Stephen More wrote:
|
| On 11/14/04, *Charles Steinkuehler* <[EMAIL PROTECTED]
| <mailto:[EMAIL PROTECTED]>> wrote:
| - If you're trying to use the Linksys IPSec 'passthrough' mode, you would
| *NOT* use nat_traversal (ie: they're two different solutions to the same
| problem). Specifically, try with nat_traversal=no on the LEAF side, and
| the IPSec Passthrough on the Linksys enabled.
|
| Can you provide a good resource on how to debug/troubleshoot ipsec
| connection problems ?

Debugging IPSec is just a more complex version of standard network
troubleshooting. Start by understanding the protocols involved, and use
appropriate tools to detect problems. Typically, packet sniffers and
visual inspection of runtime configurations (ie: tcpdump, ipsec look,
etc) are some of the main tools I use when debugging IPSec links.

| I am currently trying to troubleshoot why I can connect to a VPN using
| ipsec, but I can not send any traffic to hosts behind the VPN server.
|
| At this point I am not sure if it is an ipsec problem/firewall
| problem/routing problem/NAT-T/pass through or a mixture of all.

This could be caused by routing issues, firewall issues (make sure
you're allowing protocols 50/51 as well as UDP port 500, which sets up
the SA), configuration issues (it can be tricky to understand how IPSec
interacts with standard routing on linux).

Without more to go on, I can't suggest any possible solutions, other
than to crawl through the output of "ipsec look" (and ipsec barf, if
you're feeling brave), then dig out tcpdump and start sniffing traffic
to make sure the expected packets are actually showing up on both ends.

NOTE: Some ISPs actively filter IPSec traffic on 'consumer' or
'residential' service, requiring you to upgrade to a 'business' class
service to use a VPN. In these cases, you can typically use NAT
traversal (which avoids sending the odd-ball protocol 50/51 traffic, and
instead tunnels it through UDP) to get around the problem.

-- 
Charles Steinkuehler
[EMAIL PROTECTED]

------------------------------------------------------------------------
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
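
Added example (not part of the original message and not LEAF project code): one way to turn the "sniff traffic on both ends" advice above into a repeatable check, by sorting `tcpdump -n` lines into IKE (UDP 500), ESP/AH (protocols 50/51) and NAT-T traffic and reporting which directions were seen. The sample capture, the addresses, the function names and the use of UDP 4500 for NAT-T are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed capture in `tcpdump -n` style, taken on the local gateway.
SAMPLE = """\
10:00:00.000001 IP 192.0.2.10.500 > 198.51.100.1.500: isakmp: phase 1 I ident
10:00:00.120000 IP 198.51.100.1.500 > 192.0.2.10.500: isakmp: phase 1 R ident
10:00:05.000000 IP 192.0.2.10 > 198.51.100.1: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
10:00:06.000000 IP 192.0.2.10 > 198.51.100.1: ESP(spi=0x0a1b2c3d,seq=0x2), length 116
""".splitlines()

PKT = re.compile(r"IP (\S+) > (\S+): (.*)")
BOTH = {"in", "out"}

def split_host(addr):
    """'a.b.c.d.port' -> (host, port); ESP/AH lines carry no port."""
    p = addr.split(".")
    return (".".join(p[:4]), int(p[4])) if len(p) == 5 else (addr, None)

def classify(payload, sport, dport):
    if 4500 in (sport, dport):            # NAT-T: IKE and ESP share UDP 4500
        return "esp-udp" if "ESP(" in payload else "ike"
    if 500 in (sport, dport):
        return "ike"                      # SA setup
    if payload.startswith("ESP("):
        return "esp"                      # IP protocol 50
    if payload.startswith("AH("):
        return "ah"                       # IP protocol 51
    return None

def seen_directions(lines, local_ip):
    """Map each traffic kind to the directions seen relative to local_ip."""
    seen = defaultdict(set)
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue
        (src, sport), (dst, dport) = split_host(m.group(1)), split_host(m.group(2))
        kind = classify(m.group(3), sport, dport)
        if kind and local_ip in (src, dst):
            seen[kind].add("out" if src == local_ip else "in")
    return dict(seen)

def diagnose(seen):
    if seen.get("ike") != BOTH:
        return "ike-blocked"    # SA setup traffic is not passing both ways
    data = set().union(*(seen.get(k, set()) for k in ("esp", "ah", "esp-udp")))
    if data == BOTH:
        return "tunnel-ok"      # packets arrive both ways: check routing/firewall
    return "data-one-way" if data else "no-data"  # 50/51 filtered en route?

if __name__ == "__main__":
    print(diagnose(seen_directions(SAMPLE, "192.0.2.10")))
```

Run it against a capture from each end: "data-one-way" or "no-data" with IKE working points at protocol 50/51 being dropped in between, the case where the message suggests NAT traversal.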
