Note: This archive passes through spamassassin. Every mail marked with the subject "*****SPAM*****" has exceed a certain threshold of spam-like behaviour.

Re: [Users] IPSEC routing trouble

From: Micah Silverman (mps_at_mpowerit.com)
Date: Tue Jul 16 2002 - 20:26:34 CEST

Next message: Jason A. Pattie: "Re: [Users] MS L2TP/IPSec VPN client configuration issue?"
Previous message: Roland B: "[Users] ONLY AH , without ESP ?"
In reply to: Stephen J Bevan: "[Users] IPSEC routing trouble"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Bingo!

I needed to add:

leftsubnet=192.168.1.0/24

and the pinging works as expected.

I even found the spot in the manual where it describes the problem I was having:

leftsubnet
Addresses for the machines which left is protecting.
· Often something like 101.202.203.0/24 to indicate that a subnet resides behind left. Often this subnet will be directly connected to left, but this not necessary. The only requirement is that left must be able to route to it.
· If you omit the leftsubnet line, then left is both the security gateway and the only client on that end.

It seems to me that in the wireless configuration I am envisioning, that I would want to set up another tunnel as I had originally done that just protects traffic between the client and the gateway. Even if the gateway firewall rules ultimately drop the incoming packet over the tunnel, the goal is to fully protect *all* wireless traffic.

Thanks so much for your help with this!

At 10:46 AM 7/16/2002 -0700, Stephen J Bevan wrote:
>Stephen J Bevan writes:
> > Which box are you pinging from? You show an example from
> > virtLinuxIPSEC -> virtLinux but in your diagram you don't list any
> > ipsecX interface for virtLinuxIPSEC. You do list one on virtLinux but
> > from the diagram it looks like you have it attached to the wrong
> > interface ("looks like" because Eudora, your mail client, wrapped some
> > lines your diagram and I'm not certain I unwrapped them correctly).
> > You should have ipsec0 attached to eth1 since that is the external
> > interface for virtLinux.
>
>Micah sent me an unmangled version of the diagram and from that it is
>clear that ipsec0=eth1 is not the solution. It appears that the
>problem is 10.0.0.1 is not listed as protecting 192.168.1.0/24 and so
>while 10.0.0.2->10.0.0.2 is protected, 10.0.0.2->192.168.1.0/24 goes
>out in the clear. I suggested making at least 192.168.1.0/24 a
>protected subnet.

Micah Silverman, CISSP
M*Power Internet Services
45 Thorney Ave. * Huntington Station, New York 11746
http://www.MPowerIT.com
mps_at_MPowerIT.com
631.367.6399 * Cell 516.770.8555 * Pager 800.782.9705
Alpha Pager airmicah_at_MPowerIT.com

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

Next message: Jason A. Pattie: "Re: [Users] MS L2TP/IPSec VPN client configuration issue?"
Previous message: Roland B: "[Users] ONLY AH , without ESP ?"
In reply to: Stephen J Bevan: "[Users] IPSEC routing trouble"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:23 CEST