Charles Steinkuehler wrote:
> Michael D. Schleif wrote:
> > For further information, please, let me know and I will be as verbose as
> > necessary on a separate webpage.  Let's hope that I remember to publish
> > the final solution exhaustively to the list ;>
>
> It would be nice to see the complete firewall rule dump from both
> machines, although in your test network you could simply flush all
> firewall rules on bluetrout (the Cisco "emulator"), if it's not hooked
> to the internet.

It is a live internet DCD . . .

> Regardless, the firewall rules on pinktrout are a "Must see", especially
> given the log errors.

Simply ipchains -nvL ???

> The complete output of "ip addr" and "ip route" from *BOTH* systems
> would also be very helpful.

ip route is complete in last post; ip addr will go on the webpage, too . . .

<snip />

> > [4] Neither side can ping anything on the other side.
>
> Hmm...probably due to the dropped protocol 50 packets on pinktrout (item
> [7], below).

<snip />

> > [6] udp port 500 & protocols 50 & 51:
> >
> > root@bluetrout:/root
> > # ipchains -nvL --line-numbers | grep '\( 5[01] \|500$\)'
> >  1     0     0 ACCEPT  51  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157    n/a
> >  2     0     0 ACCEPT  50  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157    n/a
> >  3     0     0 ACCEPT  51  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157    n/a
> >  4     0     0 ACCEPT  50  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157    n/a
> >  5     0     0 ACCEPT  51  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157    n/a
> >  6     0     0 ACCEPT  50  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157    n/a
> >  7     0     0 ACCEPT  51  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157    n/a
> >  8     0     0 ACCEPT  50  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157    n/a
> > 53    62  9756 ACCEPT  udp ------ 0xFF 0x00  wan1  0.0.0.0/0       64.4.222.157    * -> 500
> >
> > root@pinktrout:/root
> > # ipchains -nvL --line-numbers | grep '\( 5[01] \|500$\)'
> > 50    26  6156 ACCEPT  udp ------ 0xFF 0x00  wan1  0.0.0.0/0       144.228.51.210  * -> 500
>
> I think you need a log accepting protocol 50 traffic on pinktrout...
>
> > [7] kern.log:
> >
> > root@pinktrout:/root
> > # tail -f /var/log/kern.log
> > Nov 12 20:41:18 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62911 F=0x0000 T=54 (#56)
> > Nov 12 20:41:19 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62913 F=0x0000 T=54 (#56)
> > Nov 12 20:41:20 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62915 F=0x0000 T=54 (#56)
>
> This is Very Bad...

Yes, that is why I posted ;>

I thought that protocols 50 & 51 *should* be coming in on ipsec0 ???  Or,
is it _proper_ to open that up independent of all interfaces?

<snip />

> Conf files look OK.  I thought you were going to be using PSK to talk to
> the Cisco (you have RSA sig-keys in the conf file), but as long as the
> tunnel comes up, you should be OK for testing...

I decided to modify a _working_ gw-gw tunnel and assumed, as you
apparently concur, that I can ignore psk for now . . .

> The main problem I see is the denied IPSec traffic on pinktrout.  You
> don't mention which machines you tried to ping from/to...remember,
> you'll only be able to ping from pinktrout to machines on the
> 192.168.1.0/24 net other than bluetrout.

I have a special _ip route change_ cli that adds the DCD's to the ipsec0
routing.  I tried pinging from both ends.  tcpdump saw the pings enter the
tunnel; but, nothing came out either tunnel.  I did not find any errors
logged on bluetrout -- pinktrout complains about protocol 50.

> Once you get pinktrout talking to the remote network, you can start
> adding masq rules to try and get the networks behind pinktrout talking
> to the far end.  With any luck, that should just work with the
> appropriate masq rule added to the forward rule chain.

Actually, I have already added a masq rule.
Apparently, if I open up protocol 50 -- properly -- you think that all
will fall into place, as I hope?

Thanks for your participation . . .

-- 
Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
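The thread turns on one point worth making concrete: ESP (IP protocol 50) and AH (51) arrive encrypted on the physical WAN interface (wan1 here), and only after the kernel IPsec code decrypts them does the plaintext appear on ipsec0, so the ACCEPT for 50/51 has to live on the input chain for wan1 and should be matched on the peer pair rather than 0.0.0.0/0. The script below is an added example, not code from this thread or from the LEAF project. It parses the ipchains "Packet log:" DENY format and an `ipchains -nvL` listing (column layout: num pkts bytes target prot opt tosa tosx ifname source destination ports), reports which of ESP/AH a given peer cannot send in, and prints the narrow rules that would fix it. The sample log lines and listings are constructed from the output quoted above (pinktrout = 144.228.51.210, bluetrout = 64.4.222.157) plus one invented non-IPsec drop to show it is ignored; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or the LEAF project): find IPsec ESP
# (proto 50) / AH (proto 51) drops in ipchains "Packet log" output, check
# an "ipchains -nvL" listing for the matching ACCEPT rules, and print the
# narrow rules that would admit the peer's IPsec traffic on the WAN side.

# Constructed sample data: the first two log lines and the listings are
# taken from the thread; the PROTO=17 line is invented to show filtering.
SAMPLE_LOG='Nov 12 20:41:18 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62911 F=0x0000 T=54 (#56)
Nov 12 20:41:19 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62913 F=0x0000 T=54 (#56)
Nov 12 20:41:20 pinktrout kernel: Packet log: input DENY wan1 PROTO=17 10.0.0.5:1234 144.228.51.210:53 L=60 S=0x00 I=1 F=0x0000 T=54 (#56)'

BLUETROUT_RULES='    1     0     0 ACCEPT     51 ------ 0xFF 0x00  *      144.228.51.210  64.4.222.157    n/a
    2     0     0 ACCEPT     50 ------ 0xFF 0x00  *      144.228.51.210  64.4.222.157    n/a
   53    62  9756 ACCEPT     udp ------ 0xFF 0x00  wan1   0.0.0.0/0       64.4.222.157    * -> 500'
PINKTROUT_RULES='   50    26  6156 ACCEPT     udp ------ 0xFF 0x00  wan1   0.0.0.0/0       144.228.51.210  * -> 500'

# ipsec_drops LOGTEXT
# Prints "chain iface proto src dst" once per distinct ESP/AH DENY entry;
# other protocols and non-DENY entries are ignored.
ipsec_drops() {
    printf '%s\n' "$1" | awk '
        /Packet log: .* DENY .* PROTO=5[01] / {
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            chain = $(i + 1); iface = $(i + 3)
            proto = $(i + 4); sub(/^PROTO=/, "", proto)
            src = $(i + 5); sub(/:[0-9]+$/, "", src)   # drop the :port suffix
            dst = $(i + 6); sub(/:[0-9]+$/, "", dst)
            key = chain " " iface " " proto " " src " " dst
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# missing_ipsec_accepts LISTING PEER
# Given "ipchains -nvL" output, prints each of 50 and 51 that has no ACCEPT
# rule with PEER as the source column, i.e. what the peer cannot send us.
missing_ipsec_accepts() {
    listing=$1
    peer=$2
    for proto in 50 51; do
        printf '%s\n' "$listing" | awk -v p="$proto" -v peer="$peer" '
            $4 == "ACCEPT" && $5 == p && $10 == peer { found = 1 }
            END { exit found ? 0 : 1 }' || printf '%s\n' "$proto"
    done
}

# suggest_rules LOGTEXT
# Turns each dropped ESP/AH flow into an ipchains rule inserted at the top
# of that chain (so it precedes the logging DENY), matched on interface and
# both peer addresses rather than on 0.0.0.0/0. Nothing is applied here.
suggest_rules() {
    ipsec_drops "$1" | while read -r chain iface proto src dst; do
        printf 'ipchains -I %s -i %s -p %s -s %s -d %s -j ACCEPT\n' \
            "$chain" "$iface" "$proto" "$src" "$dst"
    done
}

# Stand-alone run over the sample data.
echo "pinktrout is missing ACCEPT for protocols:"
missing_ipsec_accepts "$PINKTROUT_RULES" 64.4.222.157
echo "bluetrout is missing ACCEPT for protocols:"
missing_ipsec_accepts "$BLUETROUT_RULES" 144.228.51.210
echo "rules suggested from kern.log:"
suggest_rules "$SAMPLE_LOG"
```

Run against the constructed data it reports that pinktrout lacks ACCEPT rules for both 50 and 51 from 64.4.222.157 while bluetrout has both, and proposes a single `ipchains -I input -i wan1 -p 50 -s 64.4.222.157 -d 144.228.51.210 -j ACCEPT`. AH (51) produces no suggestion because nothing logged a drop for it; the listing check is the more complete view, since a missing rule only shows up in the log once the peer actually sends that protocol. The UDP 500 rule is deliberately left alone: both hosts already accept IKE, which is why the tunnel negotiates but carries nothing.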