phil, thanks for your help.

> So the tunnel is up? You can ping from one side to the other? Have a
> look at the output of 'ipsec look'. Look at the logs on the left side
> server. Is the tunnel really up? You should see entries in
> /var/log/auth.log . Look at logs on the netscreen as well.

yes, the tunnel is up. auth.log shows "IPsec SA established" and the netscreen logs show the same. i can only use the vpn from right to left though (behind netscreen -> eth1 ip from debian server). tcpdump clearly shows ESP packets when i do this.

'ipsec look' looks like this:

cat: /proc/net/ipsec_spigrp: No such file or directory
cat: /proc/net/ipsec_eroute: No such file or directory
grep: /proc/net/ipsec_tncfg: No such file or directory
sort: open failed: /proc/net/ipsec_spi: No such file or directory
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         1.2.3.1         0.0.0.0         UG      0 0          0 eth0
192.168.1.0     1.2.3.1         255.255.255.0   UG      0 0          0 eth0
1.2.3.0         0.0.0.0         255.255.255.0   U       0 0          0 eth0

i believe the errors are because of the fact that i'm using the native linux ipsec stack instead of the kernel-patch-freeswan modules.

> Are you trying *from* the vpn server? Try connecting from a machine
> that is *behind* the left server.

yes, i'm trying *from* the debian server. there is *no* network behind the debian server. i'm only trying to accomplish a vpn from the right network to the debian server so they can connect to each other using internal IPs. that's why i gave the eth1 NIC an internal IP to fake an internal network. eth1 is not connected in any way, so maybe that's the problem..

> your config says send packets from
> 172.27.27.0/24 over the tunnel. When you ping from the debian server,
> it's using the 1.2.3.4 interface, so it's not going thru the tunnel. You
> can tell ping to use the other interface by using 'ping -I eth1
> 192.168.1.x', or connect a box to the eth1 iface and try connecting from
> there.

ok, when i ping from eth1, i get a "bad interface address 'eth1'" error, probably because eth1 is not connected..

> For freeswan configs, it's pretty normal to use the classic 4 tunnel
> approach to cover all connections.

thanks, didn't know this approach. but i don't think it will help in this case, since there is no 'real' left subnet :-)

> Setting up multiple tunnels with [free|openswan] is no biggie once you
> get it working. I've got a single server with 45-50 tunnels running and
> it doesn't break a sweat. With multiple tunnels I suggest looking at
> using certificates or RSA keys for the connections. Easier than setting
> up individual secrets and really necessary for connecting endpoints with
> dynamic IPs.
>
> --
>
> /phil

thanks for the tips! if you can think of anything that might help, or maybe a configuration that better suits my needs, please let me know.

regards,
-rodi.
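The exchange above turns on two things: which source address the kernel picks for a ping sent from the server itself (the default route goes out eth0, so the packet is sourced from 1.2.3.4), and whether that source/destination pair falls inside the tunnel's leftsubnet/rightsubnet selectors. The following is an added illustration, not code from the thread or from FreeS/WAN or Openswan. It models the routing table from the 'ipsec look' output, the single 172.27.27.0/24 <-> 192.168.1.0/24 policy, and the "classic 4 tunnel" layout phil mentions (subnet-subnet, host-subnet, subnet-host, host-host). The eth1 address (172.27.27.1) and the NetScreen's public address (1.2.3.5) are assumptions, as is the destination host 192.168.1.10.

```python
"""Which IPsec selector covers a packet, given how the kernel sources it?

Added example (not from the thread). Shows why a ping from the Debian
server to 192.168.1.x is sent in the clear with a single net-net tunnel,
and how the classic four-tunnel layout covers that case as well.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    """One FreeS/WAN-style conn: traffic between leftsubnet and rightsubnet."""
    name: str
    leftsubnet: ipaddress.IPv4Network
    rightsubnet: ipaddress.IPv4Network


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


LEFT_HOST = "1.2.3.4/32"         # debian server, public side (from the thread)
LEFT_SUBNET = "172.27.27.0/24"   # 'fake' internal net on eth1 (from the thread)
RIGHT_HOST = "1.2.3.5/32"        # netscreen public address (assumed)
RIGHT_SUBNET = "192.168.1.0/24"  # network behind the netscreen (from the thread)

# rodi's current policy: only the fake internal subnet is covered.
SINGLE_TUNNEL = [Tunnel("net-net", net(LEFT_SUBNET), net(RIGHT_SUBNET))]

# phil's "classic 4 tunnel" approach: every host/subnet combination.
# (IKE itself, UDP/500 between the two gateways, is passed by the stack
# outside these policies; not modelled here.)
FOUR_TUNNELS = [
    Tunnel("net-net", net(LEFT_SUBNET), net(RIGHT_SUBNET)),
    Tunnel("host-net", net(LEFT_HOST), net(RIGHT_SUBNET)),
    Tunnel("net-host", net(LEFT_SUBNET), net(RIGHT_HOST)),
    Tunnel("host-host", net(LEFT_HOST), net(RIGHT_HOST)),
]

# Routing table as printed by 'ipsec look' in the thread: everything via eth0.
ROUTES = [
    (net("0.0.0.0/0"), "eth0"),
    (net("192.168.1.0/24"), "eth0"),
    (net("1.2.3.0/24"), "eth0"),
]
IFACE_ADDR = {"eth0": "1.2.3.4", "eth1": "172.27.27.1"}  # eth1 address assumed


def default_source(dst, routes=ROUTES, iface_addr=IFACE_ADDR):
    """Longest-prefix route lookup; the source address is the egress
    interface's address, which is what ping uses without -I."""
    d = ipaddress.ip_address(dst)
    best = max((r for r in routes if d in r[0]), key=lambda r: r[0].prefixlen)
    return iface_addr[best[1]]


def match_tunnel(tunnels, src, dst):
    """Name of the first tunnel whose selectors cover src->dst (policies
    apply in both directions), or None if the packet would go out in clear."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for t in tunnels:
        if s in t.leftsubnet and d in t.rightsubnet:
            return t.name
        if s in t.rightsubnet and d in t.leftsubnet:
            return t.name
    return None


def classify_ping(dst, tunnels, source=None):
    """(source address used, tunnel matched) for a ping from the server;
    pass source= to emulate 'ping -I <eth1 address>'."""
    src = source or default_source(dst)
    return src, match_tunnel(tunnels, src, dst)


if __name__ == "__main__":
    target = "192.168.1.10"
    for label, tunnels in (("single tunnel", SINGLE_TUNNEL), ("four tunnels", FOUR_TUNNELS)):
        print(f"{label}: plain ping      -> {classify_ping(target, tunnels)}")
        print(f"{label}: ping -I eth1    -> {classify_ping(target, tunnels, IFACE_ADDR['eth1'])}")
        print(f"{label}: from right side -> {match_tunnel(tunnels, target, IFACE_ADDR['eth1'])}")
```

With the single tunnel, the plain ping is sourced from 1.2.3.4 and matches nothing, while the same flow from the right side (192.168.1.10 -> 172.27.27.1) matches, which is the asymmetry rodi reports. Adding the host-net tunnel (1.2.3.4/32 <-> 192.168.1.0/24) is what makes the server's own traffic match without needing an address on eth1 at all.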

