Dizzy wrote:
Hi
I'm trying to move a freeswan on 2.4.x to an openswan on 2.6.x (Debian on both).
Copied the configuration, edited it minimally because it wanted "version 2.0" and dropped some
"plutoload" stuff, and in principle it's something like this:
[local-LAN 10.0.1.0/24] <-> [VPN/NAT gw 10.0.1.1/my-ext-IP] <-> (internet) <->
[VPN endpoint their-ext-IP]
conn 10.0.1.0_10.0.0.0
    also=default
    leftsubnet=10.0.0.0/8
    rightsubnet=10.0.0.0/24
    auto=start

conn default
    right=<my-ext-IP>
    rightnexthop=<my-ext-gw>
    rightrsasigkey=%cert
    leftrsasigkey=%cert
    left=<their-ext-IP>
    authby=secret
    type=tunnel
    compress=yes
    pfs=yes
    auth=esp
    ike=3des-md5
    esp=3des-md5
Something very odd happens the moment "conn 10.0.1.0_10.0.0.0" from ipsec.conf
is activated: packets originating on the local VPN machine (local IP 10.0.1.1)
towards any local IP directly connected to it (10.0.1.x) are apparently (according
to tcpdump) sent out the external interface instead of the internal one (and
obviously never reach the destination machines).
The routes are OK both according to "route -nC | grep <dest-ip>" and to "ip
route get <dest-ip>", and show that it should have been sent via the internal
interface, but somehow the ipsec code in the kernel changes the routing in a
completely non-transparent way.
Any ideas?
Check that you haven't swapped left/leftnetwork and right/rightnetwork. Been
there, done that :)
--
Quote from the Boss: "Teamwork is a lot of people doing what I say."
(Marketing executive, Citrix Corporation)
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug
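Added example for this thread (not code from the original post, from Openswan or from FreeS/WAN): a small Python checker that parses an ipsec.conf with `also=` includes, works out which side of each `conn` is the local gateway from its external address, and flags any loaded conn whose remote-side selector overlaps the local LAN. In the posted config the remote `leftsubnet=10.0.0.0/8` contains the LAN 10.0.1.0/24 shown in the diagram; that this is what bit here is an assumption, but it is the kind of selector overlap that produces exactly the reported symptom on a NETKEY (native xfrm) kernel: the outbound IPsec policy is matched after the route lookup, so `ip route get` still names the internal interface while the packet is encapsulated and sent towards the peer. The sample configuration, the addresses 198.51.100.10 / 198.51.100.1 / 203.0.113.5 and the LAN 10.0.1.0/24 are constructed stand-ins, and `parse_conns`, `selectors` and `find_swallowed_lans` are names chosen here.

```python
"""Flag ipsec.conf tunnels whose remote selector swallows the local LAN.

Added example, not code from the original post or from Openswan/FreeS/WAN.
Assumptions: a minimal ipsec.conf grammar (conn sections, indented key=value
lines, `also=` includes), and that the side whose left=/right= address equals
the gateway's own external IP is the local side of the tunnel.
"""
import ipaddress
import re

# Constructed sample mirroring the posted layout: the gateway is `right`
# (its own external IP 198.51.100.10), the peer is `left` (203.0.113.5),
# and the remote selector is a /8 that contains the local LAN 10.0.1.0/24.
SAMPLE_CONF = """\
version 2.0

conn 10.0.1.0_10.0.0.0
    also=default
    leftsubnet=10.0.0.0/8
    rightsubnet=10.0.1.0/24
    auto=start

conn default
    right=198.51.100.10
    rightnexthop=198.51.100.1
    left=203.0.113.5
    authby=secret
    type=tunnel
    pfs=yes
    auth=esp
    ike=3des-md5
    esp=3des-md5
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} with `also=` references flattened."""
    raw = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = header.group(1)
            raw[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # the version header and config/setup lines are ignored
        key, _, value = line.strip().partition("=")
        raw[current][key.strip()] = value.strip()

    def resolve(name, seen=()):
        if name in seen:
            raise ValueError("also= loop through conn %s" % name)
        section = raw[name]
        merged = {}
        if "also" in section:  # the included conn only supplies defaults
            merged.update(resolve(section["also"], seen + (name,)))
        merged.update({k: v for k, v in section.items() if k != "also"})
        return merged

    return {name: resolve(name) for name in raw}


def selectors(conn, my_ext_ip):
    """Return (local_net, remote_net) for a resolved conn, seen from this gateway."""
    if conn.get("right") == my_ext_ip:
        local, remote = "right", "left"
    elif conn.get("left") == my_ext_ip:
        local, remote = "left", "right"
    else:
        raise ValueError("neither left= nor right= is this gateway's address")

    def net(side):
        # A side without <side>subnet= is a host-only selector for its own address.
        return ipaddress.ip_network(conn.get(side + "subnet", conn[side] + "/32"))

    return net(local), net(remote)


def find_swallowed_lans(text, my_ext_ip, local_lan):
    """Return names of loaded conns whose remote selector overlaps local_lan.

    Traffic from the local selector to such a remote selector matches the
    tunnel's outbound policy and is encapsulated towards the peer, whatever
    route `ip route get` reports for the inner destination.
    """
    lan = ipaddress.ip_network(local_lan)
    hits = []
    for name, conn in parse_conns(text).items():
        if conn.get("auto", "ignore") == "ignore":
            continue  # templates such as `conn default` are never loaded
        _, remote_net = selectors(conn, my_ext_ip)
        if remote_net.overlaps(lan):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for name in find_swallowed_lans(SAMPLE_CONF, "198.51.100.10", "10.0.1.0/24"):
        print("conn %s: remote selector covers the local LAN" % name)
```

On the live box the installed selectors are listed by `ip xfrm policy show` (or `ipsec eroute` on a KLIPS kernel); that is the lookup `ip route get` does not perform, which is why the routing table can look correct while the packets leave on the external interface.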