IPsec tunnel mode - ping stops working after 15 minutes without traffic

337
Erik

I have an IPsec connection (tunnel mode) where, after about 15 minutes without traffic, ping stops working and only resumes when a ping is initiated from the other end.

The setup consists of two routers running Linux Openswan 1.5.13-6-g96f6187-dirty (klips).

Below are the configs and the logs for when it works and when it doesn't.

I'm fairly new to IPsec. I tried enabling rekey and compress, but without luck. The iptables look identical when ping works and when it stops working.

Device_1

config setup
    interfaces="ipsec0=wwan0"
    klipsdebug=all
    plutodebug=all
    plutostderrlog=/var/logs/ipsecerr.log
    uniqueids=no
    protostack=klips

conn %default
    keyingtries=0
    authby=secret
    connaddrfamily=ipv4
    type=tunnel
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    compress=no
    rekey=no
    auto=start
    leftupdown="ipsec _updown"

conn remote
    leftid=@Device_1
    left=82.79.119.159
    leftsubnet=10.0.0.0/24
    leftsourceip=10.0.0.250
    #leftnexthop=
    rightid=@Device_2
    right=82.79.119.160
    rightsubnet=10.0.1.5/24
    #rightsourceip=
    #rightnexthop=
    auto=start

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn OEself
    auto=ignore

Device_2

config setup
    interfaces="ipsec0=wwan0"
    klipsdebug=all
    plutodebug=all
    plutostderrlog=/var/logs/ipsecerr.log
    uniqueids=no
    protostack=klips

conn %default
    keyingtries=0
    authby=secret
    connaddrfamily=ipv4
    type=tunnel
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    compress=no
    rekey=no
    auto=start
    leftupdown="ipsec _updown"

conn remote
    leftid=@Device_2
    left=82.79.119.160
    leftsubnet=10.0.1.0/24
    leftsourceip=10.0.1.250
    #leftnexthop=
    rightid=@Device_1
    right=82.79.119.159
    rightsubnet=10.0.0.5/24
    #rightsourceip=
    #rightnexthop=
    auto=start

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn OEself
    auto=ignore

Logs

When ping works:

ipsec_tunnel_start_xmit: STARTING
klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98 hard_header_len:14 aa:92:55:00:cc:e5:aa:92:55:00:cc:e5:08:00
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 34,28
klips_debug:ipsec_findroute: 10.0.0.5:0->10.0.1.5:0 1
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=10.0.0.5, er=0pc31f8be0, daddr=10.0.1.5, er_dst=524f77a0, proto=1 sport=0 dport=0
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=234 of SA:tun.1005@82.79.119.160 requested.
ipsec_sa_get: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0
klips_debug:ipsec_xmit_init2: calling room for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 0,0
klips_debug:ipsec_xmit_init2: calling room for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 24,24
klips_debug:ipsec_xmit_init2: existing head,tailroom: 34,28 before applying xforms with head,tailroom: 44,24 .
klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:44 tottr:24 mtudiff:68 ippkttotlen:84
klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 73 to 1427
klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.
klips_debug:ipsec_xmit_init2: head,tailroom: 48,28 after hard_header stripped.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_init2: head,tailroom: 76,160 after allocation
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_encap_init: calling output for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 20 bytes, putting 0, proto 4.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:ipsec_xmit_cont: after <IPIP>, SA:tun.1005@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29293 frag_off:0 ttl:64 proto:4 chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 0 bytes, putting 0, proto 108.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:skb_compress: .
klips_debug:skb_compress: skipping compression of tiny packet, len=84.
klips_debug:ipsec_xmit_ipcomp: packet did not compress (flags = 1).
klips_debug:ipsec_xmit_cont: after <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29293 frag_off:0 ttl:64 proto:4 chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 24 bytes, putting 24, proto 50.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 32,136 before xform.
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308180 idat=c32f164c ilen=96 iv=c32f163c, encrypt=1
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_xmit_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29293 frag_off:0 ttl:64 proto:50 (ESP) chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (4--) decremented by ipsec_xmit_cont:1286.
klips_debug:ipsec_findroute: 82.79.119.159:0->82.79.119.160:0 50
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:rj_match: *** start searching up the tree, t=0pc31f8be0
klips_debug:rj_match: **** t=0pc31f8bf8
klips_debug:rj_match: **** t=0pc3172680
klips_debug:rj_match: ***** cp2=0pc30963f8 cp3=0pc31d01d0
klips_debug:rj_match: ***** not found.
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,136
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,136
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:wwan0
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29293 frag_off:0 ttl:64 proto:50 (ESP) chk:29673 saddr:82.79.119.159 daddr:82.79.119.160
klips_debug: ipsec_rcv_init(st=0,nxt=1)
klips_debug:ipsec_rcv_init: <<< Info -- skb->dev=wwan0
klips_debug:ipsec_rcv_init: assigning packet ownership to virtual device ipsec0 from physical device wwan0.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:61055 frag_off:0 ttl:63 proto:50 (ESP) chk:63702 saddr:82.79.119.160 daddr:82.79.119.159
klips_debug: ipsec_rcv_decap_init(st=1,nxt=2)
klips_debug: ipsec_rcv_decap_lookup(st=2,nxt=3)
klips_debug: ipsec_rcv_auth_init(st=3,nxt=4)
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=158 of SA:esp.1f2673db@82.79.119.159 requested.
ipsec_sa_get: ipsec_sa c32a8000 SA:esp.1f2673db@82.79.119.159, ref:17 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_rcv_auth_init: SA:esp.1f2673db@82.79.119.159, src=82.79.119.160 of pkt agrees with expected SA source address policy.
klips_debug:ipsec_rcv_auth_init: SA:esp.1f2673db@82.79.119.159 First SA in group.
klips_debug:ipsec_rcv_auth_init: natt_type=0 tdbp->ips_natt_type=0 : ok
klips_debug:ipsec_rcv: packet from 82.79.119.160 received with seq=19 (iv)=0x77865e0e44db14b0 iplen=132 esplen=120 sa=esp.1f2673db@82.79.119.159
klips_debug: ipsec_rcv_auth_calc(st=5,nxt=6)
klips_debug:ipsec_rcv_auth_calc: encalg = 12, authalg = 3.
klips_debug: ipsec_rcv_auth_chk(st=6,nxt=7) - will check
klips_debug:ipsec_rcv_auth_chk: authentication successful.
klips_debug: ipsec_rcv_decrypt(st=7,nxt=8)
klips_debug:ipsec_rcv: encalg=12 esphlen=24
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308240 idat=c3bd223c ilen=96 iv=c3bd222c, encrypt=0
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_rcv_esp_post_decrypt: padlen=10, contents: 0x<offset>: 0x<value> 0x<value> ...
klips_debug: 00: 01 02 03 04 05 06 07 08 09 0a
klips_debug:ipsec_rcv_esp_post_decrypt: packet decrypted from 82.79.119.160: next_header = 4, padding = 10
klips_debug:ipsec_rcv: trimming to 84.
klips_debug: ipsec_rcv_decap_cont(st=8,nxt=9)
klips_debug: ipsec_rcv_auth_chk(st=8,nxt=9) - already checked
klips_debug:ipsec_rcv_decap_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.1f2673db@82.79.119.159:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:61055 frag_off:0 ttl:63 proto:4 chk:63796 saddr:82.79.119.160 daddr:82.79.119.159
klips_debug:ipsec_rcv_decap_cont: SA:esp.1f2673db@82.79.119.159, Another IPSEC header to process.
klips_debug: ipsec_rcv_cleanup(st=9,nxt=11)
ipsec_sa_get: ipsec_sa c32a8800 SA:comp.b26d@82.79.119.159, ref:16 reference count (3++) incremented by ipsec_rcv_cleanup:1798.
ipsec_sa_get: ipsec_sa c3191400 SA:tun.1006@82.79.119.159, ref:15 reference count (3++) incremented by ipsec_rcv_cleanup:1815.
ipsec_sa_put: ipsec_sa c32a8000 SA:esp.1f2673db@82.79.119.159, ref:17 reference count (4--) decremented by ipsec_rcv_cleanup:1818.
klips_debug:ipsec_rcv_decap_ipip: IPIP tunnel stripped.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:34482 frag_off:0 ttl:63 proto:1 (ICMP) chk:57325 saddr:10.0.1.5 daddr:10.0.0.5 type:code=0:0
klips_debug:ipsec_rcv_decap_ipip: IPIP SA sets skb->nfmark=0x800f0000.
klips_debug: ipsec_rcv_complete(st=11,nxt=100)
klips_debug:ipsec_rcv_complete: netif_rx(ipsec0) called.
ipsec_sa_put: ipsec_sa c32a8800 SA:comp.b26d@82.79.119.159, ref:16 reference count (4--) decremented by ipsec_rsm:2019.
ipsec_sa_put: ipsec_sa c3191400 SA:tun.1006@82.79.119.159, ref:15 reference count (4--) decremented by ipsec_rsm:2024.

When ping does not work:

ipsec_tunnel_start_xmit: STARTING
klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98 hard_header_len:14 aa:92:55:00:cc:e5:aa:92:55:00:cc:e5:08:00
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 34,28
klips_debug:ipsec_findroute: 10.0.0.5:0->10.0.1.5:0 1
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=10.0.0.5, er=0pc31f8be0, daddr=10.0.1.5, er_dst=524f77a0, proto=1 sport=0 dport=0
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=234 of SA:tun.1005@82.79.119.160 requested.
ipsec_sa_get: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0
klips_debug:ipsec_xmit_init2: calling room for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 0,0
klips_debug:ipsec_xmit_init2: calling room for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 24,24
klips_debug:ipsec_xmit_init2: existing head,tailroom: 34,28 before applying xforms with head,tailroom: 44,24 .
klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:44 tottr:24 mtudiff:68 ippkttotlen:84
klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 73 to 1427
klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.
klips_debug:ipsec_xmit_init2: head,tailroom: 48,28 after hard_header stripped.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_init2: head,tailroom: 76,160 after allocation
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_encap_init: calling output for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 20 bytes, putting 0, proto 4.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:ipsec_xmit_cont: after <IPIP>, SA:tun.1005@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29295 frag_off:0 ttl:64 proto:4 chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 0 bytes, putting 0, proto 108.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:skb_compress: .
klips_debug:skb_compress: skipping compression of tiny packet, len=84.
klips_debug:ipsec_xmit_ipcomp: packet did not compress (flags = 1).
klips_debug:ipsec_xmit_cont: after <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29295 frag_off:0 ttl:64 proto:4 chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 24 bytes, putting 24, proto 50.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 32,136 before xform.
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308180 idat=c320cc4c ilen=96 iv=c320cc3c, encrypt=1
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_xmit_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29295 frag_off:0 ttl:64 proto:50 (ESP) chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (4--) decremented by ipsec_xmit_cont:1286.
klips_debug:ipsec_findroute: 82.79.119.159:0->82.79.119.160:0 50
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:rj_match: *** start searching up the tree, t=0pc31f8be0
klips_debug:rj_match: **** t=0pc31f8bf8
klips_debug:rj_match: **** t=0pc3172680
klips_debug:rj_match: ***** cp2=0pc30963f8 cp3=0pc31d01d0
klips_debug:rj_match: ***** not found.
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,136
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,136
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:wwan0
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29295 frag_off:0 ttl:64 proto:50 (ESP) chk:29671 saddr:82.79.119.159 daddr:82.79.119.160

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in     out    source     destination
   0     0 ACCEPT all  --  lo     *      0.0.0.0/0  0.0.0.0/0    /* Control loopback interface input */
   0     0 ACCEPT udp  --  wwan0  *      0.0.0.0/0  0.0.0.0/0    udp dpt:8080 /* Control web port connection attempts */
   0     0 ACCEPT tcp  --  wwan0  *      0.0.0.0/0  0.0.0.0/0    tcp dpt:8080 flags:0x17/0x02 /* Control web port connection attempts */
 342 49352 ACCEPT all  --  *      *      0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED /* Allow incoming WAN traffic in response to established connection */
   0     0 DROP   all  --  wwan0  *      0.0.0.0/0  0.0.0.0/0    /* Control interface traffic */
   0     0 ACCEPT all  --  lo     *      0.0.0.0/0  0.0.0.0/0    /* Control interface traffic */
  35 11480 ACCEPT all  --  eth0   *      0.0.0.0/0  0.0.0.0/0    /* Control interface traffic */
   7   203 ACCEPT all  --  ipsec0 *      0.0.0.0/0  0.0.0.0/0    /* Control interface traffic */

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in     out    source     destination
  27  2268 ACCEPT all  --  *      ipsec0 0.0.0.0/0  0.0.0.0/0    state NEW /* Forward new connection attempts out WAN port */
 464 38976 ACCEPT all  --  *      *      0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED /* Forward established connections (where?) */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in     out    source     destination
   0     0 ACCEPT all  --  *      lo     0.0.0.0/0  0.0.0.0/0    /* Control loopback interface output */
   0     0 ACCEPT udp  --  *      wwan0  0.0.0.0/0  0.0.0.0/0    udp dpt:8080 /* Control web port connection attempts */
   0     0 ACCEPT tcp  --  *      wwan0  0.0.0.0/0  0.0.0.0/0    tcp dpt:8080 flags:0x17/0x02 /* Control web port connection attempts */
   0     0 ACCEPT all  --  *      ipsec0 0.0.0.0/0  0.0.0.0/0    state NEW /* Allow new outbound WAN connections */
 360 52568 ACCEPT all  --  *      wwan0  0.0.0.0/0  0.0.0.0/0    /* Control interface traffic */
   0     0 ACCEPT all  --  *      lo     0.0.0.0/0  0.0.0.0/0    /* Control interface traffic */
   0     0 ACCEPT all  --  *      eth0   0.0.0.0/0  0.0.0.0/0    /* Control interface traffic */
   0     0 ACCEPT all  --  *      ipsec0 0.0.0.0/0  0.0.0.0/0    /* Control interface traffic */
0
It sounds more like an interface configuration problem than a VPN problem. schroeder 5 years ago 0
What operating system are these routers running? The Openswan version you mention doesn't seem to exist anywhere else. (And the 1.x series would be a good 12 years old!) grawity 5 years ago 0
Yes, we are pretty old. Most likely we will switch to Strongswan and check the behavior there. Thanks guys! Erik 5 years ago 0

1 answer to the question

0
Erik

We solved the problem by adding a keepalive on each device every 5 minutes that points to the LAN IP of the remote device. Dem workarounds! :)
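
The keepalive described in the answer could look like the sketch below. It is an added example, not part of the original post. The two addresses are the leftsourceip values from the posted configs; the script path, retry count and log text are assumptions.

```shell
#!/bin/sh
# Added example: periodic keepalive through the IPsec tunnel from the question.
# Assumed names: script path in the cron comment, PING override, log wording.

PING="${PING:-ping}"   # overridable so the retry logic can be exercised offline

# tunnel_keepalive LOCAL_LAN_IP REMOTE_LAN_IP [TRIES]
# Sends one echo request per try, sourced from the local LAN address so the
# packet falls inside the leftsubnet<->rightsubnet selectors and is sent
# through the tunnel instead of going out in the clear.
# Returns 0 as soon as one reply arrives, 1 if every try is lost.
tunnel_keepalive() {
    local_ip=$1
    remote_ip=$2
    tries=${3:-3}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if "$PING" -c 1 -W 5 -I "$local_ip" "$remote_ip" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
    done
    echo "ipsec-keepalive: no reply from $remote_ip via $local_ip after $tries tries" >&2
    return 1
}

# Runs only when addresses are given, e.g. from cron on Device_1:
#   */5 * * * * /usr/local/sbin/ipsec-keepalive.sh 10.0.0.250 10.0.1.250
# and on Device_2 with the two addresses swapped.
if [ "$#" -ge 2 ]; then
    tunnel_keepalive "$@"
fi
```

A non-zero exit after all tries are lost gives cron or a monitoring job a signal that the tunnel is not passing traffic even though the SAs are still installed, which is the state shown in the second log.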