
[Users] HELP... linux nat fw/sg's left and right... cannot ping across vpn.

From: Stephen J Bevan (stephen_at_etunnels.com)
Date: Wed Jul 17 2002 - 04:37:36 CEST


Eric Anderson writes:
> I am still reading through docs, but after 6 hours have still not been
> able to ping across the vpn.

That doesn't really give us a lot to go on. There are 6 interfaces (3
on each box) involved with getting a ping from skip's subnet to
gandolf's subnet. It would have been helpful if you could have
said which interfaces the packet appeared on or, better yet, included a
tcpdump on all the interfaces. As it happens, that probably won't be
necessary ...

> I have successfully established a connection between the two, i just
> can't seem to get packets to move across the encrypted tunnel.

Your spi and eroutes show that you have what appears to be a good
192.168.2.0/24 <-> 192.168.0.0/24 IPsec tunnel. However, the netstat
-rf output on gandolf doesn't have a route for 192.168.2.0/24 -> ipsec0.
Similarly, skip doesn't have a 192.168.0.0/24 -> ipsec0 route. Without
these, packets will not go over the IPsec tunnel. If you look at
the /var/log/secure output for skip, it includes :-

> Jul 16 11:02:40 fw pluto[702]: "skip-gandolf" #2: route-client output: /usr/local/lib/ipsec/_updown: `route add -net 192.168.0.0 netmask 255.255.255.0 dev ipsec0 gw 66.148.150.149' failed
> Jul 16 11:02:40 fw pluto[702]: "skip-gandolf" #2: route-client output: /usr/local/lib/ipsec/_updown: (incorrect or missing nexthop setting??)
> Jul 16 11:02:40 fw pluto[702]: "skip-gandolf" #2: route-client command exited with status 7
> Jul 16 11:02:49 fw pluto[702]: "skip-gandolf" #2: route-client output: SIOCADDRT: Network is unreachable

Which clearly indicates that it could not set up the requested route.
The reason it is failing is that 66.148.150.149 is not the nexthop for
skip; 66.148.156.149 is, i.e. you made a typo when defining leftnexthop
in your ipsec.conf on skip :-<
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
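An added diagnostic example in Python (not code from the thread or from FreeS/WAN) that applies the checks in the reply above to constructed data: it reports tunnel subnets with no kernel route via ipsec0, extracts failed `route add` commands from pluto's route-client log lines, and tests whether the gateway in such a command lies on a directly connected network. The route table and the 66.148.156.0/24 public subnet for skip are assumptions; the log lines are the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed input modelled on the thread: the subnet pair the SPIs/eroutes
# describe, and a netstat -rn style table (destination, netmask, iface) for
# skip. The 66.148.156.0/24 entry is an assumed public subnet, not from the
# page; note the absence of any 192.168.0.0/24 -> ipsec0 entry.
TUNNEL_SUBNETS = [("192.168.2.0/24", "192.168.0.0/24")]
SKIP_ROUTES = [
    ("192.168.2.0", "255.255.255.0", "eth1"),
    ("66.148.156.0", "255.255.255.0", "eth0"),
    ("0.0.0.0", "0.0.0.0", "eth0"),
]
# The pluto lines quoted in the thread (from /var/log/secure on skip).
PLUTO_LOG = """\
Jul 16 11:02:40 fw pluto[702]: "skip-gandolf" #2: route-client output: /usr/local/lib/ipsec/_updown: `route add -net 192.168.0.0 netmask 255.255.255.0 dev ipsec0 gw 66.148.150.149' failed
Jul 16 11:02:40 fw pluto[702]: "skip-gandolf" #2: route-client output: /usr/local/lib/ipsec/_updown: (incorrect or missing nexthop setting??)
Jul 16 11:02:40 fw pluto[702]: "skip-gandolf" #2: route-client command exited with status 7
Jul 16 11:02:49 fw pluto[702]: "skip-gandolf" #2: route-client output: SIOCADDRT: Network is unreachable
"""
ROUTE_FAIL = re.compile(r"`route add -net (\S+) netmask (\S+) dev (\S+) gw (\S+)' failed")


def missing_ipsec_routes(tunnels, routes, iface="ipsec0"):
    """Remote subnets of each tunnel with no kernel route via iface; such
    packets never enter the IPsec tunnel even when the SA is established."""
    via_iface = {str(ipaddress.ip_network(f"{d}/{m}")) for d, m, i in routes if i == iface}
    return [r for _, r in tunnels if str(ipaddress.ip_network(r)) not in via_iface]


def failed_route_adds(log):
    """(network, device, gateway) for each _updown 'route add ... failed' line."""
    found = []
    for line in log.splitlines():
        m = ROUTE_FAIL.search(line)
        if m:
            net, mask, dev, gw = m.groups()
            found.append((str(ipaddress.ip_network(f"{net}/{mask}")), dev, gw))
    return found


def gateway_on_link(gw, routes):
    """True if gw lies in a directly connected (non-default) network; if not,
    the kernel reports 'Network is unreachable', the symptom of a mistyped nexthop."""
    g = ipaddress.ip_address(gw)
    return any(g in ipaddress.ip_network(f"{d}/{m}")
               for d, m, _ in routes if d != "0.0.0.0")


if __name__ == "__main__":
    print("no ipsec0 route for:", missing_ipsec_routes(TUNNEL_SUBNETS, SKIP_ROUTES))
    for net, dev, gw in failed_route_adds(PLUTO_LOG):
        print(f"{net} via {dev} gw {gw}: on-link={gateway_on_link(gw, SKIP_ROUTES)}")
```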



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:23 CEST