| Subject: | Re: pbs with cipe 2.2.14 <--> 2.4.4ac5 |
| From: | ewheeler,AT,kaico,DOT,com |
| Date: | Wed, 20 Jun 2001 01:55:40 +0200 |
| In-reply-to: | <3B2F055C.3070203@freealter.com> |
Ludovic --

First, do this:

    iptables -L -n 2>&1 1>> iptables.out
    iptables -L -n -t nat 2>&1 1>> iptables.nat.out
    ipchains -L -n 2>&1 1>> ipchains.out

Email me the content of those three files (iptables.out, iptables.nat.out, and ipchains.out). You will also need the content of these to resurrect your firewall rules.

Next, do this:

    iptables -F
    iptables -t nat -F
    ipchains -F

Do this on both systems and ignore whatever errors are given. This will flush all firewalling rules and MASQ/SNAT/DNAT settings. The side effect of this is that if you are using either linux box to handle MASQ/NAT the workstations on the lan won't get out until you set up the NAT stuff again.

The reason I suggest doing this is because of the size of the source port. Generally source ports are somewhere between 1024 and 5000; not all the way to 45737. This means that someone somewhere is probably mangling the source port of the packet which NAT and MASQ can and may do.

Once you've flushed ipchains (for the 2.2.x kernel) and iptables (for the 2.4.x kernel) try your connections again. ~hopefully~ all will work right. If it works fine with the tables flushed, but not with what you have in them, you may need to insert some additional firewalling rules to fix the problem. If this is the issue, I can help you with the appropriate iptables/chains rules to make everything work right!

--Eric

On Tue, 19 Jun 2001, Ludovic Drolez wrote:

> Hi!
>
> I'm currently trying to use cipe 1.5.2. I had no problems with
> compilation on a 2.4.4ac5 kernel, but, I have very strange problems on
> the 2.4.4 box:
> - the 1st ping through the vpn is ok
> - following pings do not return
> - at that moment I get this in /var/log/messages:
>
> Jun 18 18:13:53 amos kernel: cipcb0: cipe_sendmsg
> Jun 18 18:13:53 amos kernel: cipcb0: setkey
> Jun 18 18:13:53 amos kernel: cipcb0: cipe_recvmsg
> Jun 18 18:13:53 amos kernel: cipcb0: setkey
> Jun 18 18:13:53 amos kernel: cipcb0: cipe_sendmsg
> Jun 18 18:13:53 amos kernel: cipcb0: cipe_recvmsg
> Jun 18 18:13:53 amos kernel: cipcb0: setkey
> Jun 18 18:13:53 amos kernel: cipcb0: cipe_recvmsg
> Jun 18 18:13:54 amos kernel: nf_hook: hook 4 already set.
> Jun 18 18:13:54 amos kernel: skb: pf=2 (owned) dev=ppp0 len=132
> Jun 18 18:13:54 amos kernel: PROTO=17 193.253.209.63:45737 62.x.x.x:2001 L=132 S=0x00 I=9398 F=0x4000 T=64
> Jun 18 18:13:55 amos kernel: nf_hook: hook 4 already set.
> Jun 18 18:13:55 amos kernel: skb: pf=2 (owned) dev=ppp0 len=132
> Jun 18 18:13:55 amos kernel: PROTO=17 193.253.209.63:45737 62.x.x.x:2001 L=132 S=0x00 I=9399 F=0x4000 T=64
> ...
> ...
> - I wait 1 minute and then, I can do 1 ping!
>
> It seems that there are some bugs in the iptables code of 2.4.x, as 'ppp0' is in
> the logs, even though the packets go through 'cipcb0'.
> Is there some vpn software that works with 2.4.4 (I tried vpnd, and FreeS/WAN does not support 2.4.x)?
> Any clue?
>
> TIA,
>
> Ludovic Drolez.
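
The source-port check described in the reply, as an added example that is not part of the original message: a shell function that scans netfilter debug lines of the form quoted above and counts flows whose source port falls outside a given range. The 1024-5000 default is the figure given in the reply; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag packets in netfilter debug output whose source port
# falls outside the range the reply treats as normal. The defaults
# (1024-5000) are the figures from the reply and are an assumption about
# the sending host; pass its real local port range as arguments.

flag_odd_sports() {
    # usage: flag_odd_sports [low] [high] < logfile
    awk -v low="${1:-1024}" -v high="${2:-5000}" '
    {
        # Lines of interest look like: PROTO=<n> <src>:<port> <dst>:<port> ...
        for (i = 1; i < NF - 1; i++) {
            if ($i !~ /^PROTO=/) continue
            src = $(i + 1); dst = $(i + 2)
            n = split(src, s, ":")
            if (n != 2 || s[2] !~ /^[0-9]+$/) continue
            port = s[2] + 0
            if (port < low || port > high) {
                key = $i " " src " -> " dst
                if (!(key in seen)) order[++k] = key   # keep first-seen order
                seen[key]++
            }
        }
    }
    END {
        # One line per flow: <packet count> <proto> <src> -> <dst>
        for (j = 1; j <= k; j++) print seen[order[j]], order[j]
    }'
}

# Constructed sample in the format of the log lines quoted above; the last
# line (source port 2001) is invented to show a packet that is not flagged.
sample_log() {
    cat <<'EOF'
Jun 18 18:13:54 amos kernel: skb: pf=2 (owned) dev=ppp0 len=132
Jun 18 18:13:54 amos kernel: PROTO=17 193.253.209.63:45737 62.x.x.x:2001 L=132 S=0x00 I=9398 F=0x4000 T=64
Jun 18 18:13:55 amos kernel: PROTO=17 193.253.209.63:45737 62.x.x.x:2001 L=132 S=0x00 I=9399 F=0x4000 T=64
Jun 18 18:13:56 amos kernel: PROTO=17 193.253.209.63:2001 62.x.x.x:2001 L=132 S=0x00 I=9400 F=0x4000 T=64
EOF
}

sample_log | flag_odd_sports
```

Running the same function before and after flushing the rule sets shows whether the rewritten source port disappears once NAT/MASQ is out of the path.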