Trevor-Engele wrote:
  I have what I thought would be an easy problem to figure out but is not,
well for me anyways. I'm hoping someone will be in a kind and generous frame
of mind so as to point out the error of my ways! To begin, I am using Leaf
1.2 in an attempt to evaluate its IPsec performance in no more than a
firewall/VPN sort of role. I have no problems setting it up, making it work
and establishing a connection.
The problem manifests itself when I attempt to ping anything on either
subnet - all I can see are the NICs on the Bering machines themselves,
nothing beyond.

Subnet    192.168.0.0/24
Local     192.168.0.25
Net       142.59.65.140
Gateway   142.59.64.1
          THE INTERNET
Gateway   216.123.215.81
Net       216.123.215.94
Local     192.168.2.4
Subnet    192.168.2.0/24

  Please excuse the crudity of my above network topology layout, where the IP
addresses have not been concealed to protect the innocent. To better
explain, if I am trying to ping from a machine on the 192.168.2.0/24 subnet
to another machine on the 192.168.0.0/24 subnet, as far as I can get is the
192.168.0.25 address on the Leaf box; if I try vice versa I can only go as
far as 192.168.2.4.
  I am unsure what information would best assist you in determining where my
problem lies; what I am hoping is that as this is being read someone,
somewhere is smirking and already knows why. In the event that I have
actually found a bona fide tear jerker (hah!) I will send along some stuff.

  I made the following alterations to the Shorewall configuration from what it
came with 'out of the box':

zones file:
vpn     VPN     Remote Subnet

policy file:
loc     vpn     ACCEPT
vpn     loc     ACCEPT

tunnels file:
ipsec   net     216.123.215.94
(on one machine, and 142.59.65.140 on the other; I have also tried 0.0.0.0/0
for both)

I strongly suspect your firewall rules. It looks like your IPSec tunnel is coming up OK, which means the two endpoints can exchange UDP port 500 traffic.

For actual data to flow through the VPN, the ends also have to be able to exchange ESP/AH traffic (protocol 50/51), and you have to allow forwarding between the two networks.

I'm not familiar with how to cleanly set this up with Shorewall, but Tom has excellent online documentation, and maybe some of the Shorewall users here will chime in.

Based on a quick review of the Shorewall IPSec docs (since Tom's not answering Shorewall mail during business hours anymore): http://www.shorewall.net/IPSEC.htm

...it looks like you might have missed assigning the ipsec0 interface to the VPN zone in /etc/shorewall/interfaces.

--
Charles Steinkuehler
[EMAIL PROTECTED]
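The reply above names three things a Shorewall IPsec setup with forwarding needs: a tunnels entry for the peer (which is what lets Shorewall pass UDP 500 plus ESP/AH to and from that gateway), ACCEPT policies in both directions between the local and VPN zones, and the ipsec0 interface assigned to the VPN zone in /etc/shorewall/interfaces. The script below is an added example, not code from the thread or from the Shorewall project: a small lint that parses the whitespace-separated Shorewall 1.x column layout and reports which of those pieces is missing. The zone name "vpn", the interface name "ipsec0", the eth0/eth1 assignments and the "bad" versus "good" interfaces files are constructed assumptions modelled on the original poster's description.

```shell
#!/bin/sh
# Added example (not from the thread): lint the Shorewall 1.x config pieces an
# IPsec tunnel with forwarding needs. Column layouts assumed here:
#   zones:      ZONE DISPLAY COMMENTS
#   interfaces: ZONE INTERFACE BROADCAST OPTIONS
#   policy:     SOURCE DEST POLICY LOGLEVEL
#   tunnels:    TYPE ZONE GATEWAY
# Zone/interface names and eth0/eth1 are constructed assumptions.

ZONES='net     Net         Internet
loc     Local       Local networks
vpn     VPN         Remote Subnet'

# Constructed: the interfaces file as the reply suspects it looks (no ipsec0 line).
INTERFACES_BAD='net     eth0    detect
loc     eth1    detect'

# Constructed: the same file with ipsec0 placed in the vpn zone.
INTERFACES_GOOD='net     eth0    detect
loc     eth1    detect
vpn     ipsec0'

POLICY='loc     vpn     ACCEPT
vpn     loc     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info'

# The tunnels entry is what opens UDP 500 and ESP/AH (50/51) to and from the peer.
TUNNELS='ipsec   net     216.123.215.94'

# rows TEXT: strip comments and blank lines, leaving the data rows.
rows() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk 'NF > 0'
}

# zone_defined ZONES_TEXT ZONE: succeed if ZONE appears in the zones file.
zone_defined() {
    rows "$1" | awk -v z="$2" '$1 == z { found = 1 } END { exit !found }'
}

# iface_in_zone INTERFACES_TEXT ZONE IFACE: succeed if IFACE is assigned to ZONE.
iface_in_zone() {
    rows "$1" | awk -v z="$2" -v i="$3" \
        '$1 == z && $2 == i { found = 1 } END { exit !found }'
}

# policy_allows POLICY_TEXT SRC DST: Shorewall applies the first matching policy
# line ("all" matches any zone); succeed only if that line is ACCEPT.
policy_allows() {
    rows "$1" | awk -v s="$2" -v d="$3" '
        !done && ($1 == s || $1 == "all") && ($2 == d || $2 == "all") {
            done = 1; ok = ($3 == "ACCEPT")
        }
        END { exit !ok }'
}

# tunnel_defined TUNNELS_TEXT TYPE ZONE GATEWAY: succeed if that tunnel row exists.
tunnel_defined() {
    rows "$1" | awk -v t="$2" -v z="$3" -v g="$4" \
        '$1 == t && $2 == z && $3 == g { found = 1 } END { exit !found }'
}

# lint_config INTERFACES_TEXT: print each missing piece; return 0 only if all present.
lint_config() {
    fail=0
    zone_defined "$ZONES" vpn \
        || { echo "zones: no 'vpn' zone defined"; fail=1; }
    iface_in_zone "$1" vpn ipsec0 \
        || { echo "interfaces: ipsec0 is not assigned to zone vpn"; fail=1; }
    policy_allows "$POLICY" loc vpn \
        || { echo "policy: loc -> vpn is not ACCEPT"; fail=1; }
    policy_allows "$POLICY" vpn loc \
        || { echo "policy: vpn -> loc is not ACCEPT"; fail=1; }
    tunnel_defined "$TUNNELS" ipsec net 216.123.215.94 \
        || { echo "tunnels: no ipsec tunnel in zone net to 216.123.215.94"; fail=1; }
    return $fail
}

# Usage: the constructed "bad" file reports the missing ipsec0 line, the "good" one passes.
lint_config "$INTERFACES_BAD" || echo "-> not ready for traffic through the tunnel"
lint_config "$INTERFACES_GOOD" && echo "-> all three pieces present"
```

The policy check mirrors Shorewall's first-match rule, so a blanket `all all REJECT` line placed above `loc vpn ACCEPT` would be reported as a problem rather than silently passing; the lint only looks at the configuration text, so it cannot tell you whether the kernel is actually forwarding between the interfaces.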

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html