When I run the command ipsec auto status I get the following output:
......
172.16.255.1/32===104.131.13.155<104.131.13.155>:17/1701...41.203.65.124<41.203.65.124>===10.100.108.51/32; erouted; eroute owner: #13
.......
000 #13: "globacom-vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2243s; newest IPSEC; eroute owner; isakmp#10; idle; import:admin initiate
000 #13: "globacom-vpn" esp.e5adc724@41.203.65.124 esp.7b33a369@104.131.13.155 tun.0@41.203.65.124 tun.0@104.131.13.155 ref=0 refhim=4294901761
000 #10: "globacom-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 79407s; newest ISAKMP; lastdpd=10s(seq in:15699 out:0); idle; import:admin initiate
000
service ipsec status
IPsec running - pluto pid: 14150
pluto pid 14150
1 tunnels up
some eroutes exist
ip xfrm policy
src 172.16.255.1/32 dst 10.100.108.51/32 proto udp sport 1701
dir out priority 2080
tmpl src 104.131.13.155 dst 41.203.65.124
proto esp reqid 16405 mode tunnel
src 10.100.108.51/32 dst 172.16.255.1/32 proto udp dport 1701
dir fwd priority 2080
tmpl src 41.203.65.124 dst 104.131.13.155
proto esp reqid 16405 mode tunnel
src 10.100.108.51/32 dst 172.16.255.1/32 proto udp dport 1701
dir in priority 2080
tmpl src 41.203.65.124 dst 104.131.13.155
proto esp reqid 16405 mode tunnel
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
ping 10.100.108.51
PING 10.100.108.51 (10.100.108.51) 56(84) bytes of data.
From 104.131.13.155 icmp_seq=1 Destination Host Unreachable
From 104.131.13.155 icmp_seq=2 Destination Host Unreachable
From 104.131.13.155 icmp_seq=3 Destination Host Unreachable
What am I doing wrong?
Best Answer
Finally fixed this issue.
Here's what I did:
In the ipsec.conf file, I had to comment out the leftprotoport which was set to
This essentially limits the vpn connection to L2TP using UDP port 1701. Checking ip xfrm policy shows that the source and dest ports were set to 1701. This means I could not send any traffic via TCP. The only traffic allowed was from UDP port 1701.
I noticed there were some UDP checksum errors when I ran a tcpdump on eth0. Apparently this was a result of Debian being set to use hardware TCP/UDP checksum offloading. The following commands disabled it.
Now when I run a traceroute to the remote host/network I see only one hop as against 11 when the wrong ipsec policy was configured. I also see ESP(spi=0XXXX, seq=xxxx) packets as part of the output from tcpdump to the remote host while sending traffic in the form of a ping/telnet.