22nd September 2009
wesley
no_traffic:single ??

Hello,

VPN is mounted but there's no traffic.
As a reminder:
Code:
Factory ip : 22.22.22.22 
factory lan : 10.0.0.0/8 --> biNAT--> 192.168.191.0
Our ip : 11.11.11.11
Our lan : 10.0.0.0/24 --> biNAT --> 192.168.192.0
our ftp : 10.0.0.115 --> biNAT --> 192.168.192.115
our OpenBSD Firewall : 10.0.0.113 (ftpproxy) -->biNAT--> 192.168.192.113

In /var/log/daemon and messages, there's no error, so I think that the error comes from my pf.conf file.

You will find my pf.conf and ipsec.conf files attached.

pfctl -s states ::
Code:
all tcp 10.0.0.114:25 (11.11.11.11:25) <- 193.253.100.193:1311       ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1311 -> 10.0.0.114:25       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:25 (11.11.11.11:25) <- 193.253.100.193:1316       ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1316 -> 10.0.0.114:25       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:110 (11.11.11.11:110) <- 193.253.100.193:1320       ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1320 -> 10.0.0.114:110       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:25 (11.11.11.11:25) <- 193.253.100.193:1328       ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1328 -> 10.0.0.114:25       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:110 (11.11.11.11:110) <- 193.253.99.118:2600       FIN_WAIT_2:FIN_WAIT_2
all tcp 193.253.99.118:2600 -> 10.0.0.114:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.114:110 (11.11.11.11:110) <- 193.253.99.118:2979       FIN_WAIT_2:FIN_WAIT_2
all tcp 193.253.99.118:2979 -> 10.0.0.114:110       FIN_WAIT_2:FIN_WAIT_2
all esp 11.11.11.11 <- 22.22.22.22       NO_TRAFFIC:SINGLE

tcpdump -nettti pflog0 ::
Code:
Sep 22 09:10:15.348127 rule 0/(match) block in on bge0: 192.168.0.13.138 > 192.168.0.255.138: udp 201
Sep 22 09:10:16.268114 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:16.270094 rule 0/(match) block out on rl0: 192.168.191.254.5558 > 192.168.192.115.21: S 3008802303:3008802303(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:19.442729 rule 0/(match) block out on rl0: 192.168.191.254.5558 > 192.168.192.115.21: S 3008802303:3008802303(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:19.442782 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:21.744797 rule 0/(match) block in on bge0: 10.0.0.114.138 > 10.0.0.255.138: udp 204
Sep 22 09:10:26.004802 rule 0/(match) block out on rl0: 192.168.191.254.5558 > 192.168.192.115.21: S 3008802303:3008802303(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:26.004856 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:55.980627 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:55.987199 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.055641 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.132420 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.177171 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.347699 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:11:00.759127 rule 0/(match) block in on bge0: 192.168.0.92.138 > 192.168.0.255.138: udp 201
Sep 22 09:11:09.724487 rule 0/(match) block out on rl0: 192.168.191.254.22124 > 192.168.192.113.21: S 4242417665:4242417665(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:09.724542 rule 0/(match) block out on rl0: 192.168.191.254.12443 > 192.168.192.115.21: S 916436565:916436565(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:11.743450 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:12.925128 rule 0/(match) block out on rl0: 192.168.191.254.22124 > 192.168.192.113.21: S 4242417665:4242417665(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:12.927137 rule 0/(match) block out on rl0: 192.168.191.254.12443 > 192.168.192.115.21: S 916436565:916436565(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:13.743026 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:13.743317 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:15.742900 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:15.743629 rule 0/(match) block in on bge0: 10.0.0.115.138 > 10.0.0.255.138: udp 183 (DF)
Sep 22 09:11:19.487204 rule 0/(match) block out on rl0: 192.168.191.254.22124 > 192.168.192.113.21: S 4242417665:4242417665(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:19.489208 rule 0/(match) block out on rl0: 192.168.191.254.12443 > 192.168.192.115.21: S 916436565:916436565(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:02.397661 rule 0/(match) block out on rl0: 192.168.191.254.20978 > 192.168.192.113.21: S 313707294:313707294(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:02.399746 rule 0/(match) block out on rl0: 192.168.191.254.21081 > 192.168.192.115.21: S 32318798:32318798(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:05.642545 rule 0/(match) block out on rl0: 192.168.191.254.20978 > 192.168.192.113.21: S 313707294:313707294(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:05.644562 rule 0/(match) block out on rl0: 192.168.191.254.21081 > 192.168.192.115.21: S 32318798:32318798(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

tcpdump -i enc0 ::
Code:
09:04:06.296541 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.22139 > 192.168.192.113.ftp: S 3367012579:3367012579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:06.296601 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.17868 > 192.168.192.115.ftp: S 2687060267:2687060267(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:09.541372 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.22139 > 192.168.192.113.ftp: S 3367012579:3367012579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:09.543372 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.17868 > 192.168.192.115.ftp: S 2687060267:2687060267(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:16.103470 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.22139 > 192.168.192.113.ftp: S 3367012579:3367012579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:16.103526 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.17868 > 192.168.192.115.ftp: S 2687060267:2687060267(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:59.771111 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.28703 > 192.168.192.113.ftp: S 3433315986:3433315986(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:59.772896 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.27475 > 192.168.192.115.ftp: S 647084916:647084916(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:03.025847 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.28703 > 192.168.192.113.ftp: S 3433315986:3433315986(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:03.025899 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.27475 > 192.168.192.115.ftp: S 647084916:647084916(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:09.587923 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.28703 > 192.168.192.113.ftp: S 3433315986:3433315986(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:09.587980 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.27475 > 192.168.192.115.ftp: S 647084916:647084916(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:52.420076 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.31644 > 192.168.192.113.ftp: S 3932100714:3932100714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:52.420132 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.22769 > 192.168.192.115.ftp: S 1761837725:1761837725(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:55.632782 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.31644 > 192.168.192.113.ftp: S 3932100714:3932100714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:55.634783 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.22769 > 192.168.192.115.ftp: S 1761837725:1761837725(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:02.196911 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.31644 > 192.168.192.113.ftp: S 3932100714:3932100714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:02.196973 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.22769 > 192.168.192.115.ftp: S 1761837725:1761837725(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:45.908543 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.21483 > 192.168.192.113.ftp: S 592730350:592730350(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:45.908595 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.10421 > 192.168.192.115.ftp: S 1560911767:1560911767(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:49.117237 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.21483 > 192.168.192.113.ftp: S 592730350:592730350(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:49.119247 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.10421 > 192.168.192.115.ftp: S 1560911767:1560911767(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:55.679310 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.21483 > 192.168.192.113.ftp: S 592730350:592730350(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

If someone can help me please ...
Attached Files
File Type: conf pf.conf (1.3 KB, 65 views)
File Type: conf ipsec.conf (203 Bytes, 66 views)

Last edited by Carpetsmoker; 22nd September 2009 at 09:32 AM. Reason: Add [code] tags
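Added example (not part of wesley's post): a small Python script that cross-checks the two captures, counting pflog block entries whose source, destination and destination port also appear in the decrypted enc0 traffic. The sample lines are constructed by shortening lines quoted in the post; the function names and the SERVICES map are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: shortened copies of lines from the two captures in the post.
PFLOG = """\
Sep 22 09:10:15.348127 rule 0/(match) block in on bge0: 192.168.0.13.138 > 192.168.0.255.138: udp 201
Sep 22 09:10:16.268114 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384
Sep 22 09:10:16.270094 rule 0/(match) block out on rl0: 192.168.191.254.5558 > 192.168.192.115.21: S 3008802303:3008802303(0) win 16384
Sep 22 09:10:55.980627 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
"""
ENC0 = """\
09:04:06.296541 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.22139 > 192.168.192.113.ftp: S 3367012579:3367012579(0) win 16384 (encap)
09:04:06.296601 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.17868 > 192.168.192.115.ftp: S 2687060267:2687060267(0) win 16384 (encap)
"""

# The enc0 capture was taken without -n, so ports show as service names.
SERVICES = {"ftp": 21}  # assumption: only the names that occur in the sample
ENDPOINTS = r"(\d+\.\d+\.\d+\.\d+)\.\w+ > (\d+\.\d+\.\d+\.\d+)\.(\w+):"
PFLOG_RE = re.compile(r"rule (\d+)/\(match\) (block|pass) (in|out) on (\w+): " + ENDPOINTS)
ENC_RE = re.compile(r"SPI (0x[0-9a-f]+): " + ENDPOINTS)

def port(tok):
    """Normalise a numeric or named port token to an int where possible."""
    return int(tok) if tok.isdigit() else SERVICES.get(tok, tok)

def tunnel_flows(enc_text):
    """(src, dst, dport) of every packet seen decrypted on enc0."""
    return {(m[2], m[3], port(m[4])) for m in ENC_RE.finditer(enc_text)}

def blocked_tunnel_flows(pflog_text, enc_text):
    """Count pflog 'block' entries whose flow was also seen on enc0.

    Keys are (rule, direction, interface, src, dst, dport). Source ports are
    ignored because the two captures were taken at different times.
    """
    seen = tunnel_flows(enc_text)
    hits = Counter()
    for m in PFLOG_RE.finditer(pflog_text):
        rule, action, direction, ifname, src, dst, dport = m.groups()
        flow = (src, dst, port(dport))
        if action == "block" and flow in seen:
            hits[(int(rule), direction, ifname) + flow] += 1
    return hits

if __name__ == "__main__":
    for key, n in sorted(blocked_tunnel_flows(PFLOG, ENC0).items()):
        print(n, key)
```

Lines without a port pair, such as the igmp entries, do not match the pattern and are skipped.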