Loading the ip_masq_ipsec module was something I did last because I felt that I had tried almost everything. Even if I don't load ip_masq_ipsec I still can't ping from subnet to subnet with this setup. Are there some other things I can try to get this working?

This is what I have done:

1) Installed Dachstein CD 1.02 on two machines and use them as firewalls with great success
2) I am loading ipsec.lrp (and mawk and ifconfig)
3) I have opened up both firewalls with EXTERN_UDP_PORTS="0/0_500" and EXTERN_PROTO0="50 0/0"
4) Configured ipsec.secrets and ipsec.conf on both machines
5) Restarted ipsec and then got a message about "rp_filter set to 1 should be 0". I set rp_filter manually (echo "0" > /some path to /rp_filter) and then restarted and got no errors
6) The tunnel is established with 'ipsec auto --up my_name' and 'ipsec look' looks OK on both machines

Many thanks for your help.

Cheers,
Rein Inge

----- Original Message -----
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>

> !!! WARNING !!! Danger Will Robinson!
>
> It looks like you're running IPSec *AND* loading the ip_masq_ipsec kernel
> module. I don't even know how this is possible, but it's definitely
> *WRONG*. You need to make sure you're using a kernel with KLIPS (IPSec in
> the kernel name on my website). The default CD-ROM kernel contains IPSec,
> but the default floppy kernel doesn't. Do *NOT* load the ipsec masquerading
> module...KLIPS (firewall=VPN Gateway) and ipsec masquerading (ipsec client
> on an internal system) are incompatible.
>
> Confusing, but sadly, it's the current state of affairs. Note this also
> means you cannot use the firewall as a VPN gateway while masquerading
> internal IPSec clients...the functions are mutually exclusive.
>
> Otherwise, your config looks to be OK...
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
>
> ----- Original Message -----
> From: "Rein Inge Hoff" <[EMAIL PROTECTED]>
>
> # ipsec look
> firewall Wed Feb 28 14:43:44 UTC 2001
> 192.168.1.0/24 -> 192.168.0.0/24 => [EMAIL PROTECTED]
> [EMAIL PROTECTED] (0)
> ipsec0->eth0 mtu=16260(1500)->1500
>
> -------------
>
> # lsmod | grep ipsec
> ip_masq_ipsec 7328 0 (unused)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
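
A preflight check for the three conditions discussed in this thread (KLIPS present in the kernel, ip_masq_ipsec not loaded, rp_filter set to 0), as an added example that is not part of the original messages. The function names, the use of /proc/net/ipsec_eroute as the KLIPS indicator, the /proc/sys/net/ipv4/conf/<iface>/rp_filter path and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for a KLIPS VPN gateway.
# Usage: check_klips_gateway PROC_ROOT LSMOD_TEXT IFACE...
#   PROC_ROOT is normally /proc; it is a parameter so the check can run
#   against a constructed tree. Prints findings, returns 1 if there are any.
check_klips_gateway() {
    proc_root=$1; lsmod_text=$2; shift 2
    bad=0
    # KLIPS exposes its state under /proc/net (assumption: ipsec_eroute,
    # which `ipsec look` reads, is present whenever KLIPS is in the kernel).
    if [ ! -e "$proc_root/net/ipsec_eroute" ]; then
        echo "FAIL: no KLIPS in this kernel (missing net/ipsec_eroute)"
        bad=1
    fi
    # The masquerading helper must not be loaded on a gateway running KLIPS.
    if printf '%s\n' "$lsmod_text" | grep -q '^ip_masq_ipsec[[:space:]]'; then
        echo "FAIL: ip_masq_ipsec is loaded; it is incompatible with KLIPS"
        bad=1
    fi
    # Reverse-path filtering must be off on the interfaces IPSec uses.
    for iface in "$@"; do
        f="$proc_root/sys/net/ipv4/conf/$iface/rp_filter"
        val=$(cat "$f" 2>/dev/null || echo missing)
        if [ "$val" != "0" ]; then
            echo "FAIL: rp_filter=$val on $iface, should be 0"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: a fake /proc tree with the problems raised in the thread
# (KLIPS present, ip_masq_ipsec loaded, rp_filter still 1 on eth0).
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/net" "$root/sys/net/ipv4/conf/eth0"
    : > "$root/net/ipsec_eroute"
    echo 1 > "$root/sys/net/ipv4/conf/eth0/rp_filter"
    echo "$root"
}
SAMPLE_LSMOD='Module                  Size  Used by
ip_masq_ipsec           7328   0 (unused)'

sample_root=$(make_sample_proc)
check_klips_gateway "$sample_root" "$SAMPLE_LSMOD" eth0 || true
rm -rf "$sample_root"
```

On a live gateway the equivalent call would be `check_klips_gateway /proc "$(lsmod)" eth0`, with the interface list adjusted to the ones ipsec is bound to.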
