Re: [Users] an interpretation of STATE_MAIN_I1 (sent MI1, expecting MR1)

From: Keith Morse (kgmorse_at_mpcu.com)
Date: Thu Dec 19 2002 - 06:10:27 CET


On Wed, 18 Dec 2002, Sam Sgro wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> On Wed, 18 Dec 2002, Keith Morse wrote:
>
> >
> > when setting up a simple vpn, the ipsec.conf is below, I get the above in
> > /var/log/messages. Researching this in the freeswan documentation, I find
> > in http://www.freeswan.ca/docs/freeswan-1.98b/doc/trouble.html section 2.3
> > that the issue may be with firewall rules. My question is this, what if
> > there are no firewall rules in place? What would be an appropriate thing
> > to investigate then?
>
> Are you certain there are no firewall rules in place? Sometimes it's easy to
> overlook the default firewall installed with some distros. Use the ipsec barf
> command to give you a complete overview of your iptables/ipchains setup. It's
> a fairly good summary of all the info needed to debug an ipsec connection -
> you'll do better posting that output to the web, or to the list, for us to
> examine.

Yes, I'm certain no rules are in place. I've verified with a "iptables
-nL".

> If, after issuing "ipsec auto --up mpcu-bell", you're not getting past
> STATE_MAIN_I1, check the logs to make certain no initiation request is
> received on the peer.
>
> If no initiation request is being received, something must be confounding
> the packet flow, firewall rules or no. Use "tcpdump" to trace the packet flow,
> and diagnose how far the packets get before being discarded. Remember to check
> both the ethN and ipsecN interfaces.
>
> > ipsec.conf for each side (same conf file)
> >
> > conn mpcu-bell
> >         authby=secret
> >         left=192.168.1.1
> >         leftsubnet=10.1.1.0/24
> >         right=192.168.1.11
> >         rightsubnet=192.168.3.0/26
> >         auto=route
>
> Can you explain why you are using "auto=route" as opposed to "auto=add"? It's
> designed to create a "%trap" route for the peer, causing the packets to be
> dropped instead of transmitted.

Inexperience. I'll change that.
 
>
> One side should have "auto=start", at the very least, to ensure that one end
> attempts to negotiate the tunnel at FreeS/WAN start. Otherwise, you'll have to
> manually bring up the connection each time - and the use of "auto=route"
> implies you only wish secure traffic between the two 'nets. You may as well
> negotiate your tunnel at boot.
>

Thanks for the quick response.

> - --
> Sam Sgro
> sam_at_freeswan.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: noconv
> Comment: For the matching public key, finger the Reply-To: address.
>
> iQCVAwUBPgE7i0OSC4btEQUtAQFANAP/VZhwngvrFgFi8jbyqvxyQfb6CFZQxzum
> JaQC5QleKJH9siVDPfhf+P1AoNftyJUWLtt7Cb+5TcfSxHGS69WbXyLO5vhSGctw
> XtCil+b4mufN5SKwYZEDhng/yq2Z4r1EJMjUaO3UitTenELgO7T+txuktrGRU/ws
> B4LE2uocEJM=
> =S1DD
> -----END PGP SIGNATURE-----

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
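A small triage script, added here as an example and not code from the thread or from FreeS/WAN: it takes tcpdump output ("tcpdump -n -i eth0 udp port 500") captured on both hosts and says whether MI1 left the initiator, whether it reached the peer, and whether MR1 came back, which is the check Sam describes above. It assumes tcpdump's classic ISAKMP line format ("isakmp: phase 1 I ident" for the initiator's first Main Mode packet, "phase 1 R ident" for the peer's reply); the capture lines inside it are constructed, not a real trace, and use the addresses from the posted ipsec.conf (left=192.168.1.1 initiating, right=192.168.1.11 answering).

```python
"""Triage a FreeS/WAN Main Mode exchange stuck in STATE_MAIN_I1 (sent MI1, expecting MR1).

Added example for this thread, not code from FreeS/WAN or the posters.  It reads
tcpdump output captured on BOTH hosts ('tcpdump -n -i eth0 udp port 500') and
decides where the first IKE packet (MI1) was lost.  All capture lines below are
constructed for the example, not a real trace.
"""
import re
from enum import Enum

# tcpdump prints one line per ISAKMP packet, e.g.
#   10:02:11.123456 192.168.1.1.500 > 192.168.1.11.500: isakmp: phase 1 I ident: [|sa]
# "I ident" is the initiator's Main Mode packet (MI1); "R ident" is the peer's reply (MR1).
ISAKMP_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.500 > (?P<dst>\d+(?:\.\d+){3})\.500: "
    r"isakmp: phase (?P<phase>[12]) (?P<role>[IR?]) (?P<etype>\w+)"
)


class Verdict(Enum):
    MI1_NOT_SENT = ("MI1 never left the initiator: check the %trap route left by auto=route, "
                    "the route to the peer, and OUTPUT rules on the initiator")
    MI1_LOST_IN_TRANSIT = "MI1 left the initiator but never reached the peer: UDP/500 is dropped in between"
    PEER_SILENT = ("MI1 reached the peer but it sent no MR1: check the peer's pluto log and INPUT "
                   "rules, and that the conn is loaded there (auto=add or auto=start)")
    MR1_LOST_IN_TRANSIT = "peer answered with MR1 but it never reached the initiator: the return path drops UDP/500"
    MR1_RECEIVED = "MR1 arrived: Main Mode got past STATE_MAIN_I1, look at the next state in the log"


def parse_isakmp(lines):
    """Yield (src, dst, phase, role, exchange) for every ISAKMP line in a capture."""
    for line in lines:
        m = ISAKMP_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["phase"]), m["role"], m["etype"]


def saw_main_mode(lines, src, dst, role):
    """True if the capture holds a phase 1 'ident' (Main Mode) packet src->dst sent in that role."""
    return any(s == src and d == dst and p == 1 and r == role and e == "ident"
               for s, d, p, r, e in parse_isakmp(lines))


def triage(initiator_capture, responder_capture, initiator, responder):
    """Classify where Main Mode stalled, given captures from both ends.

    `initiator` ran 'ipsec auto --up', so it must emit 'I ident' and expects 'R ident' back.
    """
    if saw_main_mode(initiator_capture, responder, initiator, "R"):
        return Verdict.MR1_RECEIVED
    if not saw_main_mode(initiator_capture, initiator, responder, "I"):
        return Verdict.MI1_NOT_SENT
    if saw_main_mode(responder_capture, responder, initiator, "R"):
        return Verdict.MR1_LOST_IN_TRANSIT
    if not saw_main_mode(responder_capture, initiator, responder, "I"):
        return Verdict.MI1_LOST_IN_TRANSIT
    return Verdict.PEER_SILENT


# Constructed captures using the addresses from the posted ipsec.conf
# (left=192.168.1.1 initiates, right=192.168.1.11 should answer).
LEFT, RIGHT = "192.168.1.1", "192.168.1.11"

LEFT_ETH0 = [
    "10:02:11.123456 192.168.1.1.500 > 192.168.1.11.500: isakmp: phase 1 I ident: [|sa]",
    "10:02:21.123789 192.168.1.1.500 > 192.168.1.11.500: isakmp: phase 1 I ident: [|sa]",  # retransmit
]
RIGHT_ETH0_EMPTY = []          # peer never saw UDP/500: filtered or misrouted in between
RIGHT_ETH0_SEEN = [            # peer saw MI1 but pluto there never answered
    "10:02:11.124001 192.168.1.1.500 > 192.168.1.11.500: isakmp: phase 1 I ident: [|sa]",
]
RIGHT_ETH0_ANSWERED = RIGHT_ETH0_SEEN + [
    "10:02:11.130500 192.168.1.11.500 > 192.168.1.1.500: isakmp: phase 1 R ident: [|sa]",
]

if __name__ == "__main__":
    for name, rcap in [("peer saw nothing", RIGHT_ETH0_EMPTY),
                       ("peer saw MI1", RIGHT_ETH0_SEEN),
                       ("peer answered", RIGHT_ETH0_ANSWERED)]:
        print(f"{name}: {triage(LEFT_ETH0, rcap, LEFT, RIGHT).value}")
```

Repeat the capture on the ipsecN interface as well, as Sam says; an initiator trace full of retransmitted "I ident" lines next to an empty trace on the peer is the signature of a filter or NAT device between the two hosts rather than of a FreeS/WAN configuration problem, while "I ident" arriving at the peer with no "R ident" going back points at the peer's own pluto (conn not loaded, or a mismatch in the proposal or the shared secret) and is where its /var/log/messages should be read next.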



This archive was generated by hypermail 2.1.5 : Fri Dec 20 2002 - 05:21:09 CET