Tom Hendrickx wrote:
| Here's my very easy test-setup:
|
|                       192.168.2.1/30
|                       ---------------
|   | Private |         |             |          |                |
|   | subnet  |----     |   LEAFSys   |   ----   | Roadwarrior pc |
|   |         |         |             |          |                |
|                       ---------------
|   192.168.1.254              |- 192.168.2.2/30
|   192.168.1.0/24
|
| leaf = left
| pc = right
|
| new ipsec settings which are the same on both:
|
| conn road
|     left=192.168.2.1
|     leftsubnet=192.168.1.0/24
|     leftnexthop=192.168.2.2
|     [EMAIL PROTECTED]
|     leftcert=firewall.pem
|     right=192.168.2.2
|     rightsubnet=192.168.2.2/32
|     rightnexthop=192.168.2.1
|     [EMAIL PROTECTED]
|     rightcert=client.pem
|     auto=start (=add at the leafsystem)
|
| to make ipsec work however I had to give in a default route, otherwise
| it wouldn't start .. So I've put on both as default route the direct
| interface pointing to each other (eth0 both)
| and only then "/etc/init.d/ipsec start" works on the leaf system the
| ipsec is now ok I guess:
| ip address show:
| ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
|     link/ether 00:10:f3:06:4c:51 brd ff:ff:ff:ff:ff:ff
|     inet 192.168.2.1/30 brd 192.168.2.3 scope global ipsec0
Hmm...it's been quite a while since I used *swan, but IIRC you don't want to have a rightsubnet defined for your roadwarrior, and I'm pretty sure if you *DO* have a rightsubnet setting it should be for a network behind the roadwarrior, and *NOT* the roadwarrior's upstream network.

You might want to use something like:

    right=%defaultroute

to avoid having to specify an IP address and next-hop on the roadwarrior (which will likely be on DHCP, so the values would be changing all the time).

Also, configuring shorewall for IPSec traffic can be tricky, and could be why things seem to be hanging (timeouts can be very long...monitor traffic with tcpdump or similar to verify you don't have firewall rules causing problems). You might want to disable all firewall rules until you get a connection going, then run shorewall and you'll know if things break you have to fix firewall rules, not IPSec connections.

--
Charles Steinkuehler
[EMAIL PROTECTED]
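The two changes suggested in the reply (drop the rightsubnet for the roadwarrior, let the roadwarrior take its address and next-hop from its default route), written out as a pair of ipsec.conf stanzas. This is an added example, not Charles's or Tom's configuration and not taken from any LEAF package: the addresses, cert file names and subnet come from Tom's post; the leftid/rightid values are placeholders standing in for the redacted identities, and `right=%any` on the gateway side is an assumption about how the gateway should accept a roadwarrior whose address is not fixed.

```ini
# Added example (not from the list message): roadwarrior conn for
# FreeS/WAN-style ipsec.conf, one stanza per host.

# --- ipsec.conf on the LEAF gateway (192.168.2.1) ---
conn road
    left=192.168.2.1
    leftsubnet=192.168.1.0/24       # the private subnet behind the gateway
    leftnexthop=192.168.2.2         # from the posted test setup (directly connected)
    leftid=@leaf.placeholder        # PLACEHOLDER: must match what firewall.pem identifies
    leftcert=firewall.pem
    right=%any                      # assumption: accept the roadwarrior from any address
    rightid=@client.placeholder     # PLACEHOLDER: must match what client.pem identifies
    # no rightsubnet: the roadwarrior has no network behind it
    auto=add                        # gateway only listens; the roadwarrior initiates

# --- ipsec.conf on the roadwarrior PC ---
conn road
    left=192.168.2.1
    leftsubnet=192.168.1.0/24
    leftnexthop=192.168.2.2         # from the posted test setup (directly connected)
    leftid=@leaf.placeholder        # PLACEHOLDER, same value as on the gateway
    right=%defaultroute             # address and next-hop taken from the PC's default route
    rightid=@client.placeholder     # PLACEHOLDER, same value as on the gateway
    rightcert=client.pem
    # no rightsubnet and no rightnexthop: %defaultroute supplies the next-hop
    auto=start                      # the roadwarrior brings the tunnel up
```

To check the firewall is not the problem while testing, clear the shorewall rules first (`shorewall clear` opens the firewall completely; it is not mentioned on the page, so restore the ruleset afterwards) and watch the gateway's outside interface with `tcpdump -n -i eth0 'udp port 500 or proto 50'`: IKE negotiation shows up as UDP 500 in both directions, and a working tunnel as ESP (IP protocol 50). If UDP 500 arrives but nothing is ever sent back, the problem is on the gateway's IPsec or firewall side rather than in the conn definition.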