Hey all, disregard the last message: the setup works. I was trying to ping from an ssh session to the router. That still doesn't work, but I can ping from all other hosts on my subnet to the other subnet and vice versa. Does anybody know why I wouldn't be able to ping from the router to the other subnet?
Simon

>From: "Simon Bolduc" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: [Leaf-user] VPN between 2 dachstein boxes with Seawall
>Date: Tue, 16 Oct 2001 18:27:20 -0400
>
>Hey all, I'm having some difficulty setting up a VPN between 2 LRP boxes.
>They are both running Dachstein RC1 with the patched kernel, IPSec 1.5 and
>Seawall. Here's a quick lil diagram of the network layout (sorry if it's not
>very good, but it should convey the necessary info).
>
>
>|-----------------|
>| 192.168.2.0/24  |-> 24.156.190.xxx -> 24.156.190.1 -> Internet
>|-----------------|   eth0              gateway         |
>                                                        V
>                                                        P
>                                                        N
>|-----------------|                                     |
>| 192.168.1.0/24  |-> 24.42.252.xxx  -> 24.42.252.140 -> Internet
>|-----------------|   eth0              gateway
>
>If at all possible I'd like to set up a VPN between these 2 subnets, and I
>think I've configured it properly, but I still can't ping hosts on either.
>
>At boot up I can run ipsec manual --up simon_andrew and it doesn't generate
>any errors, and the routing table looks okay:
>
>Kernel IP routing table
>Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
>192.168.1.0     24.156.190.1    255.255.255.0   UG    0      0        0 ipsec0
>24.156.190.0    *               255.255.254.0   U     0      0        0 eth0
>24.156.190.0    *               255.255.254.0   U     0      0        0 ipsec0
>default         24.156.190.1    0.0.0.0         UG    0      0        0 eth0
>
>
>The routing table looks fine on the other box as well. The proper ports are
>open (UDP 500, protocols 50 & 51) on both ends. I'm wondering if it has
>something to do with my config or if this kind of setup is not possible.
>
>ipsec.conf:
>
><snip>
>
># basic configuration
>config setup
>        # THIS SETTING MUST BE CORRECT or almost nothing will work;
>        # %defaultroute is okay for most simple cases.
>        interfaces="ipsec0=eth0"
>        # Debug-logging controls: "none" for (almost) none, "all" for lots.
>        klipsdebug=all
>        plutodebug=all
>        # Use auto= parameters in conn descriptions to control startup actions.
>        plutoload=%search
>        plutostart=%search
>
>
># defaults for subsequent connection descriptions
>conn %default
>        # How persistent to be in (re)keying negotiations (0 means very).
>        keyingtries=0
>        # Parameters for manual-keying testing (DON'T USE OPERATIONALLY).
>        # Note: only one test connection at a time can use these parameters!
>        spi=0x200
>        esp=3des-md5-96
>        espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
>        espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
>        # If RSA authentication is used, get keys from DNS.
>        leftrsasigkey=%dns
>        rightrsasigkey=%dns
>
>
># sample connection
>conn simon_andrew
>        # Left security gateway, subnet behind it, next hop toward right.
>        left=24.156.190.xxx
>        leftsubnet=192.168.2.0/24
>        leftnexthop=24.156.190.1
>        leftfirewall=yes
>        # Right security gateway, subnet behind it, next hop toward left.
>        right=24.42.252.xxx
>        rightsubnet=192.168.1.0/24
>        rightnexthop=24.252.140.129
>        rightfirewall=yes
>        # Authorize this connection, but don't actually start it, at startup.
>        auto=add
>        # To use RSA authentication (not legal in US until 20 Sept 2000),
>        # uncomment this next line.
>        #authby=rsasig
>
>
>Any and all help would be greatly appreciated.
>
>Simon
>
>
>_______________________________________________
>Leaf-user mailing list
>[EMAIL PROTECTED]
>https://lists.sourceforge.net/lists/listinfo/leaf-user
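Added example, not code from the post or from the LEAF/FreeS/WAN project: a small POSIX shell check that mimics how a FreeS/WAN subnet-to-subnet conn decides which packets belong in the tunnel. A conn such as simon_andrew above protects traffic whose source lies in leftsubnet (192.168.2.0/24) and whose destination lies in rightsubnet (192.168.1.0/24); a packet that the gateway itself originates normally carries the gateway's own address as source, which is outside leftsubnet, so that conn never selects it. The FreeS/WAN documentation's usual workarounds are to ping with a source address inside the protected subnet (ping -I <internal address>) or to add a second conn whose left is the gateway address itself with no leftsubnet. The values GW_PUBLIC (a constructed placeholder for the address the post writes as 24.156.190.xxx) and GW_INTERNAL (an assumed eth1 address of 192.168.2.1) are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate the selector of a
# FreeS/WAN subnet-to-subnet conn for a given source/destination pair.
#
# Taken from the posted ipsec.conf:
LEFTSUBNET=192.168.2.0/24
RIGHTSUBNET=192.168.1.0/24
# Assumptions / constructed values, NOT from the post:
GW_PUBLIC=24.156.190.5     # placeholder for the left gateway's public address (24.156.190.xxx)
GW_INTERNAL=192.168.2.1    # assumed address of the left gateway on eth1
FAR_HOST=192.168.1.10      # constructed host on the far subnet to ping

# ip4_to_int A.B.C.D -> print the address as an unsigned 32-bit integer
ip4_to_int() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX -> exit 0 if ADDR lies inside the prefix
in_cidr() {
    _net=${2%/*}
    _plen=${2#*/}
    if [ "$_plen" -eq 0 ]; then
        _mask=0
    else
        _mask=$(( (0xffffffff << (32 - _plen)) & 0xffffffff ))
    fi
    [ $(( $(ip4_to_int "$1") & _mask )) -eq $(( $(ip4_to_int "$_net") & _mask )) ]
}

# tunnel_selects SRC DST -> exit 0 if a packet SRC->DST matches the conn's
# leftsubnet->rightsubnet selector (i.e. would be sent through the tunnel)
tunnel_selects() {
    in_cidr "$1" "$LEFTSUBNET" && in_cidr "$2" "$RIGHTSUBNET"
}

# classify SRC DST -> prints "tunnel" when the conn selects the packet and
# "clear" when it falls outside the selector and is routed unprotected
classify() {
    if tunnel_selects "$1" "$2"; then
        echo tunnel
    else
        echo clear
    fi
}

# The three cases from the thread: a host behind the gateway, the gateway
# itself (source = its public address), and the gateway with ping -I.
echo "host 192.168.2.10 -> $FAR_HOST:            $(classify 192.168.2.10 "$FAR_HOST")"
echo "gateway $GW_PUBLIC -> $FAR_HOST:            $(classify "$GW_PUBLIC" "$FAR_HOST")"
echo "gateway ping -I $GW_INTERNAL -> $FAR_HOST:  $(classify "$GW_INTERNAL" "$FAR_HOST")"
```

The middle line is the symptom described in the thread: hosts on 192.168.2.0/24 match the selector, but a packet the gateway sends from its own public address does not, so it is routed according to the ordinary routing table instead of the tunnel. Forcing a source address inside leftsubnet (the last line, equivalent to ping -I on the gateway) makes the same destination match again.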
