Ipsec tunnel up, but no ping possible

ipsec
v7

(Andreas Schloegl) #1

NethServer Version: NethServer release 7.3.1611 (Final)

I have set up a tunnel, but I can’t ping the other tunnel end (from any side). I’m not sure what is missing here. See the main config:

I have played around with different rules, but nothing:

and the routing table:

  • Is a GW missing for 10.140.1.0 in routing table?
  • There is no log info in /var/log/firewall.log about packets dropped for these relevant IPs!
  • My FW on the other end of the tunnel does show outgoing traffic over the tunnel if I ping from the 10.140.1.0 network, but no response.

Please help to identify this issue! Thanks!
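The symptom above (packets leave over the tunnel, nothing comes back, nothing in the firewall log) is visible in the kernel's per-SA counters. The following is an added example, not code from the thread or from NethServer: it parses `ip -s xfrm state` output and reports whether the tunnel carries traffic in both directions. The sample output and the addresses 203.0.113.10 / 198.51.100.20 are constructed.

```shell
#!/bin/sh
# Added example: detect one-way IPsec traffic from SA packet counters.
# With policy-based IPsec the main routing table typically carries no
# entry for the remote subnet; `ip xfrm policy` shows the selectors
# instead, so a "missing" route by itself is not the fault.

# Constructed sample in the layout printed by iproute2 `ip -s xfrm state`.
SAMPLE='src 203.0.113.10 dst 198.51.100.20
	proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
	replay-window 0 flag af-unspec
	lifetime current:
	  1472(bytes), 16(packets)
src 198.51.100.20 dst 203.0.113.10
	proto esp spi 0x4e5f6071 reqid 1 mode tunnel
	replay-window 0 flag af-unspec
	lifetime current:
	  0(bytes), 0(packets)'

# Read `ip -s xfrm state` text on stdin; print "<src> <dst> <spi> <packets>"
# per SA. The packet count comes from the "lifetime current:" block.
sa_counters() {
    awk '
        $1 == "src"   { src = $2; dst = $4 }
        $1 == "proto" { spi = $4 }
        /\(packets\)/ { pk = $2; sub(/\(packets\)/, "", pk); print src, dst, spi, pk }'
}

# $1 = this firewall's red (public) IP. Sums outbound SAs (src == me) and
# inbound SAs (dst == me) and prints: no-traffic | one-way | bidirectional.
tunnel_verdict() {
    sa_counters | awk -v me="$1" '
        $1 == me { out += $4 }
        $2 == me { in_ += $4 }
        END {
            if (out == 0 && in_ == 0)      print "no-traffic"
            else if (out == 0 || in_ == 0) print "one-way"
            else                           print "bidirectional"
        }'
}

# Live use:  ip -s xfrm state | tunnel_verdict <red IP>
# Against the constructed sample this prints "one-way": our ESP packets
# leave, the peer never sends any back (or they never reach us).
printf '%s\n' "$SAMPLE" | tunnel_verdict 203.0.113.10
```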


(Michael Kicks) #2

I have no firewall rules, but both endpoints of VPN (NethServer and Zyxel USG20) can ping.

The other endpoint’s rules allow communications?


(Andreas Schloegl) #3

My other endpoint is a draytek vigor 2620 FW with several other VPN lines active. So I’m sure it should work. Usually when you set up a tunnel you don’t need any FW rules to make a ping happen to just the FW IP itself - as you said.

Can you see a GW for your remote network when you list your routes on NS?


(Michael Kicks) #4

The highlighted one is the remote network of the IPsec tunnel.
enp4s5 is red (one network adapter), enp3s0 is green, enp2s0 is blue.

Quite strange your eth adapters are labelled in that way…


(Andreas Schloegl) #5

Thanks for your fast reply. Looks like you don't have eth adapters at all. This I have seen before on other machines when specific HW is used. Mine is running under Proxmox - so eth.

Anyway, it looks the same. Your default GW is enp4s5 = your external interface = red zone. Same on mine (eth0).


(Michael Kicks) #6

It's a way of labelling network adapters known as "Predictable Network Interface Device Names".


(Andreas Schloegl) #7

Question: Which side starts the tunnel? Your NS7 or the other endpoint? For me it is NS7; the other way around I had problems - could not make it run.


(Michael Kicks) #8

NS7 always starts tunnels, these cannot be configured differently at this time.


(Andreas Schloegl) #9

I could now solve my problem:
Setting 'enabled compression' in the IPsec configuration on NS7 made the data stop flowing, even though the tunnel came up without problems.

Thanks for your help - your input was great to verify that my settings made sense - at least most of them :)


(Michael Kicks) #10

As with other settings, compression has to be enabled on both sides of the tunnel.
And this led me to a question: @dev_team is it correct that the tunnel seems connected if the compression settings do not match on both sides?


(Andreas Schloegl) #11

The Vigor DrayTek 2960 does not have specific settings for compression on IPsec! I was surprised that the tunnel could be built then.


(Francenildo) #12

Ipsec tunnel up, but no ping possible, I have this same problem.


(Francenildo) #13

Solved.

I solved my problem by restarting both firewalls. After that everything worked.