Rick

At 19:56 26.07.2004, you wrote:
<After long delay getting back to this...>
Thanks, Erich!
Yes, nat_traversal=yes removes the [disabled] portion of the auth.log record. This is on both firewalls below.

Mhhh, so nat-traversal is compiled in


But, I am having other problems with the home win2k machine.
What I am doing is using Bering 1.2 at both "home" and "work" firewalls.
Home is Bering 1.2 on two floppies, internal network 192.168.1.0/24, ext. static IP 216.12.x.y.
Work firewall is Bering CD, internal 192.168.10.0/24 external IP 137.45.w.z.


The setup is
W2k ---------- homefw --- internet --- university.net --- W2k ---------- ethsw --- workfw ------ int.subnet
 ^               ^                                         ^                         ^
192.168.1.3    216.12.x.y                                 137.45.p.q               137.45.w.z    192.168.10.0/24
Can't ping 192.168.10.13                                  Can ping 192.168.10.13


The symptom is that with identical road-warrior style configs on both W2K machines, the results are different. Also, the university has no firewall (checked with acad. Computing).
We have university laptops that we take home with the cisco ipsec client and I can attach these to the internal home network and connect up fine... So the university router ACLs appear to allow ipsec traffic in and out.

OK, but NAT occurs on both homefw _and_ workfw?


This is with outbound-filter (same on both win2k security settings)
source = my ipaddress/32
dest= 192.168.10.0/24
out-tunnel = 137.45.192.69 --- work fw external IP

inbound-filter
source= 192.168.10.0/24
dest=my IP address/32
in-tunnel = 192.168.1.3 (ip address on home win2k machine)

Are these the Cisco settings, so the Cisco VPN client builds a tunnel to 137.45.192.69?



I get no event errors in the Event Viewer, no shorewall log errors,
but 100% packet loss over all 12 pings.

Pings from where to where?


The only salient differences seem to be that
1) the inbound tunnel address is a private address on home w2k, and
2) going through two firewalls instead of one.

Mhhh... at home your source address is in the 192.168.1.0/24 subnet, at work it is in the 137.45.x.y subnet


What about ipsec barf? Not that I am very good at deciphering it, but it holds a lot of information.

cheers

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16



