I don't have the answer but I'll ask two questions to try to point you
in a direction. How do the packets get from your Road Warriors to the
Free S/WAN gateway? Assuming they make it to the gateway and are then
forwarded on to the target, how does the target know to send the reply
packets to the Free S/WAN gateway rather than the default router?
- John

On Wed, 2002-04-24 at 04:01, Gerhard Hofmann wrote:
> Hi list,
>
> we want to use Free S/WAN (with X.509 patches) to allow roadwarriors
> connecting to our corporate LAN. The roadwarrior notebooks use the ipsec
> tools provided at vpn.ebootis.de
>
> It seems that a roadwarrior can establish a tunnel to the VPN gateway,
> excerpt from /var/log/messages:
> Apr 24 09:19:57 slinux1 Pluto[6559]: | instantiated "roadwarrior" for
> 62.246.11.140
> Apr 24 09:19:57 slinux1 Pluto[6559]: | creating state object #1 at 0x80a4908
> Apr 24 09:19:57 slinux1 Pluto[6559]: | ICOOKIE: 62 18 37 80 48 ad 1f 70
> Apr 24 09:19:57 slinux1 Pluto[6559]: | RCOOKIE: 45 fb 5c 0c 6e 1c 9d 45
> Apr 24 09:19:57 slinux1 Pluto[6559]: | peer: 3e f6 0b 8c
> Apr 24 09:19:57 slinux1 Pluto[6559]: | state hash entry 0
> Apr 24 09:19:57 slinux1 Pluto[6559]: | inserting event EVENT_SO_DISCARD,
> timeout in 0 seconds for #1
> Apr 24 09:19:57 slinux1 Pluto[6559]: "roadwarrior" 62.246.11.140 #1:
> responding to Main Mode from unknown peer 62.246.11.140
>
> I hope I interpret these messages correctly.
>
>
> Our problem: the roadwarrior can't ping machines on our LAN.
>
> Our LAN looks like this:
>
>
> Internet
> |
> Internet Router (public IP 213.83.5.2 / private IP 192.168.1.97)
> |
> Freeswan Gateway (192.168.1.18)
> |
> some Windows machines (192.168.1.x)
>
>
> The freeswan gateway has only one network card, like all other machines in
> our LAN except for the Internet Router. Could this be the problem? Is it
> necessary for the VPN gateway to have two network cards?
> IP forwarding is enabled in the rc.config file of the freeswan gateway, I am
> not sure if that does make sense with only one network card.
>
> The internal IP 192.168.1.97 of the internet router has been configured as
> default gateway on all our machines, including the freeswan gateway.
>
> Maybe I must add something to /etc/route.conf file on the freeswan gateway?
>
> Any help would be highly appreciated.
> ipsec.conf files of gateway and roadwarrior and /var/log/messages are
> attached.
>
> By the way:
> are there any other (intermediate) debugging levels besides "all" and
> "none"? The messages file becomes very huge, but I don't want to turn off
> debugging completely.
>
>
> TIA
> Gerhard Hofmann
>
>
>
> Gerhard Hofmann
> Planat GmbH
> Tel. 0711-16756-26
> Fax 0711-16756-99
> gerhard.hofmann_at_planat.de
>
--
John A. Sullivan III
Group Technology Director
Nexus Management
+1 207-985-7880
John.Sullivan_at_nexusmgmt.com

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
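
The reply path that the second question above asks about, as an added example that is not part of the original thread: a longest-prefix-match lookup over a LAN host's routing table, using the addresses from the post. It assumes a /24 netmask for 192.168.1.x and that the road warrior appears on the LAN with its public source address 62.246.11.140; the host route in the second table is hypothetical and shown only to illustrate how the lookup result changes.

```python
import ipaddress

# Addresses taken from the post; the /24 netmask is an assumption.
ROUTER = "192.168.1.97"        # default gateway configured on every LAN machine
VPN_GATEWAY = "192.168.1.18"   # one-armed Free S/WAN gateway
ROADWARRIOR = "62.246.11.140"  # peer address from the Pluto log

# (prefix, via) pairs; via=None means the prefix is directly connected.
LAN_HOST = [
    ("192.168.1.0/24", None),
    ("0.0.0.0/0", ROUTER),
]

# Hypothetical variant: the same host with a host route to the peer
# pointing at the VPN gateway.
LAN_HOST_WITH_ROUTE = LAN_HOST + [(ROADWARRIOR + "/32", VPN_GATEWAY)]


def next_hop(routes, dst):
    """Return the next-hop IP a host would use for dst (longest prefix wins)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        raise LookupError(f"no route to {dst}")
    # On-link destinations are delivered directly, so the next hop is dst itself.
    return best[1] if best[1] is not None else str(addr)


def reply_returns_via_gateway(routes, peer=ROADWARRIOR, gateway=VPN_GATEWAY):
    """True if a reply to the tunnel peer is handed back to the VPN gateway."""
    return next_hop(routes, peer) == gateway


if __name__ == "__main__":
    for name, table in (("as posted", LAN_HOST),
                        ("with host route", LAN_HOST_WITH_ROUTE)):
        hop = next_hop(table, ROADWARRIOR)
        ok = reply_returns_via_gateway(table)
        print(f"{name}: reply to {ROADWARRIOR} -> next hop {hop}, "
              f"re-enters tunnel: {ok}")
```

With the table as posted, the reply leaves through 192.168.1.97 and never reaches the Free S/WAN gateway, so it cannot be encrypted back into the tunnel.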
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:53 CEST