[sclug] VPN Help Needed
Alex Butcher
lug at assursys.co.uk
Sat Aug 13 13:48:33 UTC 2005
On Sat, 13 Aug 2005, Tom Dawes-Gamble wrote:
> I'm trying to get a VPN Working from IpCop (openSWAN) and a Draytek
> Vigor 2600. According to the IpCop documentation if you can't ping and
> traceroute the remote end forget it. Well I can ping and get to the
> Web interface on the Draytek but traceroute fails.
>
> If I run traceroute from a server in harbour exchange I end up with
>
> 16 217.41.172.73 (217.41.172.73) 16.215 ms 14.693 ms 20.950 ms
> 17 217.41.216.2 (217.41.216.2) 8.003 ms 10.290 ms 8.670 ms
> 18 217.32.86.6 (217.32.86.6) 6.667 ms 6.731 ms 6.694 ms
> 19 host86-128-210-103.range86-128.btcentralplus.com (86.128.210.103)
> 19.059 ms 18.888 ms 17.850 ms
>
> If I traceroute from my home system
>
> 12 * * *
> 13 217.41.216.2 (217.41.216.2) 38.330 ms 33.377 ms 36.048 ms
> 14 217.32.86.6 (217.32.86.6) 37.563 ms 35.699 ms 33.375 ms
> 15 * * *
Remember that UNIX traceroute uses UDP packets with monotonically increasing
TTL values, whilst Windows uses ICMP Echo Request packets with the same TTL
trick. UNIX traceroute can emulate Windows' traceroute with the -I flag.
IPSec doesn't use ICMP as the underlying transport, though, so as long as
the important ICMP messages can get through (e.g. destination unreachable,
must fragment) then there's no need to worry. You do need to make sure that
ESP (IP protocol 50) is allowed through, though, as well as 500/udp.
That's all the theory, though. I've not had the need to configure an IPSec
VPN myself.
> Tom.
HTH,
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950 <http://www.assursys.com/>
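
An added example, not part of the original message: a small Python audit of an iptables-save style ruleset for the traffic the reply lists (ESP, 500/udp, ICMP destination unreachable). The sample ruleset is constructed, and the choice of the INPUT chain and iptables syntax is an assumption, not something from the thread.

```python
import shlex

# What the reply lists: ESP (IP protocol 50), 500/udp, and the important ICMP
# errors (destination unreachable, which carries the "must fragment" code).
REQUIRED = ("esp", "udp/500", "icmp/destination-unreachable")

# Constructed sample ruleset: ping is allowed, UNIX traceroute's UDP probes are dropped.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33534 -j DROP
COMMIT
"""

def _opt(tok, *names):
    """Return the value following the first of `names` present in the rule."""
    for name in names:
        if name in tok[:-1]:
            return tok[tok.index(name) + 1]
    return None

def accepted_traffic(ruleset, chain="INPUT"):
    """Collect the REQUIRED items that some ACCEPT rule in `chain` lets through.
    Simplification: rules using ! negation are skipped; rule order and
    source/interface matches are not evaluated."""
    found = set()
    for line in ruleset.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:2] != ["-A", chain] or "!" in tok or _opt(tok, "-j", "--jump") != "ACCEPT":
            continue
        proto = _opt(tok, "-p", "--protocol")
        port = _opt(tok, "--dport", "--destination-port")
        icmp_type = _opt(tok, "--icmp-type")
        if proto in ("esp", "50"):
            found.add("esp")
        elif proto in ("udp", "17") and port in (None, "500"):
            found.add("udp/500")
        elif proto in ("icmp", "1") and icmp_type in (None, "3", "destination-unreachable"):
            found.add("icmp/destination-unreachable")
    return found

def missing_for_ipsec(ruleset, chain="INPUT"):
    """List the REQUIRED items the chain does not accept, in REQUIRED order."""
    allowed = accepted_traffic(ruleset, chain)
    return [item for item in REQUIRED if item not in allowed]

if __name__ == "__main__":
    print("not accepted:", missing_for_ipsec(SAMPLE_RULES))
```

On the constructed sample, ping succeeds and UDP traceroute fails, yet what the audit flags is the missing ESP and ICMP error rules.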