On Tuesday 12 August 2003 11:37, you wrote:
Yep, it works, everything's OK, it establishes the connection. I tried pinging the gateways from each other, i.e. from the left side I pinged from one gateway to the other one's external IP and got a reply, but if I ping from one gateway to the private IP of the second gw I get no reply. More precisely:

10.0.1.0/24 -> a.b.c.d------x.y.w.z <- 10.0.2.0/24

and the first gw has IP 10.0.1.1 on its subnet and the second has 10.0.2.1 on its subnet. From the first gw: ping x.y.w.z gets a reply, whereas ping 10.0.2.1 gives no reply, and I have ip_forward 1, ipsec auto --route epowe-mail .... still doesn't work, but I gathered from the HOWTO that supposedly it's normal for it not to work :) but ping from 10.0.1.2 (a computer in the first subnet) to 10.0.1.2 (a computer in the second subnet) should work (something I haven't tried since I didn't have the machines). What do you think, is it right?

> On Tuesday 12 August 2003 11:32, Balu Stefan wrote:
> That is, if on host 1 you have
> conn host1-hos2
>         left =10.x.y.z
>         right =10.w.z.t
>         ...
> on host 2 you also put
> conn host1-host2
>         left=10.x.y.z
>         right=1-.w.y.t
>         ...
>
> > On Tuesday 12 August 2003 11:26, you wrote:
> > what do you mean left and right stay the same?
> > i.e. I don't fiddle any more with ipsec showhostkey --left for left and
> > --right for right? or what?
> >
> > > On Tuesday 12 August 2003 10:50, Balu Stefan wrote:
> > > Hi
> > > First of all, which version of ipsec are you using? (1 or 2)
> > > Usually default keys get installed at install time. Try regenerating
> > > them: ipsec newhostkey --bits 1024 > /etc/ipsec.secrets
> > > On both gws you use the same file (left and right stay the same); it
> > > works out by itself how it has to place them.
> > >
> > > Here's an example:
> > >
> > > conn defender-depozit
> > >         # Left security gateway, subnet behind it, next hop toward right.
> > >         left=10.x.y.2
> > >         leftsubnet=192.168.1.0/24
> > >         leftnexthop=10.x.y.1
> > >         # Right security gateway, subnet behind it, next hop toward left.
> > >         right=10.w.z.2
> > >         rightsubnet=192.168.2.0/24
> > >         rightnexthop=10.w.z.1
> > >         # To authorize this connection, but not actually start it, at startup,
> > >         # uncomment this.
> > >         keyingtries=0
> > >         auth=ah
> > >         authby=rsasig
> > >         leftrsasigkey=...
> > >         rightrsasigkey=...
> > >         auto=start
> > >
> > > > I have 2 gateways with internet IPs 1.2.3.4 and 5.6.7.8
> > > > These 2 gws each have a subnet, 10.0.1.0/24 and 10.0.2.0/24;
> > > > between them is the internet, and their default route is a
> > > > gateway of ISP1 and ISP2
> > > >
> > > > All good so far; both are Gentoo Linux, with kernel 2.4.20 with
> > > > ipsec support, and with freeswan installed.
> > > >
> > > > in /etc/ipsec/ipsec.conf we have:
> > > >
> > > > config setup
> > > >         # THIS SETTING MUST BE CORRECT or almost nothing will work;
> > > >         # %defaultroute is okay for most simple cases.
> > > >         interfaces=%defaultroute
> > > >         # Debug-logging controls: "none" for (almost) none, "all" for lots.
> > > >         klipsdebug=none
> > > >         plutodebug=none
> > > >         # Use auto= parameters in conn descriptions to control startup actions.
> > > >         plutoload=%search
> > > >         plutostart=%search
> > > >         # Close down old connection when new one using same ID shows up.
> > > >         uniqueids=yes
> > > >
> > > >
> > > > conn epower-mail
> > > >         # Left security gateway, subnet behind it, next hop toward right.
> > > >         left=192.168.0.1
> > > >         leftsubnet=10.0.0.0/24
> > > >         leftnexthop=%defaultroute
> > > >         [EMAIL PROTECTED]
> > > >         leftrsasigkey=0sAQN5KYwI4w.... (I took the liberty of removing the id)
> > > >         # Right security gateway, subnet behind it, next hop toward left.
> > > >         right=192.168.0.2
> > > >         rightsubnet=10.0.1.0/24
> > > >         rightnexthop=%defaultroute
> > > >         [EMAIL PROTECTED]
> > > >         rightrsasigkey=0sAQPN2eLf9jli/m+h...(I took the liberty of removing the id)
> > > >         auto=add
> > > >
> > > > I generated the keys with ipsec showhostkey --left for left
> > > > and ipsec showhostkey --right for right
> > > > ...so... I run on both:
> > > >
> > > > #ipsec setup start
> > > > #ipsec auto --up epower-mail
> > > >
> > > > and in theory I should see an SA established, or anything...
> > > > but it tells me: retransmission; will wait 20s for response
> > > >
> > > > on the console, it also says no preshared key found for
> > > > @epower.abc.com and @mail.efg.com ...
> > > >
> > > > wtf am I doing wrong?!
> > >
> > > ---
> > > Details about our mailing lists: http://www.lug.ro/

-- 
Stefan, a simple Debian user.
Linux registered user: #272012
[Linux is Friendly. It's just selective about who his friends are.]
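One way to catch the configuration slips this thread circles around (rsasigkey lines in a conn that never sets authby=rsasig, the same host key ending up as both leftrsasigkey and rightrsasigkey, which is worth checking given the advice above to regenerate the default keys, and left/right subnets that collide) before running ipsec auto --up. This is an added Python checker, not part of the thread or of FreeS/WAN; the sample conn, the placeholder key strings and the check rules are my own assumptions, and the parser only handles the indentation-based ipsec.conf layout shown in the quoted configs.

```python
import ipaddress
# Constructed sample in FreeS/WAN's ipsec.conf layout (section headers
# unindented, settings indented); the key strings are placeholders.
SAMPLE_CONF = """\
conn gw1-gw2
        left=192.168.0.1
        leftsubnet=10.0.1.0/24
        leftrsasigkey=0sAQPLACEHOLDER
        right=192.168.0.2
        rightsubnet=10.0.1.0/24
        rightrsasigkey=0sAQPLACEHOLDER
        auto=add
"""

def parse_ipsec_conf(text):
    """Return {section header: {key: value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented: 'config setup' or 'conn NAME'
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_conn(conn):
    """Return a list of findings for one conn section; empty means clean."""
    findings = []
    keys = {side: conn.get(side + "rsasigkey") for side in ("left", "right")}
    if any(keys.values()) and conn.get("authby") != "rsasig":
        findings.append("rsasigkey lines present but authby is not rsasig")
    if keys["left"] and keys["left"] == keys["right"]:
        findings.append("leftrsasigkey equals rightrsasigkey (one host key on both sides)")
    try:
        ls = ipaddress.ip_network(conn["leftsubnet"])
        rs = ipaddress.ip_network(conn["rightsubnet"])
        if ls.overlaps(rs):
            findings.append(f"leftsubnet {ls} overlaps rightsubnet {rs}")
    except (KeyError, ValueError) as exc:
        findings.append(f"subnet missing or invalid: {exc!r}")
    return findings

def check_file(text):
    """Map each 'conn NAME' section of an ipsec.conf text to its findings."""
    return {n: check_conn(s) for n, s in parse_ipsec_conf(text).items() if n.startswith("conn ")}
```

Run check_file over the real /etc/ipsec.conf contents on each gateway; the sample above deliberately trips all three checks.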
