R.M. Evers wrote:
| hello,
|
| i'm having some problems implementing a vpn configuration, and i'm
| hoping you guys could help me out here. we are hosting a debian sarge
| server for one of our customers, and they need to communicate with this
| server over the internet securely. to accomplish this, i want to create
| a vpn between the debian server and their network. for my test setup,
| this is what i did:
|
| on the left side of the vpn (debian sarge server):
|
| - compiled a 2.4.27-8 kernel with the backported KAME IPSec stack and
|   crypto modules
| - installed freeswan and ipsec-tools
| - this server has two NICs:
|   * eth0 is connected to the internet, and has an external IP, let's
|     say 1.2.3.4.
|   * eth1 is _not_ connected, but i assigned an internal IP to it:
|     172.27.27.1.
| - set up iptables to accept the esp packets and IKE messages (udp/500)
|   from the right side (9.8.7.6).
| - configured freeswan for the vpn:
| --
| conn foo-bar
|   left=1.2.3.4
|   leftsubnet=172.27.27.0/24
|   leftnexthop=1.2.3.1
|   right=9.8.7.6
|   rightsubnet=192.168.1.0/24
|   authby=secret
|   auto=start
| --
|
| on the right side i set up a simple test network behind a netscreen
| appliance (9.8.7.6) and configured the vpn.
|
| now, i can start the vpn and it works when i try to connect from right
| to left (let's say, from 192.168.1.33 to 172.27.27.1). tcpdump shows me
| esp packets, and everything works fine.
Does tcpdump show out-going and returning packets?
|
| now here's the problem: i cannot connect from left to right (i.e., from
| the debian server to a machine inside the right network). when i follow
| the tcpdump when i nmap a machine in the right network (192.168.1.33), i
| can see packets going from 1.2.3.4 to 192.168.1.33. so it's not
| travelling the vpn and i don't have a clue why. i'm kind of a n00b at
| this stuff, so i was amazed i actually got this far. but does anyone
| know what i have to do to have a fully functional bidirectional vpn? or
| is my setup just, well, plain stupid?? :-) it must be noted that in the
| future it is likely that more parties will have to connect to this
| server via an extra vpn.
|
Depending on the answer above, if you are not seeing returning packets, check netstat -rn on the left server and check that the routing table shows the left-side subnet and that those packets are being routed through the correct interface.
hth
Dave
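The following is an added worked example, not code from either poster and not FreeS/WAN's or the kernel's own logic. It models the two things the thread turns on: an IPsec policy only protects packets whose source and destination fall inside the conn's leftsubnet/rightsubnet selectors, and the source address of a locally generated packet is chosen by the routing table (the `netstat -rn` check suggested above). The conn values are the ones quoted in the thread; the routing table, the `src` hints on the routes, and the sample flows are constructed for illustration.

```python
"""Toy IPsec policy-selector and route-lookup check for the 'conn foo-bar'
quoted in the thread.  Added example; not FreeS/WAN code.  It only models
subnet selectors and longest-prefix route matching, nothing else."""
import ipaddress

# Subnet selectors taken from the conn quoted in the thread.
CONN_FOO_BAR = {
    "leftsubnet": ipaddress.ip_network("172.27.27.0/24"),
    "rightsubnet": ipaddress.ip_network("192.168.1.0/24"),
}

# Constructed routing table for the left (Debian) server: a default route
# out of eth0 with the public address as source, and the unconnected eth1
# subnet.  The "src" field is the source address the kernel would pick for
# locally generated packets using that route (assumption for this toy).
ROUTES = [
    {"dst": "0.0.0.0/0", "dev": "eth0", "src": "1.2.3.4"},
    {"dst": "172.27.27.0/24", "dev": "eth1", "src": "172.27.27.1"},
]


def tunnel_matches(src, dst, conn=CONN_FOO_BAR):
    """Return 'left->right', 'right->left' or None depending on whether a
    packet with these endpoints falls inside the conn's subnet selectors.
    A packet matching neither direction is not covered by the policy and
    leaves in the clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in conn["leftsubnet"] and d in conn["rightsubnet"]:
        return "left->right"
    if s in conn["rightsubnet"] and d in conn["leftsubnet"]:
        return "right->left"
    return None


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match over the constructed routing table."""
    d = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route["dst"])
        if d in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def outbound_verdict(dst, routes=ROUTES, conn=CONN_FOO_BAR):
    """For a packet the left server originates towards dst, pick the source
    address from the routing table and report whether the IPsec policy
    would cover the resulting (src, dst) pair."""
    route = route_lookup(dst, routes)
    if route is None:
        return None, "unroutable"
    return route["src"], tunnel_matches(route["src"], dst, conn) or "cleartext"


def classify_flows(flows, conn=CONN_FOO_BAR):
    """Label each constructed (src, dst) flow with the selector verdict."""
    return [(s, d, tunnel_matches(s, d, conn) or "cleartext") for s, d in flows]


# Constructed flows mirroring the thread: the working right-to-left test,
# the left-to-right pair the poster wants, and the pair tcpdump actually
# showed leaving the server (public address as source).
SAMPLE_FLOWS = [
    ("192.168.1.33", "172.27.27.1"),
    ("172.27.27.1", "192.168.1.33"),
    ("1.2.3.4", "192.168.1.33"),
]

if __name__ == "__main__":
    for s, d, verdict in classify_flows(SAMPLE_FLOWS):
        print(f"{s:>14} -> {d:<14} {verdict}")
    print("left server -> 192.168.1.33 via constructed routes:",
          outbound_verdict("192.168.1.33"))
    # Same lookup with an extra constructed route that selects the eth1
    # address as source for the right-hand subnet.
    with_src_route = ROUTES + [
        {"dst": "192.168.1.0/24", "dev": "eth0", "src": "172.27.27.1"}]
    print("with 192.168.1.0/24 src 172.27.27.1:",
          outbound_verdict("192.168.1.33", routes=with_src_route))
```

With the constructed default route the server's own packets towards 192.168.1.33 carry 1.2.3.4 as source, which is outside leftsubnet, so the policy never matches and the trace shows exactly the cleartext 1.2.3.4 -> 192.168.1.33 packets described in the question; the same lookup with a route that picks 172.27.27.1 as source lands inside the selectors. That is the difference `netstat -rn` (or `ip route get 192.168.1.33`) is meant to surface.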

