Topics - Emmanuel Andry

Troubleshooting / Peer Status Down with IPsec
« on: February 03, 2016, 10:08:22 AM »
Hi there,

I've 2 sites connected via IPsec through 2 Arkoon firewalls.
On the main site, the Wanos and the Arkoon firewall are VMware appliances.

LAN1 --> WANOS(virt) --> ArkoonFW(virt) <---------IPSEC Tunnel--------> Arkoon <-- Wanos <-- Lan2

The fact is the traffic between LANs works, QoS works, but the 2 appliances (IP 192.168.1.253 and 192.168.2.254) just don't communicate with each other.
I can ping and ssh from each peer to each other, everything works... but the encapsulation (tried both IPComp and UDP).

Example of tcpdump from the main one:
# tcpdump -i wan0 |grep IPComp
tcpdump: WARNING: wan0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wan0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:45:52.009448 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:45:52.901770 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc800)
10:45:57.009477 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:02.009487 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:04.866376 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc800)
10:46:07.009489 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:12.009502 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:32.009580 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:37.009598 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:42.009612 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:47.009631 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:52.009726 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:47:02.009771 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:47:07.009787 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:47:12.009809 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:47:17.177163 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:47:22.177053 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:47:27.177077 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
...

It seems that the IPComp packets are sent to the other peer, but there is no trace of them on the Arkoon firewall 192.168.1.254 (tcpdump is quiet on the Arkoon).

Looks like the peer knows the gateway, except when relaying encapsulation...

My logs seem fine, I don't really know where to look to fix it...

Help really needed!



