Hi, I've been experimenting a bit with IPsec and creating a VPN using it. I've been successful, but have encountered an odd issue.
I've two hosts, linking two networks:

Host A's /etc/iked.conf:

    ikev2 active esp from 172.16.0.0/16 to 172.17.0.0/16 \
        peer 174.136.104.18 psk "a-test-key"

Host B's /etc/iked.conf:

    ikev2 esp from 172.17.0.0/16 to 172.16.0.0/16 \
        peer 190.210.108.249 psk "a-test-key"

(Of course those are not the real keys.)

I can ssh 172.17.0.1 from the 172.16.0.0 network fine and vice versa. So far so good.

BUT I can't establish any TCP connection from Host A to Host B's public IP address and vice versa.

On Host A:
  Browsing to Host B's public IP (174.136.104.18) -> timeout
  SSH into Host B's public IP -> timeout
  Ping Host B -> WORKS FINE!

The same applies from Host B to Host A's public IP. I can use the tunneled IPs fine, but I'm extremely confused.

On Host B:

    $ route show | tail -n 4
    Source      Port  Destination  Port  Proto  SA(Address/Proto/Type/Direction)
    172.17/16   0     172.16/16    0     0      elysion/esp/use/in
    172.16/16   0     172.17/16    0     0      elysion/esp/require/out
    default     0     default      0     0      none/esp/deny/out

Nothing out of the ordinary here.
    $ traceroute 174.136.104.18
    traceroute to 174.136.104.18 (174.136.104.18), 64 hops max, 40 byte packets
     1  customer-static-210-108-250.iplannetworks.net (190.210.108.250)  8.591 ms  10.107 ms  7.692 ms
     2  190.210.123.62 (190.210.123.62)  6.183 ms  *  6.718 ms
     3  customer-static-210-110-122.iplannetworks.net (190.210.110.122)  8.996 ms  7.389 ms  7.337 ms
     4  customer-static-210-110-49.iplannetworks.net (190.210.110.49)  6.671 ms  8.518 ms  6.204 ms
     5  * customer-static-210-110-66.iplannetworks.net (190.210.110.66)  23.352 ms  10.508 ms
     6  TenGigabitEthernet8-3.ar1.EZE1.gblx.net (64.208.7.69)  30.538 ms  30.391 ms  61.912 ms
     7  po6-50G.ar4.LAX1.gblx.net (67.16.129.202)  205.788 ms  177.384 ms  189.306 ms
     8  PCCW-GLOBAL-INC.TenGigabitEthernet8-1.1200.ar4.LAX1.gblx.net (64.211.83.226)  195.701 ms  202.521 ms  196.462 ms
     9  63-218-212-14.static.pccwglobal.net (63.218.212.14)  206.704 ms  197.595 ms  194.974 ms
    10  cxa.r6.lax2.trit.net (208.75.88.19)  201.47 ms  211.301 ms  208.998 ms
    11  arpnetworks-lax2-gw.cust.trit.net (208.90.34.74)  214.97 ms  254.919 ms  244.190 ms
    12  elysion (174.136.104.18)  202.300 ms  198.401 ms  261.721 ms

Much like ping, traceroute works fine, which confuses me even further. I'm probably missing something - but what?

-- 
Hugo Osvaldo Barrera
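As an added example (not part of the original post or of iked itself), a small Python checker that parses the two quoted iked.conf rules, reports whether the two ends of the site-to-site tunnel mirror each other, and answers whether a given source/destination pair falls inside a rule's from/to selectors, i.e. whether that traffic is something the rule would protect with ESP at all. It only understands the subset of iked.conf(5) syntax used in the post; `parse_policy`, `covers` and `check_pair` are the example's own names.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed input: the two rules quoted in the post, written with the
# backslash line continuation exactly as they would appear in the file.
HOST_A_CONF = '''ikev2 active esp from 172.16.0.0/16 to 172.17.0.0/16 \\
    peer 174.136.104.18 psk "a-test-key"
'''
HOST_B_CONF = '''ikev2 esp from 172.17.0.0/16 to 172.16.0.0/16 \\
    peer 190.210.108.249 psk "a-test-key"
'''

@dataclass
class Policy:
    active: bool                 # "active" mode: this side initiates the IKE exchange
    src: ipaddress.IPv4Network   # "from" traffic selector
    dst: ipaddress.IPv4Network   # "to" traffic selector
    peer: str                    # remote gateway address
    psk: str                     # pre-shared key (must match on both ends)

# Assumption: only the grammar subset used in the post (mode, esp, from/to, peer, psk).
RULE = re.compile(r'^ikev2\s+(?P<active>active\s+)?(?:passive\s+)?esp\s+from\s+(?P<src>\S+)'
                  r'\s+to\s+(?P<dst>\S+)\s+peer\s+(?P<peer>\S+)\s+psk\s+"(?P<psk>[^"]*)"')

def parse_policy(conf):
    """Parse a single ikev2 rule, joining backslash-continued lines first."""
    text = " ".join(conf.replace("\\\n", " ").split())
    m = RULE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    return Policy(bool(m.group("active")), ipaddress.ip_network(m.group("src")),
                  ipaddress.ip_network(m.group("dst")), m.group("peer"), m.group("psk"))

def covers(policy, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip lies inside the rule's from/to selectors."""
    return (ipaddress.ip_address(src_ip) in policy.src
            and ipaddress.ip_address(dst_ip) in policy.dst)

def check_pair(a, b):
    """Compare the two ends of a tunnel; returns mismatch descriptions (empty list = consistent)."""
    problems = []
    if a.src != b.dst or a.dst != b.src:
        problems.append("from/to selectors are not mirror images of each other")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    if not (a.active or b.active):
        problems.append("neither side is active, so nobody initiates the SA")
    return problems

if __name__ == "__main__":
    a, b = parse_policy(HOST_A_CONF), parse_policy(HOST_B_CONF)
    print("mismatches:", check_pair(a, b) or "none")
    print("public-to-public covered by A's rule:", covers(a, "190.210.108.249", "174.136.104.18"))
```

Running it on the post's two rules shows they are consistent and that only traffic between the two private /16s is selected by them.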