From: Sam Sgro (sam_at_freeswan.org)
Date: Wed Oct 30 2002 - 22:13:11 CET

On Wed, 30 Oct 2002, Denny Figuerres wrote:

> Ok I'll try changing the road-warrior to a new subnet range away from .1 and
> .2 ( both used at office side)

Hold off on that for a moment.

> Firewall: yes all the IPSEC and VPN related ports and protocols are open
> Btw: I am using FirewallBuilder from sourceforge and it ROCKS!!! Very easy
> to use!
> IP Tables firewall
> Both sides are Red Hat 7.3 Kernel 2.4.18-3
>
> Rp_filter == tell me more?
> I see a message but am not sure what to do about that??

Here's one explanation of the why of it:

http://lists.freeswan.org/pipermail/briefs/2002q2/000057.html

Your safest approach is to turn it off (ie "echo 0 >
/proc/sys/net/ipv4/conf/blah/rp_filter") for the ipsec interface and the
public interface ipsec is bound to on both machines.

> One big ?? what do I need to do to assign an address for the road-warrior
> on the inside LAN ??
> Where does that part happen / get done ??

Wow, you do leave the best parts of your setup out 'til the last minute. :)

How's this: before you go and renumber the subnets, try the connection with
the 192.168.1.101/32 address, or some other address you know isn't used on the
remote side. See what the result is. You may need to fiddle with routing on
both ends of the connection to make it work. Perhaps others on the list can
help you more with this.

Alternatively, you can look into dhcp-over-ipsec, which is an option included
in the x.509 patch (see http://www.strongsec.com/freeswan/ ). You may also
wish to consider compiling SuperFreeS/WAN, which includes NAT traversal and
the x.509 patch. It's available at http://www.freeswan.ca .

- --
Sam Sgro
sam_at_freeswan.org
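
The rp_filter change suggested in the message, limited to the two named interfaces and verified by reading the value back, as an added example that is not part of the original post. The interface names ipsec0 and eth0 and the CONF_ROOT variable are assumptions; the conf/all comparison follows the current kernel ip-sysctl documentation, and the 2.4 kernels in this thread may combine the two values differently.

```shell
#!/bin/sh
# Added example: scope the rp_filter change to the named interfaces only,
# leaving reverse-path filtering in place everywhere else.
# CONF_ROOT is overridable (assumption) so the logic can run on a scratch tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print the rp_filter value applied to an interface.
# Current kernels use max(conf/all, conf/<iface>) per the ip-sysctl docs.
# Returns 2 if the interface has no readable conf entry.
rp_effective() {
    iface_file="$CONF_ROOT/$1/rp_filter"
    [ -r "$iface_file" ] || return 2
    own=$(cat "$iface_file")
    all=$(cat "$CONF_ROOT/all/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Write 0 to rp_filter for each named interface and read it back.
# Returns 0 only if every named interface ends up with an effective value of 0.
rp_filter_off() {
    rc=0
    for iface in "$@"; do
        f="$CONF_ROOT/$iface/rp_filter"
        if [ ! -w "$f" ]; then
            echo "$iface: no writable rp_filter entry (interface not up?)" >&2
            rc=1
            continue
        fi
        echo 0 > "$f"
        eff=$(rp_effective "$iface")
        if [ "$eff" != "0" ]; then
            echo "$iface: wrote 0 but effective value is $eff (conf/all applies)" >&2
            rc=1
        else
            echo "$iface: rp_filter off"
        fi
    done
    return $rc
}

# Typical call on each gateway, as root (interface names are assumptions):
#   rp_filter_off ipsec0 eth0
```

The ipsec interface only has a conf entry once it exists, so the call belongs after the IPsec service has started.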