-----Original Message-----
From: Erich Titl [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 26, 2004 4:00 PM
To: Tibbs, Richard; [EMAIL PROTECTED]
Subject: RE: [leaf-user] Road-warrior trouble: was Please Help: How to turn on Nat Traversal in Bering?


Rick

At 19:56 26.07.2004, you wrote:
><After long delay getting back to this...>
>Thanks, Erich!
>Yes, nat_traversal=yes removes the [disabled] portion of the auth.log
>record. This is on both firewalls below.

Mhhh, so nat-traversal is compiled in


>But, I am having other problems with the home win2k machine. What I am 
>doing is using Bering 1.2 at both "home" and "work" firewalls. Home is 
>Bering 1.2 on two floppys, internal network 192.168.1.0/24, ext. static 
>IP 216.12.x.y . Work firewall is Bering CD, internal 192.168.10.0/24 
>external IP 137.45.w.z.
>
>The setup is
>W2k --- homefw --- internet --- university.net --- W2k --- ethsw --- workfw --- int.subnet
>^       ^                                          ^                 ^          ^
>192.168.1.3  216.12.x.y                            137.45.p.q        137.45.w.z 192.168.10.0/24
>Can't ping 192.168.10.13                           Can ping 192.168.10.13
>
>The symptom is that with identical road-warrior style configs on both W2K
>machines, the results are different.  Also, the university has no firewall
>(checked with acad. Computing).
>We have university laptops that we take home with the cisco ipsec client 
>and I can attach these to the internal home network and connect up fine... 
>So the university router ACLs appear to allow ipsec traffic in and out.

OK, but NAT occurs on both homefw _and_ workfw?
Rick:Yes, masquerading on outbound traffic (SNAT)

>This is with outbound-filter (same on both win2k security settings) 
>source = my ipaddress/32 dest= 192.168.10.0/24
>out-tunnel = 137.45.192.69 --- work fw external IP
>
>inbound-filter
>source= 192.168.10.0/24
>dest=my IP address/32
>in-tunnel = 192.168.1.3 (ip address on home win2k machine)

Are these the Cisco settings, so the Cisco VPN client builds a tunnel to 
137.45.192.69?
Rick: Nope, the cisco client connects to, I suspect, a cisco router running a vpn 
server. 

>I get no event errors in the Event Viewer, no shorewall log errors, but 
>100% packet loss over all 12 pings.

Pings from where to where?
Rick: Pings from the win2k machine to a machine (192.168.10.13) on the office network.

>The only salient differences seem to be that
>1) in the inbound tunnel address is private address on home w2k, and
>2) going through two firewalls instead of one.

Mhhh... at home your source address is in the 192.168.1.0/24 subnet, at 
work it is in the 137.45.x.y subnet
Rick: Yes. 

What about ipsec barf? Not that I am very good at deciphering it, but it 
holds a lot of information.
Rick: I will give that a try & get back to you later.

cheers

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
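The difference Erich points at (private source address at home, public one at work) is exactly what the IKE NAT-D exchange of RFC 3947 is designed to detect. The following is an added example, not code from this thread or from Bering/FreeS/WAN: it models the responder-side NAT-D check so you can see why the home W2k needs NAT-Traversal and the work W2k does not. 192.168.1.3 and 192.168.10.0/24 are taken from the thread; 203.0.113.10 (homefw external), 198.51.100.20 (workfw external) and 198.51.100.50 (work W2k) are constructed placeholders standing in for 216.12.x.y, 137.45.w.z and 137.45.p.q. The "nat_traversal disabled" branch is a simplification: a real responder without NAT-T would never send NAT-D payloads at all.

```python
"""Model of the IKE NAT-D check (RFC 3947) at the responder.

Added example, not part of the leaf-user thread and not FreeS/WAN code.
Addresses marked as placeholders are constructed documentation addresses.
"""
import hashlib
import ipaddress
import os
from dataclasses import dataclass, replace

IKE_PORT = 500
NAT_T_PORT = 4500

HOMEFW_EXT = "203.0.113.10"   # placeholder for 216.12.x.y
WORKFW_EXT = "198.51.100.20"  # placeholder for 137.45.w.z
WORK_W2K = "198.51.100.50"    # placeholder for 137.45.p.q
HOME_W2K = "192.168.1.3"      # from the thread


def nat_d_hash(cookie_i: bytes, cookie_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload, RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 stands in for whatever hash the IKE SA negotiated."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cookie_i + cookie_r + addr + port.to_bytes(2, "big")).digest()


@dataclass(frozen=True)
class IkePacket:
    src: str           # outer source address as seen on the wire
    dst: str
    sport: int
    dport: int
    nat_d_src: bytes   # NAT-D hash the initiator computed over its OWN address/port
    cookie_i: bytes
    cookie_r: bytes


def initiator(src_ip: str, responder_ip: str, cookie_i: bytes, cookie_r: bytes) -> IkePacket:
    """The W2k client builds its NAT-D payload from the address it believes it has."""
    return IkePacket(src=src_ip, dst=responder_ip, sport=IKE_PORT, dport=IKE_PORT,
                     nat_d_src=nat_d_hash(cookie_i, cookie_r, src_ip, IKE_PORT),
                     cookie_i=cookie_i, cookie_r=cookie_r)


def masquerade(pkt: IkePacket, external_ip: str) -> IkePacket:
    """SNAT/MASQ on a Bering/Shorewall box: only the outer header is rewritten.
    The NAT-D payload sits inside the IKE message and is left untouched."""
    return replace(pkt, src=external_ip)


def responder_check(pkt: IkePacket, nat_traversal: bool) -> dict:
    """What workfw concludes from the initiator's NAT-D payload."""
    seen = nat_d_hash(pkt.cookie_i, pkt.cookie_r, pkt.src, pkt.sport)
    nat_detected = seen != pkt.nat_d_src
    if not nat_detected:
        return {"nat_detected": False, "ok": True, "esp_transport": "ESP (IP proto 50)"}
    if nat_traversal:
        return {"nat_detected": True, "ok": True,
                "esp_transport": f"UDP-encapsulated ESP on port {NAT_T_PORT}"}
    return {"nat_detected": True, "ok": False, "esp_transport": None,
            "reason": "NAT in the path but nat_traversal is not enabled on the responder"}


def run_scenarios(nat_traversal: bool = True) -> dict:
    """Both road warriors from the thread, with identical client configs."""
    cookie_i, cookie_r = os.urandom(8), os.urandom(8)  # ISAKMP cookies, constructed
    # Home W2k: private address, masqueraded by homefw on the way out.
    home = masquerade(initiator(HOME_W2K, WORKFW_EXT, cookie_i, cookie_r), HOMEFW_EXT)
    # Work W2k: public address on university.net, no NAT between it and workfw.
    work = initiator(WORK_W2K, WORKFW_EXT, cookie_i, cookie_r)
    return {"home_w2k": responder_check(home, nat_traversal),
            "work_w2k": responder_check(work, nat_traversal)}


if __name__ == "__main__":
    for flag in (True, False):
        print(f"nat_traversal={flag}")
        for name, result in run_scenarios(flag).items():
            print(f"  {name}: {result}")
```

Running it shows the work W2k negotiating plain ESP in both cases, while the home W2k is only usable when the responder has NAT-T enabled and floats to UDP 4500; with `nat_traversal=yes` already set on both Bering boxes, the remaining suspects in the thread are the ESP/UDP 4500 handling on homefw and the inner selectors (192.168.1.3/32 versus the masqueraded address), which `ipsec barf` output would confirm.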




leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html