
Re: [Users] vpn gateway and default gateway on same subnet?

From: Erwin Burgstaller (ber_at_knapp.com)
Date: Tue May 28 2002 - 08:54:30 CEST


On Mon, May 27, 2002 at 01:48:31PM -0400, Sam Sgro wrote:
> Can you please draw a simple diagram - which box is doing NAT or routing
> functions, internal LAN addresses, etc.

I have a similar problem; I did send a diagram, but got no answers, hmm
...

My tunnel works, with 2 definitions on both sides, but as I expect many
connections to different internet sites, it could be easier to go with
one tunnel for each connection. Here's the repost of my request (long,
but hopefully complete):

From: Erwin Burgstaller <ber_at_knapp.com>
To: users_at_lists.freeswan.org
Subject: One tunnel plus advanced routing

Hi!

I'm starting with FreeS/WAN and have built up a sample tunnel. In reality I
will provide an IPsec tunnel for at least 2 local subnets to one subnet
over the internet. My sample setup looks like this:

192.168.31.3<--->[192.168.31.1 192.168.30.2]
                               |
                               |
       gateway1 [192.168.30.1 10.17.130.27]
                              |X|
                              |X|
                  [10.17.130.6 192.168.3.2]
                              |X|
                              |X|
       gateway2 [192.168.3.5 192.168.1.4]<--->[192.168.1.7]

The tunnel is marked with '|X|'.

Everything works fine between 192.168.30.2 and 192.168.1.7 as it should
be.
But I'd like to have 192.168.31.3 also to be able to communicate
with 192.168.1.7, but without building another tunnel. I've tried to set
it up as described below. Each sending side transmits the packet without
any error but on the receiving side it doesn't work:

192.168.31.3# ping 192.168.1.7

May 22 20:00:01 192.168.3.5 kernel: klips_debug:ipsec_rcv: SA:tun0x1003_at_192.168.3.5, inner tunnel policy [192.168.30.0/24 -> 192.168.1.0/24] does not agree with pkt contents [192.168.31.3 -> 192.168.1.7]

192.168.1.7# ping 192.168.31.3

May 22 22:23:12 10.17.130.27 kernel: klips_debug:gettdb: linked entry in tdb table for hash=228 of SA:esp0x85c3c434_at_10.17.130.27 requested.
May 22 22:23:12 10.17.130.27 kernel: klips_debug:gettdb: no entries in tdb table for hash=228 of SA:esp0x85c3c434_at_10.17.130.27.
May 22 22:23:12 10.17.130.27 kernel: klips_debug:ipsec_rcv: no Tunnel Descriptor Block for SA:esp0x85c3c434_at_10.17.130.27: incoming packet with no SA dropped

I'm obviously missing something, but unfortunately the documentation
is lacking on this point.

I have done the following extras:

10.17.130.27# ipsec eroute
369 192.168.30.0/24 -> 192.168.1.0/24 =>tun0x1006_at_192.168.3.5

10.17.130.27# ipsec eroute --add --eraf inet --dst 192.168.1.0/24 \
      --src 192.168.31.0/24 --said tun0x1006_at_192.168.3.5

and I've got:

377 192.168.30.0/24 -> 192.168.1.0/24 =>tun0x1006_at_192.168.3.5
0 192.168.31.0/24 -> 192.168.1.0/24 =>tun0x1006_at_192.168.3.5

Routing is:

10.17.130.27# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     10.17.130.6     255.255.255.0   UG       40 0          0 ipsec0
192.168.31.0    192.168.30.2    255.255.255.0   UG       40 0          0 eth1
192.168.30.0    0.0.0.0         255.255.255.0   U        40 0          0 eth1
10.17.0.0       0.0.0.0         255.255.0.0     U        40 0          0 eth0
10.17.0.0       0.0.0.0         255.255.0.0     U        40 0          0 ipsec0

I did the same on the other side, except that I additionally added a route:

192.168.3.5# route add -net 192.168.31.0/24 gw 192.168.3.2 dev ipsec0

192.168.3.5# ipsec eroute

216 192.168.1.0/24 -> 192.168.30.0/24 =>tun0x1002_at_10.17.130.27
142 192.168.1.0/24 -> 192.168.31.0/24 =>tun0x1002_at_10.17.130.27

192.168.3.5# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.3.0     0.0.0.0         255.255.255.0   U        40 0          0 eth1
192.168.3.0     0.0.0.0         255.255.255.0   U        40 0          0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth0
192.168.31.0    192.168.3.2     255.255.255.0   UG       40 0          0 ipsec0
192.168.30.0    192.168.3.2     255.255.255.0   UG       40 0          0 ipsec0
10.17.0.0       192.168.3.2     255.255.0.0     UG       40 0          0 eth1

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
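The "does not agree with pkt contents" drop in the post comes from the receiving gateway checking the decapsulated packet against the single selector pair its SA was negotiated with, no matter how many eroutes the sending side points at that SA. The following Python is an added illustration of that asymmetry and is not code from the post or from FreeS/WAN; the eroute table and the klips_debug line are copied from the post, and the regex and function names are my own.

```python
import ipaddress
import re

# Constructed sample input, copied from the post: the sending gateway's eroute
# table after the second eroute was added, and the receiving gateway's log line.
EROUTE_OUTPUT = """\
377 192.168.30.0/24 -> 192.168.1.0/24 =>tun0x1006_at_192.168.3.5
0 192.168.31.0/24 -> 192.168.1.0/24 =>tun0x1006_at_192.168.3.5"""

KLIPS_LOG = ("May 22 20:00:01 192.168.3.5 kernel: klips_debug:ipsec_rcv: "
             "SA:tun0x1003_at_192.168.3.5, inner tunnel policy "
             "[192.168.30.0/24 -> 192.168.1.0/24] does not agree with pkt "
             "contents [192.168.31.3 -> 192.168.1.7]")

EROUTE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>(\S+)$")
MISMATCH_RE = re.compile(r"SA:(\S+), inner tunnel policy \[(\S+) -> (\S+)\] "
                         r"does not agree with pkt contents \[(\S+) -> (\S+)\]")

def parse_eroutes(text):
    """Parse 'ipsec eroute' output into (src_net, dst_net, said) tuples."""
    table = []
    for line in text.splitlines():
        m = EROUTE_RE.match(line.strip())
        if m:
            _, src, dst, said = m.groups()
            table.append((ipaddress.ip_network(src), ipaddress.ip_network(dst), said))
    return table

def select_sa(table, src, dst):
    """Sending side: the first eroute covering the packet picks the SA."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((said for ns, nd, said in table if s in ns and d in nd), None)

def policy_agrees(policy_src, policy_dst, pkt_src, pkt_dst):
    """Receiving side: the decapsulated packet must fall inside the one
    selector pair the SA was negotiated with; anything else is dropped."""
    return (ipaddress.ip_address(pkt_src) in ipaddress.ip_network(policy_src)
            and ipaddress.ip_address(pkt_dst) in ipaddress.ip_network(policy_dst))

def parse_mismatch(logline):
    """Extract (said, policy, packet) from a klips_debug 'does not agree' line."""
    m = MISMATCH_RE.search(logline)
    if not m:
        return None
    said, psrc, pdst, ksrc, kdst = m.groups()
    return said, (psrc, pdst), (ksrc, kdst)

if __name__ == "__main__":
    table = parse_eroutes(EROUTE_OUTPUT)
    # Both source hosts are steered into the same SA on the way out ...
    print(select_sa(table, "192.168.30.2", "192.168.1.7"))
    print(select_sa(table, "192.168.31.3", "192.168.1.7"))
    # ... but only the packet inside the SA's own policy survives ipsec_rcv.
    said, policy, pkt = parse_mismatch(KLIPS_LOG)
    print(said, policy_agrees(*policy, *pkt))
```

The receiving check is what keeps a peer from pushing traffic for subnets it never negotiated through an existing SA, which is why a second eroute on the sender alone cannot make 192.168.31.0/24 work.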



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:07 CEST