RE: [Users] FreeSWAN+Netscreen interoperability Question. It works... but how ?

From: Jordan Share (iso9_at_jwiz.org)
Date: Fri Oct 18 2002 - 01:37:20 CEST


> -----Original Message-----
> From: Corey Rogers [mailto:corey_at_wamcodm.com]
> Sent: Wednesday, October 16, 2002 8:03 PM
> To: Jordan Share
> Cc: users_at_lists.freeswan.org
> Subject: RE: [Users] FreeSWAN+Netscreen interoperability Question. It works... but how ?
>
>
> On Wed, 2002-10-16 at 17:18, Jordan Share wrote:
> > What happens when you do try to set a specific subnet behind
> > the Netscreen?
> >
> > Jordan
> >
> >
>
>
> In short, nothing. It fails at phase2 with the message:
>
> #6: max number of retransmissions (2) reached STATE_QUICK_I1. No
> acceptable response to our first Quick Mode message: perhaps peer
> likes no proposal
>
> When I use a subnet of 0.0.0.0/0 it works. But not when I use the subnet
> of the Netscreen's trusted side, which in this case would be
> 10.201.11.0/24. I'm taking a guess that it requires the subnet to
> correspond to one of the addresses listed in the address table on the
> trusted side. However, this hasn't worked as yet, but I still have further
> to go.

Well, what do the logs on the Netscreen say?

I threw this together, based on an old post that I made:
http://debby.jwiz.org/~jshare/netscreen-and-freeswan.html

> Do you know how freeswan is able to route traffic through the correct
> tunnel if for example all the subnets at multiple remote locations are
> identical .. ie. for example 192.168.10.0/24?

I am pretty sure that you can't have 2 routes to 2 subnets that are
different, but numbered the same. That is generally true, regardless
of whether freeswan is involved. How would you know where to send a packet?
If a ping starts on one machine, destined for 192.168.10.1, how can you
possibly know which 192.168.10.1 it should go to, if you have more than one?

Or am I completely misunderstanding your comment?

Jordan

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
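Two points from the exchange above, modelled in plain Python as an added example (this is not FreeSWAN or Netscreen code, and the thread does not contain it): the Quick Mode selector check that produces "no acceptable response to our first Quick Mode message" when the proposed subnets do not match the peer's proxy-ID, and the outbound policy lookup that cannot tell two sites apart when both use 192.168.10.0/24. The Netscreen-side policy values (0.0.0.0/0 on the trusted side, 192.168.1.0/24 as the FreeSWAN side) and exact-match semantics are assumptions chosen to reproduce the symptom Corey describes; IKEv1 Quick Mode has no selector narrowing, so a proposed subnet that merely fits inside the responder's policy is still rejected.

```python
"""Added example, not part of the original thread.

1. IKEv1 Quick Mode carries the traffic selectors (IDci/IDcr) the
   initiator wants the tunnel to cover.  A responder with a configured
   proxy-ID compares them against its own policy.  There is no
   narrowing in IKEv1: a mismatch gets no acceptable reply, and the
   initiator sits in STATE_QUICK_I1 retransmitting.
2. A gateway with two tunnels to two sites that both use 192.168.10.0/24
   cannot pick a tunnel for a packet to 192.168.10.1: both policy
   entries match equally well.

Assumed (not stated in the thread): the Netscreen policy is
local 0.0.0.0/0 <-> remote 192.168.1.0/24, and matching is exact.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Selector:
    """One side's view of a Quick Mode exchange: local subnet <-> remote subnet."""
    local: Net
    remote: Net


def quick_mode_response(policy: Selector, proposed: Selector) -> str:
    """Responder's decision: accept only an exact selector match (IKEv1 semantics).

    `proposed` is the initiator's IDci/IDcr as seen from the responder, so
    the initiator's rightsubnet is the responder's local side.
    Containment is deliberately not enough: 10.201.11.0/24 lies inside
    0.0.0.0/0 but is not equal to it.
    """
    if policy.local == proposed.local and policy.remote == proposed.remote:
        return "accept"
    return "reject: no matching proxy-ID"  # initiator sees only silence and retransmits


def run_quick_mode(initiator_left: str, initiator_right: str,
                   responder_local: str, responder_remote: str) -> str:
    """Drive one Quick Mode attempt and return the responder's verdict."""
    proposed = Selector(local=Net(initiator_right), remote=Net(initiator_left))
    policy = Selector(local=Net(responder_local), remote=Net(responder_remote))
    return quick_mode_response(policy, proposed)


def matching_conns(conns: dict, dst: str) -> list:
    """Outbound policy lookup: which conns' rightsubnet contains dst?

    `conns` maps a conn name to its rightsubnet.  More than one result
    means the policy cannot tell the remote sites apart, which is
    Jordan's point about identically numbered subnets.
    """
    addr = ipaddress.IPv4Address(dst)
    return sorted(name for name, subnet in conns.items() if addr in Net(subnet))


if __name__ == "__main__":
    # Constructed inputs mirroring the thread (assumed Netscreen policy on the right).
    print(run_quick_mode("192.168.1.0/24", "0.0.0.0/0",
                         "0.0.0.0/0", "192.168.1.0/24"))       # accept
    print(run_quick_mode("192.168.1.0/24", "10.201.11.0/24",
                         "0.0.0.0/0", "192.168.1.0/24"))       # reject
    print(matching_conns({"siteA": "192.168.10.0/24",
                          "siteB": "192.168.10.0/24"}, "192.168.10.1"))
```

The practical check this suggests: when Quick Mode fails with "perhaps peer likes no proposal", compare the subnet pair FreeSWAN is sending (leftsubnet/rightsubnet) against the proxy-ID the Netscreen logs for that policy, field by field, rather than asking whether one is contained in the other.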



This archive was generated by hypermail 2.1.5 : Sat Oct 19 2002 - 05:20:27 CEST