ipsec eroute show?
Does your firewall insert a bidirectional forward rule between your subnet and the roadwarrior attached to ipsec0?
Regards
Andreas
[EMAIL PROTECTED] wrote:
Hi all,
I've gone through lots of mailing lists, sites and other stuff now but couldn't find any help.
We have set up a VPN for road warriors to connect to our company network. The
road warriors may have subnets behind them, but so far we only want them to connect
to our network directly. So the basic network structure would look like this:

Win XP Client  =====  Internet  =====  eth1 62.154.216.60/32
217.81.65.58                           Gateway / FreeSwan
                                       eth0 192.168.10.40  ======  Subnet 192.168.10.0/24
The connection is established correctly, but we can't ping any node in the company network.
From what I can see with tcpdump (for example when I ping 192.168.10.30 in our network) the
packets go through the gateway to the pinged node and also come back on ipsec0 on the
gateway, but then they are lost somehow. So what I guess at the moment is that the routing from the gateway
back to the Win XP client does not work. What I'm really wondering about is why I can't see the
ping packets arrive on eth1 on the gateway nor on eth0 when they come back from the internal network.
From what I have understood, IPsec packets would arrive as normal packets on eth1, be decrypted
and passed through to the virtual ipsec interfaces.
Anyhow, here are my setups:
Windows XP Client ipsec.conf:
conn tbe
    network=ras
    auto=start
    authmode=MD5
    left=%any
    leftcert=tbeCert.pem
    right=62.154.216.60
    rightsubnet=192.168.10.0/24
    rightca="C=DE,L=Hamburg,O=SMK-GMBH,CN=SMK-CA"
    pfs=yes
    rekey=3600S/50000K
Gateway ipsec.conf:
# section header restored: these are "config setup" parameters, not conn parameters
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=all
    plutodebug=all
    pluto=yes
    uniqueids=no

conn %default
    keyingtries=1
    disablearrivalcheck=no
    authby=rsasig
    rightrsasigkey=%cert
    auto=add
    #leftrsasigkey=%cert
    left=62.154.216.60
    leftnexthop=62.154.216.57
    leftupdown=/usr/local/lib/ipsec/_updown_x509
    leftcert=goldCert.pem
    leftsubnet=192.168.10.0/24
    leftid="C=DE, L=Hamburg, O=SMK-GMBH, CN=SMK-GOLD"
    rekey=yes

conn tbe
    right=%any
    rightid="C=DE, L=Hamburg, O=SMK-GMBH, CN=SMK-TBE"
    left=62.154.216.60
    leftnexthop=62.154.216.57
    leftsubnet=192.168.10.0/24
This is the routing table after the connection has been established:
Kernel IP Routentabelle
Ziel             Router           Genmask          Flags Metric Ref Use Iface
217.81.65.58     62.154.216.57    255.255.255.255  UGH   0      0   0   ipsec0
62.154.216.56    0.0.0.0          255.255.255.248  U     0      0   0   eth1
62.154.216.56    0.0.0.0          255.255.255.248  U     0      0   0   ipsec0
192.168.10.0     0.0.0.0          255.255.255.0    U     0      0   0   eth0
10.0.0.0         192.168.10.188   255.0.0.0        UG    0      0   0   eth0
127.0.0.0        0.0.0.0          255.0.0.0        U     0      0   0   lo
0.0.0.0          62.154.216.57    0.0.0.0          UG    0      0   0   eth1
I have not included my firewall setup as I think that is OK, but I can post it of course.
Many Thanks in advance, Torsten Bergeest
--
=======================================================================
Andreas Steffen                         e-mail: [EMAIL PROTECTED]
strongSec GmbH                          home:   http://www.strongsec.com
Alter Zürichweg 20                      phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)         fax:    +41 1 730 80 65
==========================================[strong internet security]===
_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
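The two checks suggested in the reply above (does an eroute exist for the roadwarrior, and does the firewall forward in both directions between ipsec0 and the LAN) can be scripted. The following is an added example written for this thread, not code from either poster or from FreeS/WAN. It assumes that `ipsec eroute` prints one line per outbound eroute in the form "<packets> <src> -> <dst> => <SA>" (a `%trap`, `%hold` or `%pass` entry is a pseudo-SA, not a tunnel), and the sample output, the interface names eth0/ipsec0 and the iptables syntax are constructed assumptions using the addresses from the thread. The forward rules it derives are deliberately scoped to the single roadwarrior address and the single LAN subnet rather than a blanket ipsec0 <-> eth0 accept, so a client that negotiates a tunnel gains access to nothing beyond the configured subnet.

```python
"""Check FreeS/WAN outbound eroutes and derive narrowly scoped FORWARD rules.

Added example for the thread, not the posters' or FreeS/WAN's code.
Assumption: `ipsec eroute` output format is "<packets> <src> -> <dst> => <SA>".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output (not captured from the poster's gateway), using the
# addresses from the thread: the catch-all %trap entry plus one tunnel eroute
# from the LAN subnet towards the roadwarrior.
SAMPLE_EROUTE = """\
0          0.0.0.0/0          -> 0.0.0.0/0          => %trap
12         192.168.10.0/24    -> 217.81.65.58/32    => tun0x1002@217.81.65.58
"""

EROUTE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+)\s*$")


@dataclass
class Eroute:
    packets: int                    # packets that used this eroute so far
    src: ipaddress.IPv4Network      # local selector
    dst: ipaddress.IPv4Network      # remote selector
    said: str                       # SA id, e.g. tun0x1002@217.81.65.58, or %trap/%hold/%pass


def parse_eroutes(text: str) -> List[Eroute]:
    """Parse `ipsec eroute` text; lines that do not match the format are skipped."""
    routes = []
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if not m:
            continue
        routes.append(Eroute(int(m.group(1)),
                             ipaddress.ip_network(m.group(2)),
                             ipaddress.ip_network(m.group(3)),
                             m.group(4)))
    return routes


def find_tunnel(routes: List[Eroute], src, dst) -> Optional[Eroute]:
    """Most specific tunnel eroute whose selectors cover src -> dst, or None.

    %trap/%hold/%pass entries are not tunnels: traffic matching only those is
    not going to be encrypted, so they never count as a hit here.
    """
    src = ipaddress.ip_network(src)
    dst = ipaddress.ip_network(dst)
    best = None
    for r in routes:
        if not r.said.startswith("tun"):
            continue
        if src.subnet_of(r.src) and dst.subnet_of(r.dst):
            if best is None or (r.src.prefixlen + r.dst.prefixlen) > (best.src.prefixlen + best.dst.prefixlen):
                best = r
    return best


def forward_rules(subnet, roadwarrior, lan_if="eth0", ipsec_if="ipsec0") -> List[str]:
    """The minimal bidirectional FORWARD pair, scoped to one roadwarrior and one
    LAN subnet (interface names and iptables syntax are assumptions)."""
    subnet = ipaddress.ip_network(subnet)
    rw = ipaddress.ip_network(roadwarrior)   # a bare address becomes a /32
    return [
        f"iptables -A FORWARD -i {ipsec_if} -o {lan_if} -s {rw} -d {subnet} -j ACCEPT",
        f"iptables -A FORWARD -i {lan_if} -o {ipsec_if} -s {subnet} -d {rw} -j ACCEPT",
    ]


def diagnose(eroute_text: str, subnet, roadwarrior) -> dict:
    """Summarise whether the return path LAN -> roadwarrior has a tunnel eroute,
    how many packets have used it, and which FORWARD rules the firewall needs."""
    routes = parse_eroutes(eroute_text)
    out = find_tunnel(routes, subnet, roadwarrior)
    return {
        "eroute_present": out is not None,
        "said": out.said if out else None,
        "packets_out": out.packets if out else 0,
        "forward_rules": forward_rules(subnet, roadwarrior),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_EROUTE, "192.168.10.0/24", "217.81.65.58/32").items():
        print(key, value)
```

On a real gateway the text would come from `ipsec eroute` and `packets_out` would be compared before and after a ping from the LAN: a counter that stays at zero while replies are visible on ipsec0 points at the firewall (no matching FORWARD rule for the return direction) rather than at the eroute itself.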