I'm forwarding a message that was sent directly to me, with the sender's
permission, because I myself do not have enough time to tackle this.
JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
[EMAIL PROTECTED]
> >>>>> On Tue, 4 Sep 2001 20:26:04 -0400,
> >>>>> "Matthew Emmerton" <[EMAIL PROTECTED]> said:
>
> > I've got a question for all of you net hackers.
> > When I configure a gif interface, why can't I ping the local endpoint on the
> > inside of the tunnel? I've just been through hell and back trying to get
> > some IPSec tunnels created (they're working now, thanks to all those who
> > helped me out), and this was one of my big stumbling blocks -- since I
> > couldn't ping the local or remote endpoint of the gif tunnel, I spent much
> > time chasing down problems with gif when it wasn't a problem at all.
>
> Please be more specific. I guess we need at least
>
> - the version of the OS
> - the result of 'ifconfig -a'
> - the result of 'gifconfig -a'
> - the result of 'netstat -rnal'
> - the exact output of ping (do not *describe* the situation, please.
> just copy and paste the output -by script(1) etc-)
The information you requested is attached. I've also included a 'netstat -p ipsec'
and the output from 'setkey -D' and 'setkey -PD'. This is the configuration for
the system on one end of the tunnel; the other configuration is identical with
the expected IP address changes.
Telnet and other interactive sessions work fine across the link (and are ESP
encapsulated), but pings to the endpoints or to remote systems do not.
--
Matt Emmerton
Script started on Thu Sep 6 10:32:28 2001
waterloo.heers.on.ca# uname -a
FreeBSD waterloo.heers.on.ca 4.3-RELEASE-p14 FreeBSD 4.3-RELEASE-p14 #4: Tue Aug 28 23:46:59 EDT 2001 [EMAIL PROTECTED]:/usr/src/sys/compile/HEERSNAT i386
waterloo.heers.on.ca# gifconfig -a
gif0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1280
        inet 10.0.2.130 --> 10.0.2.2 netmask 0xffffffff
        physical address inet 209.167.75.123 --> 209.167.75.124
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
        physical address -->
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
        physical address -->
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
        physical address -->
gif4: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
        physical address -->
gif5: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
        physical address -->
waterloo.heers.on.ca# ifconfig -a
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:50:ba:56:16:3c
        media: autoselect (none) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.2.129 netmask 0xfffffff0 broadcast 10.0.2.143
        ether 00:50:ba:56:16:37
        media: autoselect (100baseTX <full-duplex>) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
gif0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1280
        inet 10.0.2.130 --> 10.0.2.2 netmask 0xffffffff
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif4: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif5: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> mtu 1492
        inet 209.167.75.123 --> 171.68.187.1 netmask 0xffffff00
        Opened by PID 158
tun1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
waterloo.heers.on.ca# netstat -rnal -f inet
Routing tables
Internet:
Destination        Gateway            Flags    Refs     Use  Netif Expire
default            171.68.187.1       UGSc        7   34558   tun0
10.0.2/26          10.0.2.2           UGSc        1    8521   gif0
10.0.2.2           10.0.2.130         UH          1      10   gif0
10.0.2.128/28      link#2             UC          0       0    rl1 =>
10.0.2.129         0:50:ba:56:16:37   UHLW        0      22    lo0
10.0.2.137         0:40:5:df:5a:25    UHLW        0     116    rl1    415
10.0.2.138         0:40:5:df:37:97    UHLW        0       2    rl1   1042
10.0.2.139         0:40:5:de:b5:4c    UHLW        2    7488    rl1    348
65.93.38.74        171.68.187.1       UGHW        2   34726   tun0
127.0.0.1          127.0.0.1          UH          0      12    lo0
171.68.187.1       209.167.75.123     UH          4       0   tun0
207.139.193.66     171.68.187.1       UGHW3       0   34560   tun0   3568
209.167.75.124     171.68.187.1       UGHW        1   34558   tun0
waterloo.heers.on.ca# ping 10.0.2.2
PING 10.0.2.2 (10.0.2.2): 56 data bytes
^C
--- 10.0.2.2 ping statistics ---
15 packets transmitted, 0 packets received, 100% packet loss
waterloo.heers.on.ca# ping 10.0.2.130
PING 10.0.2.130 (10.0.2.130): 56 data bytes
ping: sendto: Host is down
ping: sendto: Host is down
ping: sendto: Host is down
ping: sendto: Host is down
ping: sendto: Host is down
ping: sendto: Host is down
^C
--- 10.0.2.130 ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss
waterloo.heers.on.ca# ping 10.0.2.1
PING 10.0.2.1 (10.0.2.1): 56 data bytes
^C
--- 10.0.2.1 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss
waterloo.heers.on.ca# ping 10.0.2.9
PING 10.0.2.9 (10.0.2.9): 56 data bytes
^C
--- 10.0.2.9 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss
waterloo.heers.on.ca# exit
waterloo.heers.on.ca# netstat -p ipsec
ipsec:
        6913 inbound packets processed successfully
        34 inbound packets violated process security policy
        0 inbound packets with no SA available
        0 invalid inbound packets
        0 inbound packets failed due to insufficient memory
        0 inbound packets failed getting SPI
        0 inbound packets failed on AH replay check
        0 inbound packets failed on ESP replay check
        0 inbound packets considered authentic
        0 inbound packets failed on authentication
        ESP input histogram:
                simple: 6913
        8575 outbound packets processed successfully
        0 outbound packets violated process security policy
        0 outbound packets with no SA available
        0 invalid outbound packets
        0 outbound packets failed due to insufficient memory
        0 outbound packets with no route
        ESP output histogram:
                simple: 8575
waterloo.heers.on.ca# setkey -D
10.0.2.0/26[any] 10.0.2.128/28[any] any
        in ipsec
        esp/tunnel/209.167.75.124-209.167.75.123/require
        spid=5 seq=1 pid=3802
        refcnt=1
10.0.2.128/28[any] 10.0.2.0/26[any] any
        out ipsec
        esp/tunnel/209.167.75.123-209.167.75.124/require
        spid=6 seq=0 pid=3802
        refcnt=1
waterloo.heers.on.ca# setkey -DP
209.167.75.123 209.167.75.124
        esp mode=any spi=1001(0x000003e9) reqid=0(0x00000000)
        E: null
        replay=0 flags=0x00000040 state=mature seq=1 pid=3803
        created: Sep 4 18:04:50 2001 current: Sep 6 17:09:55 2001
        diff: 169505(s) hard: 0(s) soft: 0(s)
        last: Sep 6 17:08:14 2001 hard: 0(s) soft: 0(s)
        current: 986988(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 13608 hard: 0 soft: 0
        refcnt=2
209.167.75.124 209.167.75.123
        esp mode=any spi=1000(0x000003e8) reqid=0(0x00000000)
        E: null
        replay=0 flags=0x00000040 state=mature seq=0 pid=3803
        created: Sep 4 18:04:50 2001 current: Sep 6 17:09:55 2001
        diff: 169505(s) hard: 0(s) soft: 0(s)
        last: Sep 6 17:08:14 2001 hard: 0(s) soft: 0(s)
        current: 2078652(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 10772 hard: 0 soft: 0
        refcnt=1
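
Two checks a reviewer would run against the dumps in the message above, written here as an added example; this is not code from the mail, from the KAME project or from FreeBSD. The first is a longest-prefix lookup over the posted routing table for each address that was pinged, which reports the interface the kernel would send each probe out of and whether it first has to resolve the destination with ARP (a cloning 'C' route with a link#N gateway). Run on the table above, it shows that the local gif0 address 10.0.2.130 has no host route and falls under the 10.0.2.128/28 route on rl1, so the kernel tries to ARP for it on the Ethernet side. The second parses the SA list printed above (the dump under 'setkey -DP') and flags each ESP SA whose cipher is 'E: null', which has no 'A:' authenticator line and whose anti-replay window is 'replay=0': such an SA encapsulates traffic but gives it no confidentiality, integrity or replay protection. Both input strings are copied from the output on this page; the parsers assume the field order that output shows.

```python
"""Route lookup and SA audit over the netstat/setkey dumps posted above.
Added example, not part of the original mail; inputs are copied from the page."""
import ipaddress
import re

# Body of `netstat -rnal -f inet` as posted: Destination Gateway Flags Refs Use Netif [Expire]
ROUTES_TEXT = """\
default 171.68.187.1 UGSc 7 34558 tun0
10.0.2/26 10.0.2.2 UGSc 1 8521 gif0
10.0.2.2 10.0.2.130 UH 1 10 gif0
10.0.2.128/28 link#2 UC 0 0 rl1 =>
10.0.2.129 0:50:ba:56:16:37 UHLW 0 22 lo0
10.0.2.137 0:40:5:df:5a:25 UHLW 0 116 rl1 415
10.0.2.138 0:40:5:df:37:97 UHLW 0 2 rl1 1042
10.0.2.139 0:40:5:de:b5:4c UHLW 2 7488 rl1 348
65.93.38.74 171.68.187.1 UGHW 2 34726 tun0
127.0.0.1 127.0.0.1 UH 0 12 lo0
171.68.187.1 209.167.75.123 UH 4 0 tun0
207.139.193.66 171.68.187.1 UGHW3 0 34560 tun0 3568
209.167.75.124 171.68.187.1 UGHW 1 34558 tun0
"""

# The SA list as posted (the dump under `setkey -DP`), lifetime lines dropped.
SAD_TEXT = """\
209.167.75.123 209.167.75.124
        esp mode=any spi=1001(0x000003e9) reqid=0(0x00000000)
        E: null
        replay=0 flags=0x00000040 state=mature seq=1 pid=3803
209.167.75.124 209.167.75.123
        esp mode=any spi=1000(0x000003e8) reqid=0(0x00000000)
        E: null
        replay=0 flags=0x00000040 state=mature seq=0 pid=3803
"""


def _dest_to_network(dest):
    """netstat abbreviates: 'default' is 0/0 and '10.0.2/26' drops trailing zero octets."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)


def parse_routes(text):
    routes = []
    for line in text.splitlines():
        f = line.split()
        routes.append({"net": _dest_to_network(f[0]), "gw": f[1], "flags": f[2], "netif": f[5]})
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns (netif, gateway, needs_arp).
    needs_arp is True for a cloning interface route ('C' flag, link#N gateway):
    the kernel must get an ARP reply for dst on that interface before sending."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r["net"]), key=lambda r: r["net"].prefixlen)
    needs_arp = "C" in best["flags"] and best["gw"].startswith("link#")
    return best["netif"], best["gw"], needs_arp


def audit_sad(text):
    """One finding per SA.  setkey prints 'E: <alg>' for the ESP cipher,
    'A: <alg>' for the authenticator and 'replay=<n>' for the anti-replay window;
    E: null with no A: line and replay=0 is plaintext with no integrity check."""
    findings, sa = [], None
    for line in text.splitlines():
        line = line.strip()
        hdr = re.fullmatch(r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)", line)
        if hdr:  # "src dst" header line starts a new SA
            sa = {"src": hdr[1], "dst": hdr[2], "spi": None, "enc": None, "auth": None, "replay": 0}
            findings.append(sa)
            continue
        m = re.search(r"\bspi=(\d+)", line)
        if m:
            sa["spi"] = int(m[1])
        m = re.search(r"\breplay=(\d+)", line)
        if m:
            sa["replay"] = int(m[1])
        if line.startswith("E: "):
            sa["enc"] = line.split()[1]
        elif line.startswith("A: "):
            sa["auth"] = line.split()[1]
    for sa in findings:
        sa["confidential"] = sa["enc"] not in (None, "null")
        sa["authenticated"] = sa["auth"] is not None
        sa["anti_replay"] = sa["replay"] > 0
    return findings


if __name__ == "__main__":
    routes = parse_routes(ROUTES_TEXT)
    for target in ("10.0.2.2", "10.0.2.130", "10.0.2.1", "10.0.2.9"):
        netif, gw, arp = lookup(routes, target)
        print(f"{target:12} -> {netif:5} via {gw:18}{' (ARP needed first)' if arp else ''}")
    for sa in audit_sad(SAD_TEXT):
        print(f"SA spi={sa['spi']} {sa['src']}->{sa['dst']}: enc={sa['enc']} auth={sa['auth']} "
              f"confidential={sa['confidential']} authenticated={sa['authenticated']} "
              f"anti_replay={sa['anti_replay']}")
```

The route lookup deliberately ignores the 'Refs', 'Use' and 'Expire' columns and the trailing '=>' marker on the cloning route; only destination, gateway, flags and interface matter for the question asked. The audit treats any cipher other than 'null' as providing confidentiality, so it will not catch a weak but non-null cipher; extending it with a list of acceptable algorithm names is the obvious next step.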