With the following setup (two providers, two IPsec tunnels, both of them "INSTALLED" according to ipsec status) I get only one entry in table 220:

providers:
tcom    1   0x100   -   ppp0    -               balance=2   -
netco   2   0x200   -   eth4    aaa.bbb.77.217  balance=1   -

tcrules:
0x100:P  0.0.0.0/0
0x100    $FW
0x200    -          aaa.bbb.77.202

zones:
pktgh  ipsec  mode=tunnel mss=1024
# Praxis G
jung   ipsec  mode=tunnel mss=1024
# diagnostics

hosts:
pktgh  eth4:192.168.223.0/24,aaa.bbb.77.202  ipsec
jung   ppp0:192.168.1.0/24                   ipsec

root@router-pikt-1:~# ip route show table 220
192.168.223.0/24 via aaa.bbb.77.217 dev eth4 proto static src 192.168.222.241

192.168.223.71 is pingable.
A ping to 192.168.1.4 isn't successful.

Why is there no entry for 192.168.1.0/24 src 192.168.222.241 in table 220?

Axel
--
We use only organically grown blue electrons.

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
On 10/28/2013 10:07 AM, Axel Zöllich wrote:
> With the following setup (two providers, two IPsec tunnels, both of them
> "INSTALLED" according to ipsec status) I get only one entry in table 220:
>
> providers:
> tcom    1   0x100   -   ppp0    -               balance=2   -
> netco   2   0x200   -   eth4    aaa.bbb.77.217  balance=1   -
>
> tcrules:
> 0x100:P  0.0.0.0/0
> 0x100    $FW
> 0x200    -          aaa.bbb.77.202
>
> zones:
> pktgh  ipsec  mode=tunnel mss=1024
> # Praxis G
> jung   ipsec  mode=tunnel mss=1024
> # diagnostics
>
> hosts:
> pktgh  eth4:192.168.223.0/24,aaa.bbb.77.202  ipsec
> jung   ppp0:192.168.1.0/24                   ipsec
>
> root@router-pikt-1:~# ip route show table 220
> 192.168.223.0/24 via aaa.bbb.77.217 dev eth4 proto static src 192.168.222.241
>
> 192.168.223.71 is pingable.
> A ping to 192.168.1.4 isn't successful.
>
> Why is there no entry for 192.168.1.0/24 src 192.168.222.241 in table 220?

There is no provider 220, so Shorewall is not maintaining that table.

Where are you pinging from?

-Tom
--
Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net  \________________________________________________
On Monday, 28 October 2013, 11:56:08 Tom Eastep wrote:
> On 10/28/2013 10:07 AM, Axel Zöllich wrote:
> > With the following setup (two providers, two IPsec tunnels, both of them
> > "INSTALLED" according to ipsec status) I get only one entry in table 220:
> >
> > providers:
> > tcom    1   0x100   -   ppp0    -               balance=2   -
> > netco   2   0x200   -   eth4    aaa.bbb.77.217  balance=1   -
> >
> > tcrules:
> > 0x100:P  0.0.0.0/0
> > 0x100    $FW
> > 0x200    -          aaa.bbb.77.202
> >
> > zones:
> > pktgh  ipsec  mode=tunnel mss=1024
> > # Praxis G
> > jung   ipsec  mode=tunnel mss=1024
> > # diagnostics
> >
> > hosts:
> > pktgh  eth4:192.168.223.0/24,aaa.bbb.77.202  ipsec
> > jung   ppp0:192.168.1.0/24                   ipsec
> >
> > root@router-pikt-1:~# ip route show table 220
> > 192.168.223.0/24 via aaa.bbb.77.217 dev eth4 proto static src 192.168.222.241
> >
> > 192.168.223.71 is pingable.
> > A ping to 192.168.1.4 isn't successful.
> >
> > Why is there no entry for 192.168.1.0/24 src 192.168.222.241 in table 220?
>
> There is no provider 220, so Shorewall is not maintaining that table.

But where is the table coming from?

> Where are you pinging from?

From the router itself, with the following network interfaces:

auto eth0
iface eth0 inet static
    address 192.168.222.241
    netmask 255.255.255.0
    gateway 192.168.222.241

auto eth1
iface eth1 inet static
    address 192.168.122.189
    netmask 255.255.255.252
    up route add -host 172.18.1.1/32 gw 192.168.122.190

auto eth3
iface eth3 inet static
    address 192.168.122.97
    netmask 255.255.255.224

auto eth4
iface eth4 inet static
    address 212.117.77.218
    netmask 255.255.255.248
    up ip addr add 212.117.77.222/29 brd 212.117.77.223 dev eth4 label eth4:0

auto dsl-provider
iface dsl-provider inet ppp
    pre-up /sbin/ifconfig eth5 up # line maintained by pppoeconf
    provider dsl-provider

auto eth5
iface eth5 inet manual
    post-up /sbin/ip addr add 192.168.57.242/30 dev eth5

Axel
------------------------------------------------------------------------------ Android is increasing in popularity, but the open development platform that developers love is also attractive to malware creators. Download this white paper to learn more about secure code signing practices that can help keep Android apps secure. http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
On 10/28/2013 12:17 PM, Axel Zöllich wrote:
> On Monday, 28 October 2013, 11:56:08 Tom Eastep wrote:
>> On 10/28/2013 10:07 AM, Axel Zöllich wrote:
>>> With the following setup (two providers, two IPsec tunnels, both of them
>>> "INSTALLED" according to ipsec status) I get only one entry in table 220:
>>>
>>> providers:
>>> tcom    1   0x100   -   ppp0    -               balance=2   -
>>> netco   2   0x200   -   eth4    aaa.bbb.77.217  balance=1   -
>>>
>>> tcrules:
>>> 0x100:P  0.0.0.0/0
>>> 0x100    $FW
>>> 0x200    -          aaa.bbb.77.202
>>>
>>> zones:
>>> pktgh  ipsec  mode=tunnel mss=1024
>>> # Praxis G
>>> jung   ipsec  mode=tunnel mss=1024
>>> # diagnostics
>>>
>>> hosts:
>>> pktgh  eth4:192.168.223.0/24,aaa.bbb.77.202  ipsec
>>> jung   ppp0:192.168.1.0/24                   ipsec
>>>
>>> root@router-pikt-1:~# ip route show table 220
>>> 192.168.223.0/24 via aaa.bbb.77.217 dev eth4 proto static src 192.168.222.241
>>>
>>> 192.168.223.71 is pingable.
>>> A ping to 192.168.1.4 isn't successful.
>>>
>>> Why is there no entry for 192.168.1.0/24 src 192.168.222.241 in table 220?
>>
>> There is no provider 220, so Shorewall is not maintaining that table.
>
> But where is the table coming from?

Not Shorewall.

>> Where are you pinging from?
>
> From the router itself, with the following network interfaces:

With what source IP address?

-Tom
> >> There is no provider 220, so Shorewall is not maintaining that table.
> >
> > But where is the table coming from?
>
> Not Shorewall.

But strongSwan or pppd?
I'm getting more and more lost.
The final routing table(s) are a mixture from different sources, but which rules are under the control of Shorewall?

> >> Where are you pinging from?
> >
> > From the router itself, with the following network interfaces:
>
> With what source IP address?

Nice question...

ping 192.168.1.4
No response.

ping -I 192.168.222.241 192.168.1.4
I get an answer.

Thank you for this hint with its promising result, but I don't understand what I'm doing.

Axel
On 10/28/2013 12:58 PM, Axel Zöllich wrote:
>>>> There is no provider 220, so Shorewall is not maintaining that table.
>>>
>>> But where is the table coming from?
>>
>> Not Shorewall.
>
> But strongSwan or pppd?
> I'm getting more and more lost.
> The final routing table(s) are a mixture from different sources, but which rules
> are under the control of Shorewall?
>
>>>> Where are you pinging from?
>>>
>>> From the router itself, with the following network interfaces:
>>
>> With what source IP address?
>
> Nice question...
>
> ping 192.168.1.4
> No response.
>
> ping -I 192.168.222.241 192.168.1.4
> I get an answer.
>
> Thank you for this hint with its promising result, but I don't understand what I'm
> doing.

IPSEC doesn't depend on routing to direct the tunneled traffic. It rather uses the Security Policy Database (SPD). You can see the contents of the SPD in the 'shorewall dump' output.

An SPD entry basically says "if a packet with a matching source address, destination address, and protocol is sent, then it should be handled in a particular way."

There is a presentation on this subject at http://www.shorewall.net/LinuxFest2005.pdf.

-Tom
> >>>> Where are you pinging from?
> >> With what source IP address?

> IPSEC doesn't depend on routing to direct the tunneled traffic. It
> rather uses the Security Policy Database (SPD). You can see the contents
> of the SPD in the 'shorewall dump' output.
>
> An SPD entry basically says "if a packet with a matching source address,
> destination address, and protocol is sent, then it should be handled in
> a particular way."

Which raises the question of which IP ping uses as the source IP if there is no -I option? In my case it's the IP of ppp0.
Generally speaking, is this the IP of the first local interface passed during the ping?

Axel
> Which raises the question of which IP ping uses as the source IP if there is no -I
> option? In my case it's the IP of ppp0.
> Generally speaking, is this the IP of the first local interface passed during
> the ping?

As far as I understand now, ping uses the 'src' argument one can see in 'ip route'.

Axel
On 10/30/2013 9:41 AM, Axel Zöllich wrote:
>> Which raises the question of which IP ping uses as the source IP if there is no -I
>> option? In my case it's the IP of ppp0.
>> Generally speaking, is this the IP of the first local interface passed during
>> the ping?
>
> As far as I understand now, ping uses the 'src' argument one can see in 'ip
> route'.

That's correct.

-Tom
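The two points settled in this thread (Tom's explanation that the SPD selectors, not the routing table, decide whether a packet is tunneled, and the closing point that an unbound ping takes its source address from the route's src hint) can be modelled together. The Python below is an added example, not code from the thread, from Shorewall or from strongSwan. The interface addresses and the table 220 route are transcribed from Axel's postings; the ppp0 address (203.0.113.10), a default route via ppp0, the name of the jung peer and the SPD selectors (192.168.222.0/24 towards each remote network) are assumptions. One fact from outside the thread: table 220 is strongSwan's documented default for routes installed by charon (charon.routing_table = 220), which is where the src hint on the 192.168.223.0/24 route comes from.

```python
"""Why 'ping 192.168.1.4' fails on the router but 'ping -I 192.168.222.241 192.168.1.4'
works: outbound packets first get a route (and, if the socket is unbound, a source
address from that route), and only then are matched against the SPD. A source that
falls outside every SPD selector leaves the box in the clear, tunnel or no tunnel.

Constructed model; addresses marked 'assumed' are not from the thread."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    dev: str
    src: IPv4          # 'src' hint, or the outgoing interface's primary address


@dataclass(frozen=True)
class Policy:
    src_sel: Net       # SPD selectors (assumed: local LAN towards each remote network)
    dst_sel: Net
    direction: str     # "out" | "in" | "fwd"
    peer: str


# Primary addresses from the posted /etc/network/interfaces; ppp0 is assumed (TEST-NET-3).
IFACE_ADDR = {
    "eth0": IPv4("192.168.222.241"),
    "eth4": IPv4("212.117.77.218"),
    "ppp0": IPv4("203.0.113.10"),   # assumed PPPoE address
}

# Policy-routing rules are consulted in order. Table 220 (strongSwan's default) holds the
# route exactly as 'ip route show table 220' printed it; the main table is assumed.
TABLES = {
    220: [Route(Net("192.168.223.0/24"), "eth4", IPv4("192.168.222.241"))],
    "main": [
        Route(Net("192.168.222.0/24"), "eth0", IFACE_ADDR["eth0"]),
        Route(Net("0.0.0.0/0"), "ppp0", IFACE_ADDR["ppp0"]),   # assumed default via ppp0
    ],
}
RULE_ORDER = [220, "main"]

# Outbound SPD as a list; the jung peer address is not in the thread, so it is a label.
SPD = [
    Policy(Net("192.168.222.0/24"), Net("192.168.223.0/24"), "out", "aaa.bbb.77.202"),
    Policy(Net("192.168.222.0/24"), Net("192.168.1.0/24"), "out", "jung-peer (assumed)"),
]


def lookup(dst, bind_src=None):
    """Longest-prefix match, tables in rule order. Returns (route, source address).
    An unbound socket (plain 'ping') inherits the route's src hint; 'ping -I' fixes it."""
    dst = IPv4(dst)
    for table in RULE_ORDER:
        matches = [r for r in TABLES[table] if dst in r.prefix]
        if matches:
            best = max(matches, key=lambda r: r.prefix.prefixlen)
            return best, (IPv4(bind_src) if bind_src else best.src)
    raise RuntimeError(f"no route to {dst}")


def spd_match(src, dst):
    """First outbound policy whose selectors cover (src, dst); None means 'send in clear'."""
    src, dst = IPv4(src), IPv4(dst)
    for pol in SPD:
        if pol.direction == "out" and src in pol.src_sel and dst in pol.dst_sel:
            return pol
    return None


def send(dst, bind_src=None):
    """Model one outbound packet: route -> source selection -> SPD check."""
    route, src = lookup(dst, bind_src)
    pol = spd_match(src, dst)
    return {"src": str(src), "dev": route.dev, "tunnel": pol.peer if pol else None}


if __name__ == "__main__":
    for dst, bind in [("192.168.223.71", None), ("192.168.1.4", None),
                      ("192.168.1.4", "192.168.222.241")]:
        cmd = f"ping {'-I ' + bind + ' ' if bind else ''}{dst}"
        print(f"{cmd:40} -> {send(dst, bind)}")
```

The 192.168.223.0/24 case works without -I only because the route in table 220 carries src 192.168.222.241, which lands inside the SPD selector; for 192.168.1.0/24 no such route exists, the default route via ppp0 supplies the ppp0 address, no selector covers it, and the ping goes out unprotected and unanswered. On a real box the equivalent checks are `ip route get 192.168.1.4` (shows the src the kernel would pick) and `ip xfrm policy` (the live SPD).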