RW wrote:
> I have a simple setup.
> Sydney to Melbourne and the ipsec.conf is one of the nice easy ones
> whilst I learn to do more complex setups. It has been working for
> months.
>
> Today doing "ipsecctl -s all" at either end generates the expected
> output. Each is a mirror of the other.
>
> netstat -rnf encap shows expected output at both ends. Again mirrors of
> the other.
>
> However sshing into each and doing a traceroute to t'other end gives
> madly asymmetric results.
>
> With the distant gateway as the target Syd gets to Mel in one hop, as
> expected.
> Mel gets to Syd going out the $ext_if rather than the encap. As the
> LANs are RFC1918s Mel cannot get to Syd but Syd can get to Mel.
>
>

i wouldn't expect you to have a route not set on the isakmpd endpoints,
but i have a "route add <remote net> <internal private IP>" in the
hostname.if files for the internal interfaces on both endpoints. that's
the only thing i can think of that would work for a while (manually
added routes) and then stop working after, say, a reboot of one endpoint.

cheers,
jake


> Killing (desperation set in) isakmpd and restarting both ends did
> nothing to change the situation.
>
> What kind of diagnostics can I use to debug this? Extra points for a
> correct guess as to the cause all this time after installation.
>
> Thanks,
> Rod.
>
> From the land "down under": Australia.
> Do we look <umop apisdn> from up over?
