Wednesday, August 22, 2018

Troubleshooting IPSec routing issue when you only control one side

I'm sure this is familiar to some of you - we establish IPSec tunnels with various clients, and often have only limited visibility into what their configurations are.

The issue I am experiencing right now is this - we are establishing the tunnel from our CentOS host, which is behind an iptables firewall with a static NAT. I can bring up the tunnel and it starts as expected, ipsec auto --status looks good and the other side also sees that it is established. I can send a ping to the remote host and a tcpdump on the firewall shows the packets going out, but I never see any replies. So far, in my experience, this has always turned out to be some sort of rule on the far side which is dropping my packets.

The wrinkle here is that the other side claims to be seeing the same thing as I am - they start a ping flood, and say they are seeing the packets go out, but I never see them.

Does anyone have any commands that they use in these types of situations for verifying that everything on my side is working as expected? I'm 99% sure it's not my side, since it's really a pretty simple setup and we have numerous other tunnels on the same box, but you never know.

Thanks for any advice!
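As an added example (not part of the original post), a small shell helper that turns the "tcpdump on the firewall" check described above into per-direction counts of ESP and IKE packets between the NATed public address and the peer, so the "packets go out, nothing comes back" symptom becomes a number rather than an impression. It assumes a tcpdump -n capture taken on the firewall's outside interface; the addresses and capture lines are constructed test values.

```sh
#!/bin/sh
# Summarise a "tcpdump -n" capture of one IPsec peer by direction.
# Usage: ipsec_direction_summary LOCAL_PUBLIC_IP PEER_IP < capture.txt
# LOCAL_PUBLIC_IP is the static-NAT address the tunnel endpoint appears as
# on the firewall's outside interface (assumed; constructed values below).
ipsec_direction_summary() {
    awk -v me="$1" -v peer="$2" '
        # strip a trailing .port from "a.b.c.d.port" (IKE uses .500, NAT-T .4500)
        function host(x, n, p) {
            n = split(x, p, "\\.")
            if (n == 5) return p[1] "." p[2] "." p[3] "." p[4]
            return x
        }
        # tcpdump -n lines look like: "<time> IP <src> > <dst>: <payload>"
        $2 == "IP" && $4 == ">" {
            src = host($3); dst = $5; sub(/:$/, "", dst); dst = host(dst)
            if      (index($0, "ESP("))   kind = "esp"
            else if (index($0, "isakmp")) kind = "ike"
            else                          kind = "other"
            if (src == me && dst == peer)      c[kind "_out"]++
            else if (src == peer && dst == me) c[kind "_in"]++
        }
        END {
            printf "esp_out=%d esp_in=%d ike_out=%d ike_in=%d\n",
                   c["esp_out"], c["esp_in"], c["ike_out"], c["ike_in"]
            # no-esp-out:     local traffic never left encrypted (policy/NAT ordering on our side)
            # esp-out-only:   peer is not answering, or its replies are lost before this capture point
            # esp-both-ways:  the tunnel carries traffic; the problem is inside it (inner routing/ACLs)
            if (c["esp_out"] == 0)     v = "no-esp-out"
            else if (c["esp_in"] == 0) v = "esp-out-only"
            else                       v = "esp-both-ways"
            print "verdict=" v
        }'
}

# Constructed sample matching the symptom in the post: IKE flows both ways,
# three echo requests leave as ESP, no ESP ever comes back from the peer.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.10.500 > 198.51.100.7.500: isakmp: phase 2/others ? inf[E]: [encrypted hash]
12:00:01.050002 IP 198.51.100.7.500 > 203.0.113.10.500: isakmp: phase 2/others ? inf[E]: [encrypted hash]
12:00:02.000003 IP 203.0.113.10 > 198.51.100.7: ESP(spi=0x0000a1b2,seq=0x1), length 132
12:00:03.000004 IP 203.0.113.10 > 198.51.100.7: ESP(spi=0x0000a1b2,seq=0x2), length 132
12:00:04.000005 IP 203.0.113.10 > 198.51.100.7: ESP(spi=0x0000a1b2,seq=0x3), length 132'

demo_summary() {
    printf '%s\n' "$SAMPLE_CAPTURE" | ipsec_direction_summary 203.0.113.10 198.51.100.7
}

demo_summary
```

Run it against a real capture with something like `tcpdump -ni eth0 -l host <peer> | ipsec_direction_summary <our_public_ip> <peer>` after the ping test; an `esp-out-only` verdict on the firewall's outside interface is the evidence to hand to the far side.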


