
RE: [Users] IKE source port other than 500

From: Roland Gafner (Roland.Gafner_at_celeris.ch)
Date: Thu Mar 14 2002 - 08:55:15 CET


Hello Andreas,

thanks for replying.

>In the case of NAT you must declare the inner IP address
>explicitly
>
> left=%any
> leftsubnet=<inner IP address>/32

I just added "leftsubnet=my.int.ip.addr/32" to my gateway's ipsec.conf, so it looks like this:

conn %default
        keyingtries=1
        #disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        right=217.162.69.72
        rightsubnet=192.168.0.0/24
        rightid="C=CH,ST=Zurich,O=Roland Gafner,OU=fw02,CN=Roland Gafner,Email=roland.gafner_at_gmx.net"

conn notebook_client_behind_masq_firewall
        left=%any
        leftsubnet=my.int.ip.addr/32
        auto=add

With my.int.ip.addr being the internal ip of the client.
Maybe I still have something wrong, because I still get this log entry:

ignoring Vendor ID payload
initial Main Mode message received on 217.162.69.72:500 but no connection has been authorized
ignoring Delete SA payload

And when sniffing on the FreeS/WAN gateway's external address I see the IKE requests coming from:

masq.firewall.ip.address:any_port======>217.162.69.72:500

With masq.firewall.ip.address being the external IP of our masquerading firewall.
But I don't see any replies back from the gateway to the masq_firewall, just the log entries.

Any Ideas would be very much appreciated.

brgds
Roland
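The post above describes the two things you can see when a client sits behind a masquerading firewall: the sniffer shows IKE arriving from a source port other than 500, and Pluto logs "ignoring Vendor ID payload" followed by "no connection has been authorized". The following is an added example, not code from the post or from FreeS/WAN, that decodes such a datagram the way you would when reading the sniffer output next to Pluto's log: it parses the ISAKMP header and payload chain (RFC 2408) and flags a Main Mode first message whose UDP source port was rewritten by NAT. That port rewrite is the detail to check, because Pluto in FreeS/WAN of that era sends from and expects UDP 500 at both ends unless the separate NAT Traversal patch is applied. The packets and the 192.0.2.10 client address are constructed for the example; the other IP placeholders are the ones used in the post.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ISAKMP header (RFC 2408, section 3.1), 28 bytes on the wire:
# initiator cookie (8), responder cookie (8), next payload (1), version (1),
# exchange type (1), flags (1), message ID (4), total length (4).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header (RFC 2408, section 3.2): next payload (1), reserved (1), length (2).
PAYLOAD_HDR = struct.Struct("!BBH")
IKE_PORT = 500          # UDP port IKEv1 uses; FreeS/WAN without NAT-T expects it at both ends
ZERO_COOKIE = bytes(8)  # responder cookie is all zeros in the very first Main Mode message
ISAKMP_V1 = 0x10        # major 1, minor 0

EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {1: "SA", 5: "ID", 12: "Delete", 13: "Vendor ID"}


@dataclass
class Datagram:
    """One captured UDP datagram, as a sniffer on the gateway's outside interface shows it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    data: bytes


def build_isakmp(icookie: bytes, rcookie: bytes, exchange_type: int,
                 payloads: List[Tuple[int, bytes]], msg_id: int = 0) -> bytes:
    """Assemble an ISAKMP message; payloads is a list of (type, body) chained in order."""
    body = b""
    for i, (_, pbody) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += PAYLOAD_HDR.pack(next_type, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, first, ISAKMP_V1, exchange_type, 0, msg_id, length) + body


def parse_isakmp(data: bytes) -> Dict:
    """Decode the header and walk the payload chain, refusing truncated or inconsistent lengths."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, ptype, ver, xchg, _flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("ISAKMP length %d does not match datagram length %d" % (length, len(data)))
    payloads = []
    off = ISAKMP_HDR.size
    while ptype != 0:
        if off + PAYLOAD_HDR.size > len(data):
            raise ValueError("truncated payload chain")
        next_type, _reserved, plen = PAYLOAD_HDR.unpack_from(data, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append(PAYLOAD_TYPES.get(ptype, "type %d" % ptype))
        ptype, off = next_type, off + plen
    return {"icookie": icookie, "rcookie": rcookie, "version": (ver >> 4, ver & 0xF),
            "exchange": EXCHANGE_TYPES.get(xchg, "type %d" % xchg),
            "msg_id": msg_id, "payloads": payloads}


def classify(d: Datagram) -> Dict:
    """Label a datagram the way you would when reading sniffer output next to Pluto's log."""
    hdr = parse_isakmp(d.data)
    initial = (hdr["exchange"] == "Main Mode" and hdr["rcookie"] == ZERO_COOKIE
               and hdr["msg_id"] == 0)
    return {
        "exchange": hdr["exchange"],
        "payloads": hdr["payloads"],
        "initial_main_mode": initial,
        "src_port": d.src_port,
        # A source port other than 500 means the masquerading firewall rewrote it; an IKE
        # stack without NAT Traversal will not treat such a sender as a normal port-500 peer.
        "nat_rewrote_port": d.src_port != IKE_PORT,
    }


# Constructed samples (not real captures). The IP placeholders follow the post above;
# 192.0.2.10 is an RFC 5737 documentation address standing in for a client with no NAT.
GW = "217.162.69.72"
SAMPLE_MASQ = Datagram("masq.firewall.ip.address", 1027, GW, 500,
                       build_isakmp(b"\x11" * 8, ZERO_COOKIE, 2,
                                    [(1, b"\x00\x00\x00\x01"), (13, b"vendor-id-sample")]))
SAMPLE_DIRECT = Datagram("192.0.2.10", 500, GW, 500,
                         build_isakmp(b"\x22" * 8, ZERO_COOKIE, 2, [(1, b"\x00\x00\x00\x01")]))
SAMPLE_DELETE = Datagram("masq.firewall.ip.address", 1027, GW, 500,
                         build_isakmp(b"\x11" * 8, b"\x33" * 8, 5, [(12, b"\x00\x00\x00\x01")],
                                      msg_id=0x5A5A5A5A))

if __name__ == "__main__":
    for name, dg in (("masqueraded", SAMPLE_MASQ), ("direct", SAMPLE_DIRECT), ("delete", SAMPLE_DELETE)):
        print(name, classify(dg))
```

The first sample reproduces the situation in the post: a Main Mode first message (responder cookie zero, message ID zero) carrying SA and Vendor ID payloads, arriving from port 1027 instead of 500. The second shows the same message from a client that is not masqueraded, and the third an Informational exchange carrying a Delete payload, which is what Pluto reports as "ignoring Delete SA payload".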

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:42 CEST