Tibbs, Richard wrote:
Here is the ipsec.conf file. If you want a barf, let me know. TIA Rick.
As mentioned, you need a nexthop value...in your case, a rightnexthop setting. This should be set to the default gateway of the leaf box.
Alternatively, you can set right=%defaultroute and the rightnexthop setting (along with the appropriate IP for 'right') will get automatically filled in.
Per the ipsec.conf man page for Dachstein (substitute 'right' for 'left' given your config file):
<quote>
left
(required) the IP address of the left participant's public-network interface, in any form accepted by ipsec_ttoaddr(3). If it is the magic value %defaultroute, and interfaces=%defaultroute is used in the config setup section, left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time); this also overrides any value supplied for leftnexthop. (Either left or right may be %defaultroute, but not both.) The magic value %any signifies an address to be filled in (by automatic keying) during negotiation; the magic value %opportunistic signifies that both left and leftnexthop are to be filled in (by automatic keying) from DNS data for left's client.
leftnexthop
next-hop gateway IP address for the left participant's connection to the public network; defaults to %direct (meaning right). If the value is to be overridden by the left=%defaultroute method (see above), an explicit value must not be given. If that method is not being used, but leftnexthop is %defaultroute, and interfaces=%defaultroute is used in the config setup section, the next-hop gateway address of the default-route interface will be used. The magic value %direct signifies a value to be filled in (by automatic keying) with the peer's address.
</quote>
For the full man page: http://lrp.steinkuehler.net/Packages/man/IPSec1.91/manpage.d/ipsec.conf.5.html
In summary, since you're explicitly setting 'right', but *NOT* setting 'rightnexthop', FreeS/WAN by default assumes the far end of the connection is directly connected to your 'right' interface, which is what's causing your problems (i.e. IPSec traffic not routed through your default gateway).
-- Charles Steinkuehler [EMAIL PROTECTED]
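As an added illustration (not code from the thread, from LEAF or from FreeS/WAN), the following script applies the nexthop rules quoted from the ipsec.conf(5) man page above to a small, constructed ipsec.conf: it parses the 'config setup' and 'conn' sections and reports a conn whose 'left'/'right' is set explicitly while the matching 'leftnexthop'/'rightnexthop' is left to default to %direct, an explicit nexthop combined with %defaultroute, both sides set to %defaultroute, or %defaultroute used without interfaces=%defaultroute. The conn names and addresses in SAMPLE_CONF are made up; the parser handles only the plain key=value layout shown, not 'also=' or 'include'.

```python
"""Lint FreeS/WAN-style ipsec.conf 'conn' sections for next-hop problems.

Added example, not part of the leaf-user thread or of FreeS/WAN.  Rules are the
ones quoted from ipsec.conf(5) above:
  * left/right set explicitly, no leftnexthop/rightnexthop -> defaults to
    %direct (peer assumed directly attached): flag for review
  * left=%defaultroute together with an explicit leftnexthop -> error
  * left and right both %defaultroute -> error
  * %defaultroute used without interfaces=%defaultroute in config setup -> error
"""
import re

# Constructed sample configuration (addresses from the RFC 5737 documentation
# ranges); it is not the original poster's file.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=0

conn leaf-to-office
    left=198.51.100.10
    leftsubnet=10.0.0.0/24
    right=192.0.2.20            # explicit 'right' but no rightnexthop -> %direct
    rightsubnet=10.0.1.0/24
    auto=add

conn leaf-to-office-fixed
    left=198.51.100.10
    leftnexthop=198.51.100.1
    right=192.0.2.20
    rightnexthop=192.0.2.1      # the leaf box's default gateway
    auto=add

conn leaf-to-office-auto
    left=198.51.100.10
    leftnexthop=198.51.100.1
    right=%defaultroute         # right and rightnexthop filled in at IPsec startup
    auto=add
"""


def parse_ipsec_conf(text):
    """Return (setup_params, {conn_name: params}) from ipsec.conf text.

    Section headers ('config setup', 'conn NAME') are unindented; parameters are
    indented key=value lines.  '#' comments and blank lines are ignored and a
    'conn %default' section is merged into every other conn.
    """
    setup, conns = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            m = re.match(r'(config|conn)\s+(\S+)$', line.strip())
            if not m:
                raise ValueError('unrecognised section header: %r' % raw)
            kind, name = m.groups()
            current = setup if kind == 'config' else conns.setdefault(name, {})
            continue
        if current is None:
            raise ValueError('parameter outside any section: %r' % raw)
        key, sep, value = line.strip().partition('=')
        if not sep:
            raise ValueError('expected key=value: %r' % raw)
        current[key.strip()] = value.strip()
    defaults = conns.pop('%default', {})
    return setup, {name: {**defaults, **c} for name, c in conns.items()}


def lint_conn(conn, setup):
    """Return a list of (severity, message) findings for one merged conn."""
    findings = []
    defaultroute_ok = setup.get('interfaces') == '%defaultroute'
    if conn.get('left') == conn.get('right') == '%defaultroute':
        findings.append(('error', 'left and right are both %defaultroute; only one side may be'))
    for side in ('left', 'right'):
        addr = conn.get(side)
        nexthop = conn.get(side + 'nexthop')
        if addr == '%defaultroute':
            if nexthop is not None:
                findings.append(('error', '%s=%%defaultroute overrides %snexthop; '
                                 'an explicit value must not be given' % (side, side)))
            if not defaultroute_ok:
                findings.append(('error', '%s=%%defaultroute needs interfaces=%%defaultroute '
                                 'in config setup' % side))
        elif addr in (None, '%any', '%opportunistic'):
            continue  # filled in by automatic keying; nothing to judge statically
        elif nexthop in (None, '%direct'):
            findings.append(('warn', '%snexthop unset, so it defaults to %%direct: the peer is '
                             'assumed directly connected to %s; set it to the gateway this side '
                             'actually routes through' % (side, side)))
        elif nexthop == '%defaultroute' and not defaultroute_ok:
            findings.append(('error', '%snexthop=%%defaultroute needs interfaces=%%defaultroute '
                             'in config setup' % side))
    return findings


def lint_text(text):
    """Lint every conn in an ipsec.conf string; returns {conn_name: findings}."""
    setup, conns = parse_ipsec_conf(text)
    return {name: lint_conn(conn, setup) for name, conn in conns.items()}


if __name__ == '__main__':
    for name, findings in lint_text(SAMPLE_CONF).items():
        print('conn %s: %s' % (name, 'ok' if not findings else ''))
        for severity, message in findings:
            print('  [%s] %s' % (severity, message))
```

Run against SAMPLE_CONF, the first conn gets a warning for each side (the original poster's situation is the 'right' one), while the conn with both nexthops set and the conn using right=%defaultroute under interfaces=%defaultroute pass cleanly.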
