Sorry for the delay, but I wanted to write and let others (and future searchers) know what the resolution to this problem was:
> Timothy J. Massey wrote:
> > Hello!
> >
> > I'm using a Dachstein firewall with FreeS/WAN 1.91. I would like to set
> > up an IPsec VPN with either a Linksys BEFVP41 router, or a Windows 2000
> > computer behind it.
> >
> To be clear, the problem is entirely on the Linksys end (ie: the windows
> box that works when not behind the router is behind the linksys router,
> not the Dachstein box)?
Correct.
> Assuming an affirmative answer to the above, you'll need to set up the
> Linksys box in a VPN pass-through mode (I'm not sure if it supports
> this), or provide some details about how you're trying to get it to
> connect to the Dachstein box.
I was not able to make this work, though I did not try *really* hard. It certainly did not work out of the box as I might have expected it to. I could make a Windows 2000 computer connect to Dachstein if the Windows box were directly connected to the Internet. However, if I moved it behind the Linksys, with IPsec pass-through enabled, it would not work. From my research, it seems that you need "nat_transversal=yes" in your IPsec configuration, but <1.92 does not support this. 1.91 is the newest version for Dachstein, AFAIK.
> After a quick review of the Linksys manual for your box, it looks like
> it should work fine as an IPSec gateway with Dachstein's IPSec, as long
> as you get the configuration correct. Make sure you're selecting 3DES,
> SHA, IKE (with perfect-forward-security), and have a properly set up
> pre-shared key.
This was the largest source of problems. The Bering instructions say to use MD5, unless I'm reading them wrong. I assumed that the default would be the same for Dachstein's IPsec. This is not the case.
Specifically, you need 1024-bit SHA. The Linksys supports 768 and 1024. Dachstein supports 1024 and 1536. Obviously, only 1024 is in common.
> > Also, is there a newer version of FreeS/WAN for Dachstein? I have some
> > routing issues that are making the migration to Bering difficult at the
> > moment...
>
> Not That I'm aware of...
Nor am I. I would upgrade to Bering here, but there are some routing issues more easily solved with Dachstein.
Thank you very much for your help. The pointer to SHA was invaluable. I would have probably only tried that if I got to the, "well, let's see what else I can change" stage. It saved me much frustration.
Tim Massey
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
