From: Corey Rogers (corey_at_wamcodm.com)
Date: Wed Oct 30 2002 - 19:05:12 CET
I've managed to overcome some past problems with freeswan and
netscreens. I am now able to tunnel at will since I understand what was
lacking from the netscreen configs. Netscreen to netscreen tunnels are
usually created with the "inside any outside any" parameters
(0.0.0.0/0.0.0.0). To tunnel to different subnets, however, a trusted
address must be created on the netscreen for that subnet. Subsequently a
VPN must be configured to use that subnet, as well as a policy.
Also, key things to remember in the freeswan config (ipsec.conf):
pfs=no
On the netscreen, the 2nd phase challenge (autokey-ike) should use a
challenge containing nopfs, such as:
nopfs-esp-3des-sha
The netscreen should also be set to Main mode and NOT aggressive mode in
the VPN config section.
Once all of these criteria are met, a tunnel is easily set up from the
linux box to the trusted side of the netscreen. This can be tested by
pinging the trusted side of the netscreen (ping -p ffff 10.10.1.1) and
doing a tcpdump on a machine between the 2 devices. If the traffic is not
being encrypted, the "ffff" will show up in a tcpdump run with the -x
switch. Also, traffic which carries "ip-proto-50" is encrypted and
encapsulated.
As simple and as obvious as this may seem it took quite a while to
really comprehend.
Have fun, and thanks for a great program.
--
Corey Rogers
Junior System Administrator
Wamco Technology Group Ltd (Barbados)
#3 Mahogany Court, Wildey, St. Michael
Phone: (246)437-3154 FAX: (246)228-4319

There's nothing remarkable about it. All one has to do is hit the right
keys at the right time and the instrument plays itself ....
----- Johann Sebastian Bach -----
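The two checks the post describes, the pfs=no line in the FreeS/WAN conn and the "does ffff still show up in tcpdump -x" test, as an added example that is not part of the original post or of FreeS/WAN itself. It is an offline script: the ipsec.conf fragment, the capture text, the conn name linux-to-netscreen, the addresses and every packet byte are constructed assumptions, so it can be run without a tunnel. Point the two functions at a real ipsec.conf and a saved `tcpdump -n -x` capture to use them for real.

```shell
#!/bin/sh
# Added example, not part of the original post: offline checks for the two
# things the post says to verify, the pfs= setting of a FreeS/WAN conn and
# whether a tcpdump -x capture still shows the 'ffff' ping pattern in the
# clear. All names, addresses and packet bytes below are constructed.

# Constructed ipsec.conf fragment in the form the post describes, with
# pfs=no to match a NetScreen nopfs-esp-3des-sha phase 2 proposal.
IPSEC_CONF_SAMPLE='conn linux-to-netscreen
        left=192.0.2.10
        leftsubnet=10.10.2.0/24
        right=198.51.100.20
        rightsubnet=10.10.1.0/24
        authby=secret
        pfs=no
        auto=start
'

# Constructed tcpdump -n -x capture: one cleartext echo request carrying
# the ping -p ffff pattern, then one ESP (protocol 50) packet between the
# tunnel endpoints. Checksums and ESP payload bytes are made up.
SAMPLE_CAPTURE=$(cat <<'EOF'
19:05:12.101010 IP 10.10.2.5 > 10.10.1.1: ICMP echo request, id 1, seq 1, length 64
        0x0000:  4500 0054 1c46 4000 4001 c2f1 0a0a 0205
        0x0010:  0a0a 0101 0800 7d6b 0001 0001 ffff ffff
        0x0020:  ffff ffff ffff ffff ffff ffff ffff ffff
19:05:12.202020 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
        0x0000:  4500 0088 1c47 4000 4032 8fa3 c000 020a
        0x0010:  c633 6414 0a1b 2c3d 0000 0001 9f3e 2b77
        0x0020:  51c0 a8e4 0d12 7f5a 3b9e 6c01 e2d4 88af
EOF
)

# conn_pfs FILE CONN -> prints the pfs= value of that conn.
# FreeS/WAN treats a missing pfs keyword as pfs=yes, so that is reported.
conn_pfs() {
    awk -v want="$2" '
        /^conn[[:space:]]/ { in_conn = ($2 == want); next }
        in_conn && /^[[:space:]]*pfs=/ {
            sub(/^[[:space:]]*pfs=/, ""); print; found = 1; exit
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# classify_capture FILE -> prints "cleartext=<n> encrypted=<n>".
# A packet whose summary line shows ESP (or "ip-proto-50" on older
# tcpdump) counts as encrypted; an ICMP packet whose hex dump contains a
# run of ffff counts as a cleartext leak of the ping payload.
classify_capture() {
    awk '
        # Summary lines start with a timestamp; hex lines are indented.
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ {
            leaked = 0
            if (/ESP\(|ip-proto-50/) { enc++; kind = "esp" }
            else if (/ICMP|icmp/)    { kind = "icmp" }
            else                     { kind = "other" }
            next
        }
        kind == "icmp" && /ffff ffff/ { if (!leaked) clear++; leaked = 1 }
        END { printf "cleartext=%d encrypted=%d\n", clear, enc }
    ' "$1"
}

# Run both checks against the constructed samples.
workdir=$(mktemp -d)
printf '%s' "$IPSEC_CONF_SAMPLE" > "$workdir/ipsec.conf"
printf '%s\n' "$SAMPLE_CAPTURE" > "$workdir/capture.txt"
echo "pfs for linux-to-netscreen: $(conn_pfs "$workdir/ipsec.conf" linux-to-netscreen)"
echo "capture: $(classify_capture "$workdir/capture.txt")"
rm -rf "$workdir"
```

On the constructed capture the script reports one cleartext packet and one encrypted one, which is exactly the "before" and "after" the post describes: the first echo request leaks the ffff padding, the ESP packet does not. Against a live capture, any cleartext count above zero for traffic that should be inside the tunnel means the policy or subnet on the NetScreen side is not matching.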
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Thu Oct 31 2002 - 05:20:35 CET