From: "MLU " <[EMAIL PROTECTED]>

> I strongly hope that's my mistake somewhere and not the ISP's. If the ISP
> blocks the IPSEC, could I connect to my office's VPN server? I still can do
> that before this experiment (removing ipsec module...).
>
> The bad (and probably good -:)) news is that I do not see anything logged
> into /var/log/messages on my site after I ping the other site.
>
> Lynn mentioned that "But more likely, the route to the correct local subnet
> on each machine is missing". How can I detect that, and how do I fix it?
Look at your local routing setup (ip route or netstat -nr). Make sure there is a route directing packets destined for the far end of the VPN to the ipsec device.

From: "Jonathan French" <[EMAIL PROTECTED]>

> I'm having similar problems, and have found this thread helpful. I've
> been wondering, do we have to declare the routing on the gateways, or
> shouldn't ipsec handle this?

FreeS/WAN handles setting up routes for the VPN link (i.e. traffic to the far end of the VPN gets routed to ipsec0), but you still have to set up basic networking (including routing) on the VPN gateway, as well as duplicate some routing information in FreeS/WAN's configuration file. (Due to limitations with the 2.0 series kernel, initial versions of FreeS/WAN were unable to use the kernel's routing information, so this had to be duplicated in the FreeS/WAN configs. This will be fixed in the next major re-write of KLIPS, the kernel IPSec code.)

> Also, what if the ipsec router is not the
> default gateway for a machine that you are trying to ping from
> elsewhere? Do the pings try to return through the wrong router?

If the VPN gateway is *NOT* the default router for the subnet, EACH AND EVERY HOST that wants to talk to the remote end of the VPN needs a static route directing those packets to the VPN gateway. Your life will be *MUCH* easier if the VPN gateway is also the default gateway for your subnet.
If you are required to use an alternate firewall for some reason, you may find a "series" configuration might work better than trying to parallel the VPN gateway and your existing firewall, i.e.:

    internet
       |
    firewall
       |
    VPN Gateway
       |
    internal network

Rather than:

        internet
           |
     +----------\
     |          |
  firewall   VPN Gateway
     |          |
     +----------/
           |
    internal network

If your firewall is "fancy" enough, you may also be able to set up something like:

    internet
       |
    firewall --- VPN Gateway
       |
    internal network

Where you add a static route to the firewall (forwarding internal network -> VPN traffic to the VPN gateway), and port-forward, NAT, or otherwise route inbound IPSec traffic to the VPN gateway box, as well.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
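A small check for the advice above (look at ip route, make sure packets for the far end of the VPN go out the ipsec device), added here as an example and not code from the thread or from FreeS/WAN. The ip route output is constructed; the device names ipsec0/eth0/eth1 and the 10.2.0.0/24 remote subnet are assumptions.

```python
import ipaddress

# Constructed `ip route` output for a FreeS/WAN gateway (not from the thread).
# The far end of the VPN is 10.2.0.0/24; FreeS/WAN should have added the
# ipsec0 route for it.  Without that line, traffic falls through to the
# default route on eth0 and leaves the box unencrypted.
SAMPLE_IP_ROUTE = """\
10.2.0.0/24 dev ipsec0  scope link
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.10
default via 203.0.113.1 dev eth0
"""

def parse_ip_route(text):
    """Turn `ip route` lines into (network, device, gateway) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)   # bare host -> /32
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, dev, via))
    return routes

def lookup(routes, dest):
    """Longest-prefix match: the route the kernel would pick for dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, dev, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return best

def check_vpn_route(text, remote_host, ipsec_dev="ipsec0"):
    """Return (ok, device): ok is True when remote_host leaves on ipsec_dev."""
    hit = lookup(parse_ip_route(text), remote_host)
    dev = hit[1] if hit else None
    return dev == ipsec_dev, dev

if __name__ == "__main__":
    ok, dev = check_vpn_route(SAMPLE_IP_ROUTE, "10.2.0.7")
    print("10.2.0.7 ->", dev, "(ok)" if ok else "(NOT via ipsec0!)")
```

Feed it the real table with `ip route > routes.txt` and the far-end host you are pinging; a result other than ipsec0 means the missing route Lynn described, not an ISP block.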