Hi,
I have the following setup...
                      branch office

           clean lan                 dirty lan
         10.1.10.0/25             10.1.10.128/25
              |          linux          |
       +----- 10.1.10.1   10.1.10.129 ======+------NAT----> head office 10.0.0.0/8
       |        freeswan                    |
       |        on this NIC                 |
       |                                    V
                                     wireless client
                                     running SSH Sentinel
                                     10.1.10.139
I have two VPNs set up: one which goes 10.1.10.0/24 <-> 10.0.0.0/8 to connect the branch office to the main office, and one which goes $subnet <-> 10.1.10.139/32 to connect the wireless client to the rest of the corporate LAN.
If I set $subnet to 10.1.10.0/24 then I can see the branch office clean LAN from the wireless client as you might expect, and can successfully ping 10.1.10.1.
If I set $subnet to 0.0.0.0/0 then if I try to ping 10.1.10.1 from the wireless client then the ping gets IPSec'd by Sentinel, unIPSec'd by freeswan and reaches 10.1.10.1 as desired. The ping response is correctly addressed to 10.1.10.139, gets IPSec'd by freeswan, but instead of going down the tunnel back to the wireless client, it goes down the tunnel to head office!
RedHat 7.2 kernel 2.4.7-10 + Freeswan 1.96 + X.509
If I completely close down the connection to head office then the wireless client starts working. It looks like freeswan is making the wrong choice of VPN because the source address matches better on the head-office tunnel, rather than seeing that the target address is much better matched for the wireless-client tunnel.
The order of the tunnel declarations in ipsec.conf seems to be irrelevant.
Any ideas what is going wrong here?
thanks,
John
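The selector overlap John describes, modelled in a small added example (not code from the post or from FreeS/WAN): the echo reply 10.1.10.1 -> 10.1.10.139 is covered by both tunnels, because 10.1.10.139 also lies inside 10.0.0.0/8. The model assumes policy selection is a longest-prefix match that compares the source selector first and the destination second; that assumption reproduces the observed behaviour but is not a description of the KLIPS eroute code. The `overlapping_pairs` check is the sort of lint a practitioner would run over a config before relying on tie-break order.

```python
"""Model of IPsec policy selection with overlapping tunnel selectors.
Assumption (not verified against KLIPS): longest prefix, source first."""
from ipaddress import ip_address, ip_network

# Tunnels from the post: (name, source subnet, destination subnet).
HEAD_OFFICE = ("head-office", "10.1.10.0/24", "10.0.0.0/8")

def wireless_tunnel(subnet: str):
    """The wireless-client tunnel with $subnet substituted."""
    return ("wireless", subnet, "10.1.10.139/32")

def matching(policies, src: str, dst: str):
    """Every policy whose selectors cover the src -> dst packet."""
    s, d = ip_address(src), ip_address(dst)
    return [p for p in policies
            if s in ip_network(p[1]) and d in ip_network(p[2])]

def select(policies, src: str, dst: str, source_first: bool = True):
    """Pick one policy by longest prefix, source first (or destination first)."""
    hits = matching(policies, src, dst)
    if not hits:
        return None
    def key(p):
        src_len = ip_network(p[1]).prefixlen
        dst_len = ip_network(p[2]).prefixlen
        return (src_len, dst_len) if source_first else (dst_len, src_len)
    return max(hits, key=key)[0]

def overlapping_pairs(policies):
    """Config check: pairs of policies whose selectors overlap on both sides."""
    pairs = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if (ip_network(a[1]).overlaps(ip_network(b[1]))
                    and ip_network(a[2]).overlaps(ip_network(b[2]))):
                pairs.append((a[0], b[0]))
    return pairs

def reply_tunnel(subnet: str, source_first: bool = True):
    """Which tunnel the echo reply 10.1.10.1 -> 10.1.10.139 takes."""
    return select([HEAD_OFFICE, wireless_tunnel(subnet)],
                  "10.1.10.1", "10.1.10.139", source_first)

if __name__ == "__main__":
    for subnet in ("10.1.10.0/24", "0.0.0.0/0"):
        policies = [HEAD_OFFICE, wireless_tunnel(subnet)]
        print(subnet, "->", reply_tunnel(subnet),
              "overlaps:", overlapping_pairs(policies))
```

Note that the two selectors overlap in both configurations; with $subnet = 10.1.10.0/24 the source prefixes tie and the /32 destination wins, while with 0.0.0.0/0 the /24 source of the head-office tunnel wins under the source-first rule, which is exactly the misrouted reply in the post.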
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:58 CEST