From: Kevin Wittfoth (Kevin_at_shortstravel.com)
Date: Tue Nov 12 2002 - 00:03:25 CET
Yep, that cleared the air for me. I have created separate tunnels for each
remote network that I want the remote office to have access to. It was a
routing problem at the firewall. It did not know how to route back to the
remote office since the gateway was internal to the firewall. I added a
couple of "route add" statements to the firewall, adjusted the firewall
rules for the new subnet and it took off working. Thanks to all for your
suggestions! I appreciate it tremendously!
-----Original Message-----
From: Sam Sgro [mailto:sam_at_freeswan.org]
Sent: Sunday, November 10, 2002 3:11 AM
To: Kevin Wittfoth
Cc: 'users_at_lists.freeswan.org'
Subject: Re: [Users] Newbie to Freeswan
On Fri, 8 Nov 2002, Kevin Wittfoth wrote:
> I have a routing problem with Freeswan. I have a remote office
> connected to the internet via cable connection. I have created a
> tunnel to the main office. I can pass traffic from the remote LAN to
> the main office LAN without any problems. I now want to route a
> certain network address space from the remote office to that main
> office and then through our firewall to the internet.
"route to the internet". Are these all public addresses? To restate: You
want to alter the routing table, such that packets destined for this
public-IP subnet should be handled by the main office gateway, which would
hand it to the remote office via the IPSec tunnel.
> When doing a tcpdump of the ipsec interface, I get this response,
> "icmp: time exceeded in-transit [tos 0xc0]" and "udp 12 [ttl 1]".
> What's udp 12? That port is not assigned to anything that I know of or
> maybe I am misinterpreting
Actually, I don't believe that represents the port number; it's the number
of bytes of user data contained in the UDP datagram.
My belief: the packet is being thrown away because the TTL will decrement to
"0" once it passes the FreeS/WAN machine. This is standard behavior;
routers won't pass a packet with a TTL of 1 or 0; the packets are dropped,
and an ICMP "time exceeded" message is sent back to the originating host. (This is
actually the way traceroute works, FYI.)
It sounds as if you've got a fundamental routing problem with how you've
chosen to route traffic to the remote network, if that helps.
--
Sam Sgro
sam_at_freeswan.org
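As an added illustration of Sam's point that "udp 12" is a payload length and that a "[ttl 1]" packet is about to be discarded, here is a small Python parser over constructed tcpdump lines (example code written for this archive page, not from the thread or from FreeS/WAN). It assumes the classic one-line tcpdump text format quoted above; the timestamps, addresses and ports are invented.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample capture in the tcpdump text format quoted in the thread;
# timestamps, addresses and ports are invented for illustration.
SAMPLE_CAPTURE = """\
00:12:01.101 10.1.1.5.33434 > 192.0.2.10.33435: udp 12 [ttl 1]
00:12:01.103 10.1.1.1 > 10.1.1.5: icmp: time exceeded in-transit [tos 0xc0]
00:12:02.201 10.1.1.5.33434 > 192.0.2.10.33436: udp 12
00:12:03.301 10.1.1.9.5060 > 192.0.2.20.5060: udp 412
"""

UDP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"udp (?P<length>\d+)(?: \[ttl (?P<ttl>\d+)\])?")
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp: (?P<msg>time exceeded in-transit)")

@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    proto: str
    payload_len: Optional[int] = None  # "udp 12" = 12 bytes of UDP payload, not a port
    ttl: Optional[int] = None          # tcpdump appends [ttl N] when the TTL is about to expire
    msg: str = ""

def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; returns None for lines this example does not model."""
    m = UDP_RE.match(line)
    if m:
        return Packet(m["ts"], m["src"], m["dst"], "udp", int(m["length"]),
                      int(m["ttl"]) if m["ttl"] else None)
    m = ICMP_RE.match(line)
    if m:
        return Packet(m["ts"], m["src"], m["dst"], "icmp", msg=m["msg"])
    return None

def diagnose(capture: str) -> list[str]:
    """Flag datagrams the next router must drop (TTL <= 1) and tie each
    'time exceeded' reply back to the host whose earlier probe triggered it."""
    pkts = [p for p in map(parse_line, capture.splitlines()) if p]
    findings = []
    for p in pkts:
        if p.proto == "udp" and p.ttl is not None and p.ttl <= 1:
            findings.append(f"{p.ts} {p.src} -> {p.dst}: {p.payload_len}-byte UDP payload "
                            f"with ttl {p.ttl}; the next router will drop it")
        elif p.proto == "icmp" and p.msg == "time exceeded in-transit":
            probes = [q for q in pkts if q.proto == "udp" and q.src == p.dst and q.ts < p.ts]
            findings.append(f"{p.ts} {p.src} reports TTL expiry to {p.dst} "
                            f"({len(probes)} earlier probe(s) from {p.dst}); "
                            f"check the forward and return routes at {p.src}")
    return findings
```

Running `diagnose(SAMPLE_CAPTURE)` on the constructed lines yields two findings: the 12-byte probe with ttl 1, and the gateway's "time exceeded" reply correlated to that probe.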
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Tue Nov 12 2002 - 05:20:38 CET