[Users] Missing /proc/net/ipsec_spinew

From: Maria Backlund (Maria.Backlund_at_kiconsulting.se)
Date: Wed Aug 21 2002 - 15:20:16 CEST


We're working on an IPsec tunnel and have discovered that we're missing a file that's said to exist to get IPsec to work. The file is /proc/net/ipsec_spinew and we wonder why we miss it, what it contains and how we can retrieve it?

To get the tunnel we type "ipsec auto --add <connectionname>" on both machines and then "ipsec auto --up <connectionname>" on one of them. We get the message that IPsec is established. If we type "/usr/local/sbin/ipsec eroute" we get the output:
0 192.168.3.0/24 -> 192.168.2.0/24 => tun0x1008_at_192.168.1.10

Does it mean that the tunnel is up and working? If we try to ping from a node in subnet 3.0 to a node in subnet 2.0 then we get an error message in /var/log/messages saying something about "no eroute: dropping". Does this indicate that the tunnel is down or that it can't be located and used for some other reason?

Appreciate all the help we can get. Thanks a lot!
Maria & Fredrik
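The eroute line quoted above is the kernel's table of "which source subnet to which destination subnet goes through which SA". A packet that reaches ipsec0 whose source and destination do not both fall inside one of those subnet pairs has no eroute to follow, which is the condition behind the "no eroute: dropping" message. The following Python script is an added illustration, not part of the original thread or of FreeS/WAN: it parses `ipsec eroute` output in the format shown (the archive rewrote the "@" in the SA id as "_at_", which the parser normalises) and reports, for a given packet, which eroute would carry it or that none matches. The sample table is constructed for the example and only borrows the 192.168.3.0/24 -> 192.168.2.0/24 entry from the message; the matching rule (most specific subnet pair wins) is an assumption made for the demonstration.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# One row of `ipsec eroute` output: "<count> <src net> -> <dst net> => <said>"
class Eroute(NamedTuple):
    packets: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    said: str  # SA identifier, e.g. tun0x1008@192.168.1.10

EROUTE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*->\s*(\S+)\s*=>\s*(\S+)\s*$")

# Constructed sample table: first line is the one from the message, the
# second is an invented extra tunnel to show that lookups pick the right row.
SAMPLE_EROUTE_OUTPUT = """\
0 192.168.3.0/24 -> 192.168.2.0/24 => tun0x1008_at_192.168.1.10
5 192.168.3.0/24 -> 10.10.0.0/16 => tun0x1009@192.168.1.20
"""

def parse_eroute_table(text: str) -> List[Eroute]:
    """Parse the text printed by `ipsec eroute` into Eroute records."""
    routes: List[Eroute] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = EROUTE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised eroute line: {line!r}")
        count, src, dst, said = m.groups()
        # The list archive mangled '@' into '_at_'; restore the real SA id.
        said = said.replace("_at_", "@")
        routes.append(
            Eroute(
                int(count),
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False),
                said,
            )
        )
    return routes

def find_eroute(routes: List[Eroute], src_ip: str, dst_ip: str) -> Optional[Eroute]:
    """Return the most specific eroute whose subnet pair covers src -> dst, or None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    best: Optional[Eroute] = None
    for r in routes:
        if src in r.src and dst in r.dst:
            # Assumed tie-break: prefer the narrower (src, dst) subnet pair.
            if best is None or (r.src.prefixlen + r.dst.prefixlen) > (
                best.src.prefixlen + best.dst.prefixlen
            ):
                best = r
    return best

def explain_packet(routes: List[Eroute], src_ip: str, dst_ip: str) -> str:
    """Describe what the tunnel layer would do with a packet src -> dst."""
    r = find_eroute(routes, src_ip, dst_ip)
    if r is None:
        return f"no eroute: dropping {src_ip} -> {dst_ip}"
    return f"{src_ip} -> {dst_ip} matches {r.src} -> {r.dst}, sent via {r.said}"

if __name__ == "__main__":
    table = parse_eroute_table(SAMPLE_EROUTE_OUTPUT)
    # A host in subnet 3.0 pinging a host in subnet 2.0, as in the message.
    print(explain_packet(table, "192.168.3.5", "192.168.2.7"))
    # A destination outside every configured subnet pair.
    print(explain_packet(table, "192.168.3.5", "172.16.0.1"))
```

Running the script prints one line per test packet; the first is carried by tun0x1008@192.168.1.10 and the second reports "no eroute". If a real packet that should be tunnelled gets the "no eroute" result, the thing to check is whether the leftsubnet/rightsubnet pair in ipsec.conf actually covers both the pinging host and its target, and whether the packet is really being routed onto ipsec0 at all.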

-----Original Message-----
From: Mogens Valentin [mailto:monz_at_danbbs.dk]
Sent: 21 August 2002 14:35
To: Maria Backlund
Cc: users_at_lists.freeswan.org
Subject: Re: [Users] IPsec SA established??

Maria Backlund wrote:
> We've generated keys at the left and at the right side and added them
> to the connection in ipsec.conf. When we use "ipsec auto --add
> <connectionname>" on both sides and then "ipsec auto --up
> <connectionname>" on one side we're told that several "STATE_MAIN..."
> are passed and finally that Ipsec SA is established. When we look in
> the /var/log/messages we see no signs of error messages, or perhaps we
> miss them due to our lack of knowledge...

If, on either side of a connection, you get something like:

...Pluto[659]: "H26-H8-net13" #2492: responding to Quick Mode
...Pluto[659]: "H26-H8-net13" #2492: IPsec SA established

then your tunnel is most likely working, and it's up to i.e. firewalling to allow relevant traffic. Read the docs on firewalling, especially faq.html and firewall.html, or grep the docs-dir for iptables/ipchains/firewall ..

> Anyway, when we try to ping between the two clients in our network
> they can't reach each other :( The pinging works fine until the line
> "IPsec SA established" shows up. What's causing the ping problem?

What do you mean by 'the two clients'? Do you refer to actual clients _behind_ vpn-gateways, or the vpn-gateways themselves? You can't ping from one vpn-gw to another vpn-gw, U know..

-- 
Kind regards / venlig hilsen,
Mogens Valentin, Mr Dev

IT Networking, Security, Server Setup
http://www.mrdev.com
mrdev_at_danbbs.dk
Phone +45 32 525 878
Cell 51 227 668

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Wed Aug 21 2002 - 19:20:15 CEST