On 10/14/06, J. Ryan Earl <[EMAIL PROTECTED]> wrote:
Well, I'm trying to route between a 10.2.3.0/24 and 192.168.2.0/24
network... Is that not some part of this functionality? I mean, is
there any reason to not have the kernel support this?
Not the point of my question.
Here's my Cisco crypto map:
Crypto Map "dynaconnections" 5 ipsec-isakmp
Peer = 216.62.203.233
access-list dynaconnections; 1 elements
access-list dynaconnections line 1 permit ip 10.2.3.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=2737218)
Current peer: 216.62.203.233
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): Y
DH group: group5
Transform sets={ ESP-AES-256-SHA, }
Here's my access-list:
access-list dynaconnections line 1 permit ip 10.2.3.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=2737218)
This is my ISAKMP policy:
isakmp key ******** address 216.62.203.233 netmask 255.255.255.255
isakmp identity address
isakmp policy 4 authentication pre-share
isakmp policy 4 encryption aes-256
isakmp policy 4 hash sha
isakmp policy 4 group 5
isakmp policy 4 lifetime 86400
That's the whole configuration on the Cisco side. I'm not really
sure what I would change. This is a network-to-network VPN tunnel.
Perhaps "IPSec NAT Traversal" support is required in the kernel for
this? Is there any way for me to install a test kernel?
Geee, sure wish people had tested IPSec NAT Traversal when we asked
for testers. We got no positive (or negative) feedback and it was
pulled - too late in the release phase to leave it in for long. I
don't know anything about the Cisco side of things, hopefully someone
else can help you get it configured. But NAT-T on the Cisco side
certainly seems to be the source of your problems.
--Bill
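An added example, not code from either poster: it parses the crypto map and ISAKMP policy output quoted above into the Phase 1 and Phase 2 parameters the remote side has to match, converting the dotted netmasks into CIDR networks so the traffic selectors can be checked against the two networks the tunnel is meant to join. The sample text is a constructed copy of the output above, and the function names are my own.

```python
import ipaddress
import re

# Constructed copy of the PIX/ASA output quoted in the thread (not a live capture).
CISCO_OUTPUT = """\
Peer = 216.62.203.233
access-list dynaconnections line 1 permit ip 10.2.3.0 255.255.255.0 192.168.2.0 255.255.255.0
PFS (Y/N): Y
DH group: group5
Transform sets={ ESP-AES-256-SHA, }
isakmp policy 4 authentication pre-share
isakmp policy 4 encryption aes-256
isakmp policy 4 hash sha
isakmp policy 4 group 5
isakmp policy 4 lifetime 86400
"""

# (regex, key, converter) for the single-valued crypto-map lines
FIELDS = [
    (r"Peer = (\S+)", "peer", str),
    (r"PFS \(Y/N\): (\w)", "pfs", lambda v: v == "Y"),
    (r"DH group: group(\d+)", "pfs_group", int),
    (r"Transform sets=\{ ([^,}\s]+)", "transform", str),
]

def parse_cisco_ipsec(text):
    """Extract Phase 1 (isakmp policy) and Phase 2 (crypto map) parameters."""
    info = {"isakmp": {}, "selectors": []}
    for line in text.splitlines():
        for pat, key, conv in FIELDS:
            m = re.match(pat, line)
            if m: info[key] = conv(m.group(1))
        m = re.match(r"access-list \S+ line \d+ permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:  # dotted netmasks become CIDR networks so they compare cleanly
            info["selectors"].append(tuple(ipaddress.ip_network(f"{m.group(i)}/{m.group(i + 1)}")
                                           for i in (1, 3)))
        m = re.match(r"isakmp policy (\d+) (\w+) (\S+)", line)
        if m: info["isakmp"].setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return info

def check_proposal(info, local_net, remote_net):
    """List what the remote side cannot negotiate against as configured."""
    problems = []
    want = (ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net))
    if want not in info["selectors"]:
        problems.append("no access-list entry for %s -> %s" % want)
    if info.get("pfs") and "pfs_group" not in info:
        problems.append("PFS enabled but no DH group set")
    for num, pol in info["isakmp"].items():
        missing = {"authentication", "encryption", "hash", "group"} - set(pol)
        if missing:
            problems.append(f"isakmp policy {num} lacks {sorted(missing)}")
    return problems
```

NAT-T itself does not show up in this output, so a clean result only means the two proposals can agree once the peers can actually exchange UDP-encapsulated ESP.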