>So I have developed a one way ping tunnel. Argghhhhh.
>
>
>_______________________________________________
>Ale mailing list
>Ale at ale.org
>http://www.ale.org/mailman/listinfo/ale
>
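Worked example added by the editor, not code from either poster, covering the two things Dow asks for: the netstat -rn check, and what happens to LAN-to-LAN packets once the tunnel is down. route_lookup does the longest-prefix match you would otherwise do by eye on a pasted routing table, so you can see which interface a packet for the other LAN leaves on with the tunnel up and what it falls back to once the ipsec0 route is gone (the cleartext leak Dow is hinting at). emit_rules prints an iptables ruleset in which LAN-to-LAN traffic is forwarded only if the kernel actually applied an IPsec policy to it and is dropped otherwise, so a dead tunnel fails closed instead of sending private-address traffic out the external interface; it also carries the no-NAT exemption James describes. Every address and interface is assumed for illustration (LAN A 10.1.0.0/24 behind eth1, LAN B 10.2.0.0/24, external eth0 with default gateway 192.0.2.1) and both routing tables are constructed. Caveat: the iptables policy match needs the NETKEY/xfrm IPsec stack; the 2005-era KLIPS stack instead routes through ipsec0, where interface-based rules do the same job. The TCPMSS clamp is the standard fix for TCP sessions stalling inside an ESP tunnel while ping still works.

```shell
#!/bin/sh
# Added example for this thread (not code from the list post).
# Assumed: LAN A 10.1.0.0/24 behind gateway A (external eth0, internal eth1),
# LAN B 10.2.0.0/24 on the far side. Routing tables below are constructed.

# Constructed `netstat -rn` from gateway A with a KLIPS tunnel up:
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.2.0.0        0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
10.1.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0'

# Same table after the tunnel went down and its ipsec0 route was removed:
SAMPLE_ROUTES_DOWN=$(printf '%s\n' "$SAMPLE_ROUTES" | grep -v ipsec0)

# route_lookup DEST_IP  (netstat -rn text on stdin)
# Prints "GATEWAY IFACE" for the longest-prefix route matching DEST_IP,
# i.e. where a packet for that address actually leaves the box.
# POSIX awk only; contiguous netmasks assumed.
route_lookup() {
    awk -v dst="$1" '
    function ip2n(s,  a) {
        split(s, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    BEGIN { d = ip2n(dst); best = -1 }
    # data rows only: Destination Gateway Genmask Flags MSS Window irtt Iface
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && NF == 8 {
        mask = ip2n($3)
        # network part of dst under this mask: strip the host bits
        if (d - d % (4294967296 - mask) == ip2n($1) && mask > best) {
            best = mask; gw = $2; dev = $8
        }
    }
    END { if (best >= 0) print gw, dev }'
}

# emit_rules LOCAL_NET REMOTE_NET EXT_IF
# Prints the iptables commands instead of running them, so the ruleset
# can be read (or diffed against the live one) before it is applied.
emit_rules() {
    local_net=$1; remote_net=$2; ext_if=$3
    cat <<EOF
# IKE and ESP addressed to the gateway itself
iptables -A INPUT -i $ext_if -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $ext_if -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $ext_if -p esp -j ACCEPT
# Do not NAT traffic bound for the other LAN (must sit before MASQUERADE)
iptables -t nat -I POSTROUTING 1 -s $local_net -d $remote_net -j ACCEPT
# Fail closed: LAN-to-LAN packets the kernel did not match to an IPsec
# policy are dropped, never forwarded in the clear via the default route
iptables -I FORWARD 1 -s $local_net -d $remote_net -m policy --dir out --pol none -j DROP
iptables -I FORWARD 2 -s $remote_net -d $local_net -m policy --dir in --pol none -j DROP
# Forward only what the tunnel carries; stateful return traffic as usual
iptables -A FORWARD -s $local_net -d $remote_net -m policy --dir out --pol ipsec -j ACCEPT
iptables -A FORWARD -s $remote_net -d $local_net -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ESP overhead shrinks the path MTU; clamp TCP MSS so sessions do not stall
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -s $local_net -d $remote_net -j TCPMSS --clamp-mss-to-pmtu
EOF
}

case "${1:-}" in
    lookup) printf '%s\n' "$SAMPLE_ROUTES" | route_lookup "$2" ;;        # e.g. lookup 10.2.0.5
    down)   printf '%s\n' "$SAMPLE_ROUTES_DOWN" | route_lookup "$2" ;;   # same, tunnel down
    rules)  emit_rules 10.1.0.0/24 10.2.0.0/24 eth0 ;;                   # print the ruleset
    apply)  emit_rules 10.1.0.0/24 10.2.0.0/24 eth0 | sh -e ;;           # run it (root, NETKEY)
esac
```

Run it with `lookup 10.2.0.5` and then `down 10.2.0.5`: with the tunnel up the packet goes out ipsec0, with it down the same packet takes the default route out eth0 towards 192.0.2.1 in the clear, which is exactly why the policy-based DROP rules belong in FORWARD. To use it against a real box, replace SAMPLE_ROUTES with `netstat -rn` output piped into route_lookup.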