Adrian Chapela wrote:

Simon Hobson wrote:

Adrian Chapela wrote:

No, go back and read again. The inbound encapsulated packet could not be delivered, therefore a destination unreachable reply was sent back in response. It was not the tunnelled packet that couldn't be delivered, it was the encapsulating packet. More below ...

Yes, I know... but why can't I see the ICMP packets going through the tunnel interface?? I see a GRE packet -->

12:56:16.397645 IP 77.209.87.193 > semsor10.local: GREv0, length 88: IP 172.16.1.2 > 172.16.1.1: ICMP echo request, id 63499, seq 151, length 64

This is an encapsulated packet of a ping from 172.16.1.2 to 172.16.1.1 and this is the response:

12:56:16.397802 IP semsor10.local > 77.209.87.193: ICMP semsor10.local protocol 47 port 2048 unreachable, length 116

This is the problem... Why is the eth0 responding an answer to another interface??

It isn't! Interfaces do not "respond to another interface" - they only send packets given them by the protocol stacks above. 77.209.87.193 is not flagged as being at the other end of tunnel0, therefore it is routed via eth0 - and if you look, it is NOT a response to the ping, it is a "destination unreachable" response to the encapsulated packet.

Yes, but this "destination unreachable" isn't encapsulated in a GRE packet and it is generating (I think...) on the eth0.

This is the encapsulating packet:

12:56:16.397645 IP 77.209.87.193 > semsor10.local: GREv0, length 88: IP 172.16.1.2 > 172.16.1.1: ICMP echo request, id 63499, seq 151, length 64

This is the response:

12:56:16.397802 IP semsor10.local > 77.209.87.193: ICMP semsor10.local protocol 47 port 2048 unreachable, length 116

OK, I think I read some wrong... Now, after your explanation I think you are right, the encapsulating packet couldn't be delivered... now the answer is why??

The encapsulating packet is received in eth0, because my router is sending all traffic there... but why isn't this interface forwarding this packet to the right interface? I have ip_forward set to 1, I don't understand...

Look at your log. I suspect that you haven't defined tunnel0 and the remote subnet properly to Shorewall and that the ping request is getting rejected.

Once again: http://www.shorewall.net/IPIP.htm gives explicit instructions for configuring IPIP and GRE tunnels in Shorewall.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
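
An added example, not part of the original thread: a small Python script that pairs each GRE packet in tcpdump text output with an unencapsulated ICMP "protocol 47 unreachable" sent back to its sender, the pattern discussed in the message above. The sample input reuses the two capture lines from the thread plus one constructed line; the function name `rejected_gre` and the one-second matching window are assumptions.

```python
import re
from datetime import datetime, timedelta

# The two tcpdump lines quoted in the thread, plus one constructed GRE packet
# (from 192.0.2.7) that drew no ICMP error, for contrast.
SAMPLE = """\
12:56:16.397645 IP 77.209.87.193 > semsor10.local: GREv0, length 88: IP 172.16.1.2 > 172.16.1.1: ICMP echo request, id 63499, seq 151, length 64
12:56:16.397802 IP semsor10.local > 77.209.87.193: ICMP semsor10.local protocol 47 port 2048 unreachable, length 116
12:56:17.401200 IP 192.0.2.7 > semsor10.local: GREv0, length 88: IP 172.16.1.3 > 172.16.1.1: ICMP echo request, id 63500, seq 1, length 64
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): (.*)$")
GRE = re.compile(r"^GREv\d+, length \d+: IP (\S+) > (\S+): ")
UNREACH = re.compile(r"^ICMP \S+ protocol 47 (?:port \d+ )?unreachable")


def rejected_gre(text, window=timedelta(seconds=1)):
    """Return GRE packets whose outer packet drew an ICMP 'protocol 47 unreachable'."""
    pending, hits = [], []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        src, dst, rest = m.group(2), m.group(3), m.group(4)
        gre = GRE.match(rest)
        if gre:
            pending.append({"time": ts, "outer_src": src, "outer_dst": dst,
                            "inner_src": gre.group(1), "inner_dst": gre.group(2)})
        elif UNREACH.match(rest):
            # The error travels from the GRE destination back to the GRE
            # sender outside the tunnel, so match the outer addresses reversed.
            for p in pending:
                if (p["outer_src"], p["outer_dst"]) == (dst, src) and ts - p["time"] <= window:
                    hits.append(p)
                    pending.remove(p)
                    break
    return hits


if __name__ == "__main__":
    for p in rejected_gre(SAMPLE):
        print(f"GRE from {p['outer_src']} rejected by {p['outer_dst']}; "
              f"inner packet {p['inner_src']} > {p['inner_dst']} never reached the tunnel")
```

Any hit means the encapsulating packet was refused on the receiving host before decapsulation, so the firewall log and tunnel definition on that host are the place to look.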
