Hi Marsha! On 25 Jun 2001, at 15:57, Marsha Wilson wrote:
> have NO problems. However, whenever I make a connection over @Home I can only
> make the tunnel connection. No data is passed. I can't even ping an internal
> IP address. According to my VPN manufacturer it sounds like ports ESP 50 and
> AH 51 are being blocked. I am sure @Home is blocking a port, even though they
> thoroughly deny it. I am sure there is a work around but I have no clue what
> it is. F.Y.I. my firewall is an IPSEC/IKE compliant firewall.

I know there are some ISPs which block the ESP protocol for whatever reason. But maybe the firewall rules on your server or on the opposite client are the reason for the problem; sometimes the rules for the virtual VPN interfaces (ipsec0 ...) are forgotten.

You can make a simple check with tcpdump on your external interface to see if ESP is transmitted, e.g.:

    gate.bdw:~# tcpdump -i eth1 proto esp
    tcpdump: listening on eth1
    23:57:24.697027 gate.bdw > gate.bdf: ip-proto-50 92
    23:57:24.777582 gate.bdf > gate.bdw: ip-proto-50 76
    23:57:24.778159 gate.bdw > gate.bdf: ip-proto-50 76
    [...]

This shows there is ESP traffic on the interface, so there should be IPSEC payload (if the traffic goes in both directions). If you have no traffic, check as a first step that there are no filter rules on your Linux boxes (ipchains -L) or on your access routers.

If you see ESP traffic you can check again with tcpdump whether there is traffic on your VPN interface:

    gate.bdw:~# tcpdump -i ipsec0
    tcpdump: listening on ipsec0
    00:01:08.620186 nbdf.4180 > nbdw.notes: S 335511813:335511813(0) win 16220 <mss 16220,sackOK,timestamp 807576862[|tcp]> (DF)
    00:01:08.620962 nbdw.notes > nbdf.4180: S 41295562:41295562(0) ack 335511814 win 8760 <mss 1460> (DF)
    00:01:08.705951 nbdf.4180 > nbdw.notes: . ack 1 win 16220 (DF)
    00:01:08.706342 nbdf.4180 > nbdw.notes: F 1:1(0) ack 1 win 16220 (DF)
    00:01:08.706906 nbdw.notes > nbdf.4180: . ack 2 win 8760 (DF)
    [...]

This shows some Notes traffic on the VPN.

BTW, I use FreeS/WAN (www.freeswan.org) for Linux-based IPSEC VPNs.
bye
Josef

--
BERGMANN engineering & consulting
http://bec.at/
Reason, too late perhaps, may convince you of the folly of misspending time. - George Washington
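The first check in the reply turns on whether ESP shows up in both directions on the external interface: outbound-only ESP points at something between the two gateways (or the peer's own filter rules) dropping protocol 50, while no ESP at all points at local filter rules or a tunnel that never came up. The following is an added example, not part of Josef's mail or of FreeS/WAN, that parses saved tcpdump output in the line format quoted above (the old `ip-proto-50` style) and returns that verdict; the host names and sample capture are constructed to mirror the mail.

```python
import re
from collections import Counter

# Matches the tcpdump line format quoted in the mail, e.g.
# "23:57:24.697027 gate.bdw > gate.bdf: ip-proto-50 92"
# (assumption: older tcpdump output; newer versions print "ESP(spi=...)")
ESP_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
    r"\s+ip-proto-50\s+(?P<len>\d+)"
)


def count_esp_directions(lines, local_host):
    """Count ESP packets sent by and received by local_host."""
    counts = Counter()
    for line in lines:
        m = ESP_LINE.match(line.strip())
        if not m:
            continue  # skips "listening on ...", "[...]" and non-ESP lines
        if m.group("src") == local_host:
            counts["out"] += 1
        elif m.group("dst") == local_host:
            counts["in"] += 1
    return counts


def diagnose_esp(lines, local_host):
    """Verdict on the external-interface capture, as reasoned in the mail."""
    c = count_esp_directions(lines, local_host)
    if c["out"] and c["in"]:
        return "bidirectional"   # ESP flows both ways; look at ipsec0 next
    if c["out"]:
        return "outbound-only"   # we send, nothing returns: upstream or peer drops ESP
    if c["in"]:
        return "inbound-only"    # peer sends, we never answer: check local rules
    return "no-esp"              # tunnel not up or ESP filtered before capture point


# Constructed samples modelled on the capture in the mail (not real traffic)
SAMPLE_OK = """\
tcpdump: listening on eth1
23:57:24.697027 gate.bdw > gate.bdf: ip-proto-50 92
23:57:24.777582 gate.bdf > gate.bdw: ip-proto-50 76
23:57:24.778159 gate.bdw > gate.bdf: ip-proto-50 76
[...]""".splitlines()

SAMPLE_BLOCKED = """\
tcpdump: listening on eth1
23:58:01.100000 gate.bdw > gate.bdf: ip-proto-50 92
23:58:02.100000 gate.bdw > gate.bdf: ip-proto-50 92""".splitlines()

if __name__ == "__main__":
    print(diagnose_esp(SAMPLE_OK, "gate.bdw"))       # bidirectional
    print(diagnose_esp(SAMPLE_BLOCKED, "gate.bdw"))  # outbound-only
```

Feed it the output of `tcpdump -i <external-if> proto esp` saved to a file, with the local gateway's name as tcpdump prints it.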

