From: Sam Sgro (sam_at_freeswan.org)
Date: Mon Jan 06 2003 - 22:37:41 CET
On Mon, 6 Jan 2003, Wil McGilvery wrote:
> I am trying to setup a VPN between my house and work. I have Mandrake
> Linux running Shorewall as my firewall and Freeswan 1.98b at work and a
> Linksys BEFSX41 Router at home.
>
> I configured Shorewall for a VPN tunnel from my house and setup Freeswan
> and the linksys router using an article I found at Freeswan.ca
>
> When I initiate a connection from the linksys router, I get a message in
> the Linksys log file that a successful connection was made. I have checked
> the log files on the linux box and cannot find any errors. My problem is
> that I cannot ping from either subnet across the VPN to the other side.
>
> I read that IPsec does not work well with NAT and that ip forwarding
> should be enabled so I did this by editing /etc/sysconfig/network
> (FORWARD_IPV4="yes") and in the sysctl.conf (net.ipv4_forward=1)
What do the logs report? Check /var/log/messages and /var/log/secure, or use
the handy "ipsec barf" for a FreeS/WAN-oriented summary.
How is your rp_filter doing? Is it set to "0" on the Mandrake box's external
interface?
Could the firewall itself be causing a problem? Have you allowed ESP (protocol
50) traffic? You can check to see if the firewall is intercepting these
packets by a simple test - do a diff of "iptables -L -n -v" as you attempt to
ping across the network. Does the Linksys box require any modifications of its
firewall ruleset to allow this traffic?
Have you examined the packet flow via tcpdump - are packets from one gateway
reaching the other? Are packets flowing one way between the two subnets? This
is a powerful tool for debugging ipsec connections.
Are you properly testing this by *only* attempting to ping from machines on one
subnet to the other?
After you've investigated these questions, post the output of the "ipsec barf"
command - anonymized if you so wish - and we can see if there are, in fact,
errors you may be missing. Know that the "xxx" anonymization does cause
problems - I'd rather you change a few of the IP numbers, but keep the
networks similar between changes (so we can catch routing issues).
> conn Orangeville
> right=xxx.xxx.xxx.xxx
> rightsubnet=192.168.0.1/24
That is not a valid network description; 192.168.0.0/24 is.
> rightnexthop=xxx.xxx.xxx.1
> left=xxx.xxx.xxx.xxx
> leftsubnet=192.168.1.0/24
> leftnexthop=xxx.xxx.xxx.1
> keyexchange=ike
> ikelifetime=240m
> keylife=60m
> pfs=yes
> compress=no
> authby=secret
> auto=add
--
Sam Sgro
sam_at_freeswan.org
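Two of the checks in the reply above, the "iptables -L -n -v" diff taken around a ping attempt and the 192.168.0.0/24 network-notation point, worked through as an added example that is not part of the original thread; the iptables snapshots are constructed, and the interface names eth0/eth1 are assumptions.

```python
"""Offline helpers: diff two `iptables -L -n -v` snapshots taken before and
after a ping across the tunnel, and validate ipsec.conf subnet notation."""
import ipaddress
import re

# Constructed snapshots (not captured from the poster's box; eth0 = external,
# eth1 = internal are assumptions). Between them a ping is attempted; the only
# counter that moves is the DROP for ESP on the external interface, which is
# what "IKE connects but nothing pings" looks like when protocol 50 is blocked.
BEFORE = """\
Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
  105  8400 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
   17  2040 DROP       esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 4811  311K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
"""
AFTER = BEFORE.replace("   17  2040 DROP", "   22  2640 DROP")

# A rule line starts with the pkts and bytes counters; chain headers do not.
RULE_RE = re.compile(r"^\s*(\d+)\s+\d+[KMG]?\s+\w+\s")

def parse_rules(snapshot):
    """Return (pkts, rule text) per rule, with the two counter columns stripped."""
    rules = []
    for line in snapshot.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), " ".join(line.split()[2:])))
    return rules

def moved_rules(before, after):
    """Rules whose packet counter grew between the snapshots, as (delta, rule)."""
    b, a = parse_rules(before), parse_rules(after)
    if [r for _, r in b] != [r for _, r in a]:
        raise ValueError("rulesets differ; take both snapshots from the same ruleset")
    return [(ap - bp, rule) for (bp, rule), (ap, _) in zip(b, a) if ap > bp]

def ipsec_blockers(moved):
    """Moved rules that drop or reject IKE (udp/500) or ESP (protocol 50)."""
    return [rule for _, rule in moved
            if rule.split()[0] in ("DROP", "REJECT")
            and ("esp" in rule.split() or "dpt:500" in rule)]

def subnet_ok(cidr):
    """True only if cidr names a network (host bits clear), e.g. 192.168.0.0/24."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    moved = moved_rules(BEFORE, AFTER)
    print("rules blocking IPsec during the ping test:", ipsec_blockers(moved))
    print("rightsubnet=192.168.0.1/24 valid?", subnet_ok("192.168.0.1/24"))
```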
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Tue Jan 07 2003 - 05:21:07 CET