[Users] shunt SA of Drop or no eroute.

From: Lars Deutsch (lars.deutsch_at_mytoys.de)
Date: Wed Oct 30 2002 - 18:51:00 CET


Hello experts out there,

I am new to ipsec and thought I'd start easy by connecting two Suse 8.0
machines (FreeS/WAN 1.95) so that my home network (10.1.10.0/24 NAT) can
talk to the machines at work (10.1.2.0/24). A simple subnet to subnet
tunnel, it seems.
Configuring ipsec using a shared secret was easy enough and the tunnel is up
("SA established" msg from whack status on both sides). Somehow though the
packets are not routed into the ipsec0 device. It's trying to find an eroute
and can't, resulting in the msg above from the topic. (ext. gw ip A -->
private address behind GW B)

Configuration:
10.1.2.0/24--NAT FW--public IP GW A ..... public IP GW B--NAT FW--10.1.10.0/24

When I try a single host tunnel by leaving out the 10.1.10.0 subnet I can
send packets through the tunnel. (checked it with tcpdump at the target
machine in the private subnet behind GW B)
So to my knowledge this rules out:

- rp_filter (set to 0 on the native IF used by the ipsec0 dev, being 1 on the
ipsec0 IF however)
- firewall issues (the packets wouldn't arrive in single host tunnel mode if
the firewall on either side filtered packets out); port 500 and protocols 50 and
51 are open on both gateways and working fine. There are no 'dropped packet etc.'
messages on either side.

The error message (shunt SA of Drop or no eroute) appears on BOTH sides
regardless of whether I send a ping (or do a traceroute) from 10.1.2.x to
10.1.10.x or from 10.1.10.x to 10.1.2.x.
The hardware of the two gateway machines is (although Intel based)
completely different (diff. MB, CPU, RAM, HD etc.). The packets never
leave the external IF of the GW in front of the subnet.

Any help would be greatly appreciated. I was bragging to my coworkers how
easy free s/wan setup is and now this :-(

Lars

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
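As an added illustration (this is not code from the original post and not FreeS/WAN's own code), the following Python simulates the eroute lookup that KLIPS performs when a packet is handed to ipsec0: the packet's (src, dst) pair is matched against the eroute table, and the result is either a tunnel SA, a shunt SA such as %drop, or "no eroute" (the latter two being what the message in the subject reports). It shows why the single-host tunnel described above can work while the subnet-to-subnet case fails: a host eroute (gateway/32 -> 10.1.10.0/24) does not cover packets sourced from 10.1.2.x. The eroute lines are constructed in the text layout this example assumes for `ipsec eroute` (/proc/net/ipsec_eroute), i.e. `count src/mask -> dst/mask => SAID`; the gateway addresses 203.0.113.1 and 198.51.100.1, the SPIs and the %drop entry are made-up values, while the subnets are those from the post.

```python
"""Simulated KLIPS eroute lookup ("shunt SA of Drop or no eroute").

Added example, not code from FreeS/WAN or from the original post.
Assumed `ipsec eroute` line layout:
    <count> <src>/<mask> -> <dst>/<mask> => <SAID>
where SAID is tun0x<spi>@<gateway> for a tunnel, or a shunt such as
%drop, %trap, %pass, %hold. Gateway IPs, SPIs and the %drop entry below
are constructed sample data; the private subnets come from the post.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

EROUTE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+)\s*$")


class Eroute(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    said: str


# Constructed table: what a single-host conn leaves behind (gateway A's own
# address /32 to the remote subnet). Nothing here covers 10.1.2.x sources.
HOST_ONLY_TABLE = """\
0   203.0.113.1/32   ->   10.1.10.0/24   =>   tun0x1002@198.51.100.1
"""

# Constructed table: the subnet-to-subnet conn added, plus a %drop shunt
# for an unrelated destination to show the "shunt SA" branch.
SUBNET_TABLE = """\
0   10.1.2.0/24      ->   10.1.10.0/24   =>   tun0x1004@198.51.100.1
0   203.0.113.1/32   ->   10.1.10.0/24   =>   tun0x1002@198.51.100.1
0   10.1.2.0/24      ->   192.0.2.0/24   =>   %drop
"""


def parse_eroutes(text: str) -> List[Eroute]:
    """Parse eroute lines in the assumed layout; reject anything else."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = EROUTE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable eroute line: {line!r}")
        _count, src, dst, said = m.groups()
        routes.append(Eroute(ipaddress.ip_network(src, strict=False),
                             ipaddress.ip_network(dst, strict=False), said))
    return routes


def lookup(routes: List[Eroute], src_ip: str, dst_ip: str) -> Optional[Eroute]:
    """Return the most specific eroute whose src and dst nets cover the packet."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        if src in r.src and dst in r.dst:
            if best is None or (r.src.prefixlen + r.dst.prefixlen) > (
                    best.src.prefixlen + best.dst.prefixlen):
                best = r
    return best


def classify(routes: List[Eroute], src_ip: str, dst_ip: str) -> str:
    """Describe what ipsec0 would do with a src->dst packet."""
    r = lookup(routes, src_ip, dst_ip)
    if r is None:
        return "no eroute"          # packet is dropped, error logged
    if r.said.startswith("%"):
        return f"shunt SA {r.said}"  # e.g. %drop: dropped by policy
    return f"tunnel {r.said}"       # encapsulated into that SA


if __name__ == "__main__":
    for name, table in (("host-only", HOST_ONLY_TABLE), ("subnet", SUBNET_TABLE)):
        routes = parse_eroutes(table)
        for src, dst in (("203.0.113.1", "10.1.10.7"), ("10.1.2.5", "10.1.10.7"),
                         ("10.1.2.5", "192.0.2.9")):
            print(f"{name:9s} {src:>12s} -> {dst:<10s} : {classify(routes, src, dst)}")
```

Comparing the live `ipsec eroute` output on each gateway against the subnets the conn is meant to cover is the corresponding check: a tunnel that is "up" per `ipsec whack --status` but whose eroute entries name only the gateway addresses will produce exactly this message for traffic sourced from the private subnet.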
This archive was generated by hypermail 2.1.5 : Thu Oct 31 2002 - 05:20:35 CET