Re: [Users] shunt SA of Drop or no eroute.

From: Sam Sgro (sam_at_freeswan.org)
Date: Wed Oct 30 2002 - 21:47:11 CET



On Wed, 30 Oct 2002, Lars Deutsch wrote:

> Hello experts out there,
>
> I am new to ipsec and thought I'd start easy by connecting two Suse 8.0
> machines (free s/wan 1.95) so that my home network (10.1.10.0/24 NAT) can
> talk to the machines at work (10.1.2.0/24). A simple subnet to subnet
> tunnel, it seems.
> Configuring ipsec using a shared secret was easy enough and the tunnel is up
> (SA established msg from whack status on both sides). Somehow though the
> packets are not routed into the ipsec0 device. It's trying to find an eroute
> and can't, resulting in the msg above from the topic. (ext. gw ip A -->
> private address behind GW B)

Aha! Have you tried the ping from one of the machines behind your network?
I'll bet *that* works. You've made a subnet-to-subnet tunnel, you see; you
haven't made a tunnel from your gateway to the 10.1.2.0/24 subnet. FreeS/WAN
is picky about that.

www.freeswan.ca/code/old/freeswan-1.98b/doc/adv_config.html#multitunnel

More evidence from this:

> When I try a single host tunnel by leaving out the 10.1.10.0 subnet I can
> send packets through the tunnel. (checked it with tcpdump at the target
> machine in the private subnet behind GW B)

Test from a machine behind your network, and see if that works. You might want
to make the 3 extra tunnels with some quick copy/paste work too.

Barring that, post a barf, if you could, with those error messages; ideally to
a website, if you can.

--
Sam Sgro
sam_at_freeswan.org
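
Added example (not part of the original message, and not FreeS/WAN code): a small Python model of why a packet sourced from the gateway's own external address misses the subnet-to-subnet selector, and what the three extra tunnels cover. The gateway addresses are constructed placeholders (the thread gives only the two subnets), and the rendered conn sections are a sketch that leaves out authentication and `auto=` settings.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the thread gives only the two subnets; the gateway
# addresses are documentation-range placeholders for "GW A" and "GW B".
GW_A, NET_A = "192.0.2.1", "10.1.10.0/24"
GW_B, NET_B = "198.51.100.1", "10.1.2.0/24"


def selectors(multitunnel=False):
    """Return {conn name: (source net, destination net)} as seen from GW A."""
    conns = {"net-to-net": (NET_A, NET_B)}
    if multitunnel:
        # The three extra tunnels: a gateway's own address is a /32 endpoint.
        conns["gw-to-net"] = (GW_A + "/32", NET_B)
        conns["net-to-gw"] = (NET_A, GW_B + "/32")
        conns["gw-to-gw"] = (GW_A + "/32", GW_B + "/32")
    return {n: (ip_network(s), ip_network(d)) for n, (s, d) in conns.items()}


def match(src, dst, conns):
    """Name of the tunnel whose selector covers src -> dst, or None."""
    s, d = ip_address(src), ip_address(dst)
    for name, (snet, dnet) in conns.items():
        if s in snet and d in dnet:
            return name
    return None  # no selector covers the packet, so no tunnel carries it


def ipsec_conf(conns):
    """Render the selectors as ipsec.conf-style conn sections (sketch only)."""
    out = []
    for name, (snet, dnet) in conns.items():
        out += [f"conn {name}", f"    left={GW_A}"]
        if snet.prefixlen < 32:  # leftsubnet= omitted: the gateway itself
            out.append(f"    leftsubnet={snet}")
        out.append(f"    right={GW_B}")
        if dnet.prefixlen < 32:  # rightsubnet= omitted: the gateway itself
            out.append(f"    rightsubnet={dnet}")
    return "\n".join(out)


if __name__ == "__main__":
    single, multi = selectors(), selectors(multitunnel=True)
    for src in ("10.1.10.5", GW_A):  # a LAN host, then the gateway itself
        print(src, "-> 10.1.2.7:", match(src, "10.1.2.7", single),
              "/", match(src, "10.1.2.7", multi))
    print(ipsec_conf(multi))
```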





This archive was generated by hypermail 2.1.5 : Thu Oct 31 2002 - 05:20:35 CET