I've got some basic tunneling working using ipsec, and I'm trying to make it
a bit more robust. Here's what works:

Machine A:

ike esp from 192.168.1.0/24 to 192.168.9.0/24 peer XX.92.176.37
ike esp from XX.92.176.33 to 192.168.9.0/24 peer XX.92.176.37
ike esp from XX.92.176.33 to XX.92.176.37

Machine B:

ike esp from 192.168.9.0/24 to 192.168.1.0/24 peer XX.92.176.33
ike esp from 192.168.9.0/24 to 192.168.8.0/24 peer XX.92.176.33
ike esp from XX.92.176.37 to XX.92.176.33

Now both machines are in active mode, which seems a bit of an issue, and
machine B has a dynamic IP (with fixed name), so I changed these to:

Machine A:

ike passive esp from 192.168.1.0/24 to 192.168.9.0/24 peer XX.92.176.37
ike passive esp from XX.92.176.33 to 192.168.9.0/24 peer XX.92.176.37
ike passive esp from XX.92.176.33 to XX.92.176.37

Machine B:

ike dynamic esp from 192.168.9.0/24 to 192.168.1.0/24 peer XX.92.176.33
ike dynamic esp from 192.168.9.0/24 to 192.168.8.0/24 peer XX.92.176.33
ike dynamic esp from XX.92.176.37 to XX.92.176.33

But now machine "A" can't ping the interface to the internal net on "B".
"B" CAN ping the internal interface on "A".

The problem seems to be lack of a route on A.

A's routes:

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
XX.92.176.37/32    0     XX.92.176.33/32    0     0     XX.92.176.37/esp/use/in
XX.92.176.33/32    0     XX.92.176.37/32    0     0     XX.92.176.37/esp/require/out
XX.92.176.37/32    0     192.168.1/24       0     0     XX.92.176.37/esp/use/in
192.168.1/24       0     XX.92.176.37/32    0     0     XX.92.176.37/esp/require/out
192.168.9/24       0     192.168.1/24       0     0     XX.92.176.37/esp/use/in
192.168.1/24       0     192.168.9/24       0     0     XX.92.176.37/esp/require/out
XX.92.176.35/32    0     XX.92.176.33/32    0     0     XX.92.176.35/esp/use/in
XX.92.176.33/32    0     XX.92.176.35/32    0     0     XX.92.176.35/esp/require/out
XX.92.176.35/32    0     192.168.1/24       0     0     XX.92.176.35/esp/use/in
192.168.1/24       0     XX.92.176.35/32    0     0     XX.92.176.35/esp/require/out
192.168.8/24       0     192.168.1/24       0     0     XX.92.176.35/esp/use/in
192.168.1/24       0     192.168.8/24       0     0     XX.92.176.35/esp/require/out

And B's routes:

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
XX.92.176.33/32    0     XX.92.176.37/32    0     0     XX.92.176.33/esp/use/in
XX.92.176.37/32    0     XX.92.176.33/32    0     0     XX.92.176.33/esp/require/out
192.168.1/24       0     XX.92.176.37/32    0     0     XX.92.176.33/esp/use/in
XX.92.176.37/32    0     192.168.1/24       0     0     XX.92.176.33/esp/require/out
192.168.1/24       0     192.168.9/24       0     0     XX.92.176.33/esp/use/in
192.168.9/24       0     192.168.1/24       0     0     XX.92.176.33/esp/require/ou

What am I doing wrong here?

-- 
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
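A quick way to see where two peers' flow tables disagree is to compare each side's outbound (require/out) flows against the other side's inbound (use/in) flows: an outbound flow with no mirror on the far end is traffic that will be encapsulated but never accepted. The script below is an added example, not code from the post or from OpenBSD; it assumes the column layout of `netstat -rn -f encap` as shown in the post and tolerates the line wrapping a mail client introduces. The two sample tables are copied from the post (the poster's masked `XX.` addresses kept as-is, and the cut-off final field completed as `out`, which is an assumption).

```python
"""Compare IPsec flow tables from two peers and report outbound flows
that have no matching inbound flow on the other side.

Added example; the sample tables are the ones from the post.
"""

# Machine A's table, as it appeared in the post (one entry per line).
SAMPLE_A = """\
Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
XX.92.176.37/32    0     XX.92.176.33/32    0     0     XX.92.176.37/esp/use/in
XX.92.176.33/32    0     XX.92.176.37/32    0     0     XX.92.176.37/esp/require/out
XX.92.176.37/32    0     192.168.1/24       0     0     XX.92.176.37/esp/use/in
192.168.1/24       0     XX.92.176.37/32    0     0     XX.92.176.37/esp/require/out
192.168.9/24       0     192.168.1/24       0     0     XX.92.176.37/esp/use/in
192.168.1/24       0     192.168.9/24       0     0     XX.92.176.37/esp/require/out
XX.92.176.35/32    0     XX.92.176.33/32    0     0     XX.92.176.35/esp/use/in
XX.92.176.33/32    0     XX.92.176.35/32    0     0     XX.92.176.35/esp/require/out
XX.92.176.35/32    0     192.168.1/24       0     0     XX.92.176.35/esp/use/in
192.168.1/24       0     XX.92.176.35/32    0     0     XX.92.176.35/esp/require/out
192.168.8/24       0     192.168.1/24       0     0     XX.92.176.35/esp/use/in
192.168.1/24       0     192.168.8/24       0     0     XX.92.176.35/esp/require/out
"""

# Machine B's table, kept in the mail-wrapped form from the post (the SA
# field on its own line). The last field was cut off in the post and is
# assumed here to be "out".
SAMPLE_B = """\
Encap:
Source             Port  Destination        Port  Proto
SA(Address/Proto/Type/Direction)
XX.92.176.33/32    0     XX.92.176.37/32    0     0
XX.92.176.33/esp/use/in
XX.92.176.37/32    0     XX.92.176.33/32    0     0
XX.92.176.33/esp/require/out
192.168.1/24       0     XX.92.176.37/32    0     0
XX.92.176.33/esp/use/in
XX.92.176.37/32    0     192.168.1/24       0     0
XX.92.176.33/esp/require/out
192.168.1/24       0     192.168.9/24       0     0
XX.92.176.33/esp/use/in
192.168.9/24       0     192.168.1/24       0     0
XX.92.176.33/esp/require/out
"""


def parse_encap(text):
    """Parse `netstat -rn -f encap` output into a list of flow dicts.

    Every entry has six whitespace-separated fields (src, sport, dst, dport,
    proto, SA). Tokens are collected across lines and grouped in sixes, so a
    table whose SA column was wrapped onto the next line parses the same as
    an unwrapped one.
    """
    tokens = []
    for line in text.splitlines():
        s = line.strip()
        # Skip the "Encap:" banner and the (possibly wrapped) column header.
        if not s or s.startswith(("Encap:", "Source", "SA(")):
            continue
        tokens.extend(s.split())
    if len(tokens) % 6:
        raise ValueError("encap table is not a whole number of 6-field entries")
    flows = []
    for i in range(0, len(tokens), 6):
        src, _sport, dst, _dport, _proto, sa = tokens[i:i + 6]
        peer, _sa_proto, sa_type, direction = sa.split("/")
        flows.append({"src": src, "dst": dst, "peer": peer,
                      "type": sa_type, "dir": direction})
    return flows


def missing_counterparts(local, remote):
    """Return (src, dst, peer) for each outbound flow on `local` that the
    `remote` table has no inbound flow for. Both sides list a flow with the
    same src/dst: "out" on the sender, "in" on the receiver."""
    remote_in = {(f["src"], f["dst"]) for f in remote if f["dir"] == "in"}
    return [(f["src"], f["dst"], f["peer"])
            for f in local
            if f["dir"] == "out" and (f["src"], f["dst"]) not in remote_in]


if __name__ == "__main__":
    a, b = parse_encap(SAMPLE_A), parse_encap(SAMPLE_B)
    for name, gaps in (("A", missing_counterparts(a, b)),
                       ("B", missing_counterparts(b, a))):
        print(f"{name}: {len(gaps)} outbound flow(s) without a peer-side inbound flow")
        for src, dst, peer in gaps:
            print(f"  {src} -> {dst} (via peer {peer})")
```

Run against the two tables in the post, the report lists three flows on A (the `192.168.8/24` flow and the two host flows to peer `XX.92.176.35`) that B has no inbound entry for, while every outbound flow on B has its mirror on A. Comparing tables this way after each `ipsecctl` change is a cheap check that both sides really agree before reaching for tcpdump on the `enc0` interface.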
