Ipsec tunnel up, but no ping possible

asl · July 27, 2017, 10:42am

NethServer Version: NethServer release 7.3.1611 (Final)

I have set up a tunnel, but I can’t ping the other tunnel end (from any side). I’m not sure what is missing here. See the main config:

I have played around with different rules, but nothing:

and the routing table:

Is a GW missing for 10.140.1.0 in routing table?
There is no log info in /var/log/firewall.log about packages dropped for these relevant IPs!
my FW on the other end of the tunnel does show outgoing traffic over the tunnel if I ping from 10.140.1.0 network, but no response

Pls help to identify this issue! Thanks!

pike · July 27, 2017, 2:34pm

I have no firewall rules, but both endpoints of VPN (NethServer and Zyxel USG20) can ping.

The other endpoint’s rules allow communications?

asl · July 27, 2017, 2:57pm

My other endpoint is a draytek vigor 2620 FW with several other VPN lines active. So I’m sure it should work. Usually when you set up a tunnel you don’t need any FW rules to make a ping happen to just the FW IP itself - as you said.

Can you see a GW for your remote network when you list your routes on NS?

pike · July 27, 2017, 3:08pm

The highligted one is the remote network of Ipsec tunnel.
enp4s5 is red (one network adapter) enp3s0 is green, enp2s0 is blue.

Quite strange your eth adapters are labelled in that way…

asl · July 27, 2017, 3:17pm

Thanks for you fast reply. Looks like you don’t have eth adapters at all. This I have seen before on other machines when a specific HW is used. Mine is running under proxmox - so eth.

Anyway it looks the same. Your default GW is enp4s5 = your external interface = red zone. Same on mine (eth0).

pike · July 27, 2017, 3:24pm

It’s a way for label network adapter known as “Predictable Network Interface Device Names”

asl · July 27, 2017, 3:52pm

Question: Wich side starts the tunnel? Your NS7 or other endpoint. For me it is NS7, other way around I had problems - could not make it running.

pike · July 27, 2017, 3:53pm

NS7 always starts tunnels, these cannot be configured differently at this time.

asl · July 27, 2017, 5:10pm

I now could solve my problem:
Setting ‘enabled compression’ in ipsec configuration on NS7 made the data stop flowing, even the tunnel came up without problems.

Thanks for your help - your input was great to verify, that my settings made sense - at least most of them

pike · July 27, 2017, 5:17pm

As other settings, compression has to be enabled on both sides of the tunnel.
And this lead me to a question: @dev_team is correct that the tunnel seems connected if compression setting do not match on both sides?

asl · July 27, 2017, 5:42pm

The vigor draytek 2960 does not have specific settings for compression on ipsec! I was surprised that the tunnel could be built then.

Francenildo · March 3, 2018, 11:30pm

Ipsec tunnel up, but no ping possible, I have this same problem.

Francenildo · March 4, 2018, 12:15am

Solved.

I solved my problem by restarting both firewalls. After that everything worked.