Hi,
ipsec eroute shows the following:
0 192.168.10.0/24 : 0 -> 217.81.76.226/32 : 0 -> [EMAIL PROTECTED]:0
Firewall does install the bidirectional forward rule for the subnet and the roadwarrior.
Greets Torsten
Andreas Steffen <[EMAIL PROTECTED]>
15.08.2003 12:33
To: [EMAIL PROTECTED]  Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>  Subject: Re: [Users] IPsec Routing Problem
Which eroute does the command
ipsec eroute
show?
Does your firewall insert a bidirectional forward rule between your
subnet and the roadwarrior attached to ipsec0?
Regards
Andreas
[EMAIL PROTECTED] wrote:
> Hi all,
>
> I've gone through lots of Mail-Lists, Sites and other stuff now but
> couldn't find any help.
> We have set up a VPN for Road-Warriors to connect to our company network.
> The Road-Warriors may have subnets behind them, but so far we only want
> them to connect to our network directly. So the basic network structure
> would look like this :
>
>
>                                            62.154.216.60/32
> Win XP Client ===== Internet ============= eth1
> 217.81.65.58                               Gateway / FreeSwan
>                                            eth0
>                                            192.168.10.40 ====== Subnet
>                                                                 192.168.10.0/24
>
>
> The connection is established correctly, but we can't ping any node in
> the company network.
> From what I can see with tcpdump (for example when I ping 192.168.10.30
> in our network) the packets go through the gateway to the pinged node and
> also come back on ipsec0 on the gateway, but then they are lost somehow.
> So what I guess atm is that the routing from the gateway back to the
> Win XP Client does not work. What I'm really wondering about is why I
> can't see the ping packets arrive on eth1 on the gateway nor on eth0 when
> they come back from the internal network.
> From what I have understood IPsec packets would arrive as normal packets
> on eth1, be decrypted and passed through to the virtual ipsec interfaces.
> Anyhow, here are my setups :
>
> Windows XP Client ipsec.conf :
>
> conn tbe
>     network=ras
>     auto=start
>     authmode=MD5
>     left=%any
>     leftcert=tbeCert.pem
>     right=62.154.216.60
>     rightsubnet=192.168.10.0/24
>     rightca="C=DE,L=Hamburg,O=SMK-GMBH,CN=SMK-CA"
>     pfs=yes
>     rekey=3600S/50000K
>
>
> Gateway ipsec.conf :
>
>     interfaces="ipsec0=eth1"
>     klipsdebug=all
>     plutodebug=all
>     pluto=yes
>     uniqueids=no
>
> conn %default
>     keyingtries=1
>     disablearrivalcheck=no
>     authby=rsasig
>     rightrsasigkey=%cert
>     auto=add
>     #leftrsasigkey=%cert
>     left=62.154.216.60
>     leftnexthop=62.154.216.57
>     leftupdown=/usr/local/lib/ipsec/_updown_x509
>     leftcert=goldCert.pem
>     leftsubnet=192.168.10.0/24
>     leftid="C=DE, L=Hamburg, O=SMK-GMBH, CN=SMK-GOLD"
>     rekey=yes
>
> conn tbe
>     right=%any
>     rightid="C=DE, L=Hamburg, O=SMK-GMBH, CN=SMK-TBE"
>     left=62.154.216.60
>     leftnexthop=62.154.216.57
>     leftsubnet=192.168.10.0/24
>
>
>
> This is the routing table after the connection has been established :
>
> Kernel IP Routentabelle
> Ziel            Router          Genmask          Flags Metric Ref Use Iface
> 217.81.65.58    62.154.216.57   255.255.255.255  UGH   0      0   0   ipsec0
> 62.154.216.56   0.0.0.0         255.255.255.248  U     0      0   0   eth1
> 62.154.216.56   0.0.0.0         255.255.255.248  U     0      0   0   ipsec0
> 192.168.10.0    0.0.0.0         255.255.255.0    U     0      0   0   eth0
> 10.0.0.0        192.168.10.188  255.0.0.0        UG    0      0   0   eth0
> 127.0.0.0       0.0.0.0         255.0.0.0        U     0      0   0   lo
> 0.0.0.0         62.154.216.57   0.0.0.0          UG    0      0   0   eth1
>
>
> I have not included my Firewall setup as I think that is ok but can post
> it of course.
>
> Many Thanks in advance,
> Torsten Bergeest
>
>
--
=======================================================================
Andreas Steffen e-mail: [EMAIL PROTECTED]
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
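A small diagnostic for the two things Andreas asks Torsten to check (which eroute covers subnet-to-roadwarrior traffic, and whether the kernel route for the roadwarrior points at ipsec0 so the packet enters KLIPS at all), written as an added example that is not part of this thread. The eroute line and routing rows are constructed to match the thread's format; the tunnel id tun0x1002 and the "=>" arrow are assumptions about the exact KLIPS output, so both "->" and "=>" are accepted.

```python
import ipaddress

# Constructed sample in the shape of `ipsec eroute` (not captured from the poster's gateway).
EROUTES = """\
0   192.168.10.0/24:0  -> 217.81.76.226/32:0  => tun0x1002@217.81.76.226:0
"""

# Constructed `route -n` style rows, modelled on the table quoted in the thread.
ROUTES = """\
Destination     Gateway         Genmask          Flags Metric Ref Use Iface
217.81.76.226   62.154.216.57   255.255.255.255  UGH   0      0   0   ipsec0
62.154.216.56   0.0.0.0         255.255.255.248  U     0      0   0   eth1
62.154.216.56   0.0.0.0         255.255.255.248  U     0      0   0   ipsec0
192.168.10.0    0.0.0.0         255.255.255.0    U     0      0   0   eth0
0.0.0.0         62.154.216.57   0.0.0.0          UG    0      0   0   eth1
"""

def parse_eroutes(text):
    """Parse eroute lines 'count src:port -> dst:port => target' into (src, dst, target)."""
    eroutes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[2] != "->" or f[4] not in ("->", "=>"):
            continue
        src, dst = (ipaddress.ip_network(f[i].split(":")[0]) for i in (1, 3))
        eroutes.append((src, dst, f[5]))
    return eroutes

def parse_routes(text):
    """Parse 'dest gateway genmask flags metric ref use iface' rows; skip the header."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        except ValueError:
            continue
        routes.append((net, f[1], f[-1]))
    return routes

def check_return_path(eroutes, routes, src, dst):
    """For a packet src -> dst (subnet host -> roadwarrior): report the eroute that
    covers it and the interface the longest-prefix kernel route hands it to.
    The path is only usable when an eroute matches AND the route goes via ipsec0."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [e for e in eroutes if src in e[0] and dst in e[1]]
    cand = [r for r in routes if dst in r[0]]
    best = max(cand, key=lambda r: r[0].prefixlen) if cand else None
    return {"eroute": matches[0][2] if matches else None,
            "iface": best[2] if best else None,
            "ok": bool(matches) and best is not None and best[2] == "ipsec0"}
```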