From: James P. Kinney III (jkinney_at_localnetsolutions.com)
Date: Thu Dec 19 2002 - 06:57:11 CET
iptables -nL won't show the nat table. Or the mangle table. Only the
default filter table.
Try iptables -t nat -L -v
and iptables -t mangle -L -v
I found that my NAT code was failing me due to a default of MASQUERADE
everything _after_ my inserted
iptables -t nat -I POSTROUTING -o ! ipsec+ -j MASQUERADE
On Thu, 2002-12-19 at 00:10, Keith Morse wrote:
> On Wed, 18 Dec 2002, Sam Sgro wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> >
> > On Wed, 18 Dec 2002, Keith Morse wrote:
> >
> > >
> > > when setting up a simple vpn, the ipsec.conf is below, I get the above in
> > > /var/log/messages. Researching this in the freeswan documentation, I find
> > > in http://www.freeswan.ca/docs/freeswan-1.98b/doc/trouble.html section 2.3
> > > that the issue may be with firewall rules. My question is this, what if
> > > there are no firewall rules in place? What would be an appropriate thing
> > > to investigate then?
> >
> > Are you certain there are no firewall rules in place? Sometimes it's easy to
> > overlook the default firewall installed with some distros. Use the ipsec barf
> > command to give you a complete overview of your iptables/ipchains setup. It's
> > a fairly good summary of all the info needed to debug an ipsec connection -
> > you'll do better posting that output to the web, or to the list, for us to
> > examine.
>
> Yes, I'm certain no rules are in place. I've verified with a "iptables
> -nL".
>
>
>
> > After issuing "ipsec auto --up mpcu-bell" you're not getting past
> > STATE_MAIN_I1, check the logs to make certain no initiation request is
> > received on the peer.
> >
> > If no initiation request is being received, something must be confounding
> > the packet flow, firewall rules or no. Use "tcpdump" to trace the packet flow,
> > and diagnose how far the packets get before being discarded. Remember to check
> > both the ethN and ipsecN interfaces.
> >
> > > ipsec.conf for each side (same conf file)
> > >
> > > conn mpcu-bell
> > > authby=secret
> > > left=192.168.1.1
> > > leftsubnet=10.1.1.0/24
> > > right=192.168.1.11
> > > rightsubnet=192.168.3.0/26
> > > auto=route
> >
> > Can you explain why you are using "auto=route" as opposed to "auto=add"? It's
> > designed to create a "%trap" route for the peer, causing the packets to be
> > dropped instead of transmitted.
>
>
> Inexperience. I'll change that.
>
> >
> > One side should have "auto=start", at the very least, to ensure that one end
> > attempts to negotiate the tunnel at FreeS/WAN start. Otherwise, you'll have to
> > manually bring up the connection each time - and the use of "auto=route"
> > implies you only wish secure traffic between the two 'nets. You may as well
> > negotiate your tunnel at boot.
> >
>
> Thanks for the quick response.
>
>
> > - --
> > Sam Sgro
> > sam_at_freeswan.org
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: 2.6.3ia
> > Charset: noconv
> > Comment: For the matching public key, finger the Reply-To: address.
> >
> > iQCVAwUBPgE7i0OSC4btEQUtAQFANAP/VZhwngvrFgFi8jbyqvxyQfb6CFZQxzum
> > JaQC5QleKJH9siVDPfhf+P1AoNftyJUWLtt7Cb+5TcfSxHGS69WbXyLO5vhSGctw
> > XtCil+b4mufN5SKwYZEDhng/yq2Z4r1EJMjUaO3UitTenELgO7T+txuktrGRU/ws
> > B4LE2uocEJM=
> > =S1DD
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > Users mailing list
> > Users_at_lists.freeswan.org
> > http://lists.freeswan.org/mailman/listinfo/users
> >
>
> _______________________________________________
> Ipsec-users mailing list
> Ipsec-users_at_tossell.net
> http://lists.tossell.net/lists/listinfo/ipsec-users
--
James P. Kinney III          \Changing the mobile computing world/
President and CEO             \       one Linux user       /
Local Net Solutions,LLC        \        at a time.        /
770-493-8244                    \.___________________________./
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney_at_localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
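The two points above (that "iptables -nL" only shows the filter table, and that a catch-all MASQUERADE rule sitting after the "-o ! ipsec+" exclusion silently rewrites packets before IPsec sees them) are easy to check mechanically against an "iptables-save" dump. The script below is an added example, not code from this thread or from the FreeS/WAN project: the dump is a constructed sample modelled on the setup discussed above, and the function names (list_tables, masq_rules, unsafe_masq_count) are my own. On a real host you would replace the sample with the output of "iptables-save".

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for NAT
# rules that would masquerade traffic bound for the ipsecN interfaces.

# Constructed sample dump. The second POSTROUTING rule is the "MASQUERADE
# everything" default that hides behind the ipsec exclusion inserted above it.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ! ipsec+ -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
COMMIT'

# list_tables DUMP: print every table present in the dump, one per line.
# "iptables -nL" alone would only have shown the filter table.
list_tables() {
    printf '%s\n' "$1" | awk '/^\*/ { print substr($0, 2) }'
}

# masq_rules DUMP: print only the nat POSTROUTING rules that jump to MASQUERADE.
masq_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING / && / -j MASQUERADE/ { print }
    '
}

# unsafe_masq_count DUMP: count MASQUERADE rules that do not exclude the ipsec
# interfaces. Both the old "-o ! ipsec+" and the newer "! -o ipsec+" spellings
# are accepted as a valid exclusion.
unsafe_masq_count() {
    masq_rules "$1" | awk '
        !/-o ! ipsec\+/ && !/! -o ipsec\+/ { n++ }
        END { print n + 0 }
    '
}

printf 'tables in dump: %s\n' "$(list_tables "$SAMPLE_DUMP" | tr '\n' ' ')"
printf 'MASQUERADE rules in nat POSTROUTING:\n'
masq_rules "$SAMPLE_DUMP"
printf 'rules that also masquerade IPsec-bound traffic: %s\n' \
    "$(unsafe_masq_count "$SAMPLE_DUMP")"
```

Because rules in a chain are evaluated in order, a count of zero from unsafe_masq_count is what you want to see on a FreeS/WAN gateway: any remaining match means packets leaving towards the ipsec interface can have their source rewritten first, which is exactly the kind of rule "ipsec barf" output would reveal but a plain "iptables -nL" never lists.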
This archive was generated by hypermail 2.1.5 : Fri Dec 20 2002 - 05:21:09 CET