
[Users] Newbie Question. Routing and ipsec.conf Q

From: Alex Samad (asamad_at_ozemail.com.au)
Date: Wed May 08 2002 - 03:17:05 CEST


Hi,

Firstly, let me apologise if this has been asked before; I had a quick look
through the archive, but an initial look did not find what I was after.

I have just recently downloaded freeswan 1.97 and compiled it into 2.4.18
(on rh7.2).

The machine that I have installed it on is a firewall machine, hiding a
local LAN. I am using iptables (NAT).

When I try the test suggested in the doc, using conn me-to-anyone with
auto=route, I can ping oetest.freeswan.org and, for example,
www.yahoo.com.au from the linux box.

When I go to a machine on the local LAN, I can still ping oetest.freeswan.org,
but I cannot ping www.yahoo.com.au.

I made the necessary changes to my firewall config, basically allowing all
traffic in/out on ipsec0 and adding MASQ for ipsec0 in the nat table.

After some playing around I created a different conn definition directly to
oetest.freeswan.org, and took the auto= line off me-to-anyone.
When I bring up just the freeswan connection with auto=start, I can ping
oetest.freeswan.org or www.yahoo.com.au from the gateway machine or from one of
the PCs on the local LAN.

Is there something strange about the opportunistic 0/0 address that
stuffs up the routing table? Is this a known problem? Any ideas on
what I can do to fix it, or do I just have to define my conn
definitions more narrowly?

My second problem arose from the creation of the freeswan conn. When I use
auto=route or auto=add and then try /etc/init.d/ipsec restart, it complains
about not being able to get any key for oetest.freeswan.org. But if I use
auto=start it works, or if I leave auto blank and then at the command line
type

ipsec auto --add freeswan
ipsec auto --route freeswan

it works! I thought this was the same as adding auto=route. Is there a
problem in my definition of freeswan?

ipsec.conf is below.

Thanks
Alex

======
ipsec.conf
======
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=all
        pluto=yes
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        forwardcontrol=yes

conn %default
        keyexchange=ike
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dns
        rightrsasigkey=%dns
        keylife=1h
        ikelifetime=1h
        compress=no

conn me-to-anyone
        also=localdef
        right=%opportunistic
        rekey=no

conn freeswan
        # Include localDef
        also=localdef
        # General any point
        right=192.139.46.38
        rightid=mrcharlie.sandelman.ottawa.on.ca
        rightsubnet=192.139.46.73/32
        rekey=no
        pfs=yes

conn localdef
        left=144.132.182.233
        leftnexthop=144.132.176.1
        leftid=@sydlxfw01.dns.samad.com.au

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
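The ipsec.conf at the end of the post is easiest to reason about once "conn %default" and the also= references are folded into each conn. The following is an added example for this thread, not FreeS/WAN code and not anything Alex posted: a small parser that resolves each conn's effective parameters and the address selectors it would cover, fed a constructed copy of the ipsec.conf above. The precedence it applies (a conn's own parameters over its also= sections over %default) and the selector defaults (a bare left/right address is a /32 host, right=%opportunistic means any destination) are this example's assumptions about the format, not taken from the FreeS/WAN manual.

```python
"""Resolve the effective parameters of each conn in a FreeS/WAN-style
ipsec.conf. Added example for this thread, not FreeS/WAN's own parser.
Assumptions: own parameters > also= sections > %default; a bare address
selects a /32 host; %opportunistic selects any address."""

# Constructed sample input: the poster's ipsec.conf, trimmed to what
# matters for the routing question.
SAMPLE_CONF = """\
config setup
        interfaces="ipsec0=eth0"

conn %default
        authby=rsasig
        leftrsasigkey=%dns
        rightrsasigkey=%dns
        keylife=1h

conn me-to-anyone
        also=localdef
        right=%opportunistic
        rekey=no

conn freeswan
        # Include localDef
        also=localdef
        right=192.139.46.38
        rightsubnet=192.139.46.73/32
        pfs=yes

conn localdef
        left=144.132.182.233
        leftnexthop=144.132.176.1
        leftid=@sydlxfw01.dns.samad.com.au
"""


def parse_ipsec_conf(text):
    """Return {'config': {name: params}, 'conn': {name: params}}.
    A section header starts in column 0; parameters are indented
    key=value lines; '#' starts a comment. Repeated also= lines are
    collected in a list under the key 'also'."""
    sections = {"config": {}, "conn": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                # section header
            kind, _, name = line.partition(" ")
            if kind not in sections:
                raise ValueError("unknown section type: %r" % line)
            current = sections[kind].setdefault(name.strip(), {})
            continue
        if current is None:
            raise ValueError("parameter before any section: %r" % line)
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError("not a key=value line: %r" % line)
        key, value = key.strip(), value.strip().strip('"')
        if key == "also":
            current.setdefault("also", []).append(value)
        else:
            current[key] = value
    return sections


def _expand(name, conns, seen):
    """Parameters of `name` with its also= chain folded in; the section's
    own settings override included ones. File order is irrelevant here."""
    if name in seen:
        raise ValueError("also= cycle through %r" % name)
    if name not in conns:
        raise KeyError("conn %r is referenced but never defined" % name)
    merged = {}
    for inc in conns[name].get("also", []):
        for k, v in _expand(inc, conns, seen | {name}).items():
            merged.setdefault(k, v)              # first include wins
    merged.update((k, v) for k, v in conns[name].items() if k != "also")
    return merged


def resolve_conn(name, conns):
    """Effective parameters of conn `name`, %default applied underneath."""
    eff = _expand("%default", conns, frozenset()) if "%default" in conns else {}
    eff.update(_expand(name, conns, frozenset()))
    return eff


def _selector(params, side):
    addr = params.get(side)
    if addr == "%opportunistic":
        return "0.0.0.0/0"
    if params.get(side + "subnet"):
        return params[side + "subnet"]
    return addr + "/32" if addr else None


def policy_selectors(params):
    """(left selector, right selector) the conn would cover; None if
    that side has no address at all."""
    return _selector(params, "left"), _selector(params, "right")


def effective_conns(text):
    """{conn name: (effective params, selectors)} for every real conn."""
    conns = parse_ipsec_conf(text)["conn"]
    return {n: (resolve_conn(n, conns), policy_selectors(resolve_conn(n, conns)))
            for n in conns if n != "%default"}


if __name__ == "__main__":
    for name, (params, (lsel, rsel)) in effective_conns(SAMPLE_CONF).items():
        print("%-14s %s -> %s  authby=%s pfs=%s" % (
            name, lsel, rsel, params.get("authby"), params.get("pfs", "(unset)")))
```

Run stand-alone it prints one line per conn. What it makes visible is that nothing in the chain localdef -> me-to-anyone sets leftsubnet, so me-to-anyone ends up covering only the gateway's own address, 144.132.182.233/32, against 0.0.0.0/0; the LAN behind the firewall appears in none of the selectors, and only reaches ipsec0 through the MASQ rule mentioned in the post.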



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:57 CEST