Hi there, I wanted to establish a FreeS/WAN tunnel and I've tried everything suggested in the documentation, but it won't work... (boring question, I know). Both boxes are masquerading 'firewalls' running ipchains and SuSE 6.3. Each box has rules to accept the other's private and official addresses as 'trusted' (SuSE firewall script). IPsec seems to be set up correctly; turning on debug does not produce any failure output, and the route is correct, too. traceroute stops at the ipsec0 device. If I ping the other's private net, packets will only reach ipsec0. Does anybody know what I could do? Does anybody know tools to check whether routers in between drop IPsec packets? Bjoern
Did you try to ping/traceroute the gateways? Remember, the emphasis in VPN is on the "N". You'll have to use machines _behind_ the gateways. If you want to secure traffic between gateways or between net and gateway, you'll have to set up special connections. BTW: You can use ifconfig to check where packets are dropped if you need to. (See the ipsec FAQ for a detailed description.) Greets, Torsten
Bjoern Chyba wrote:
> traceroute stops at the ipsec0 device. If I ping the other's private net, packets will only reach ipsec0. Does anybody know what I could do? Does anybody know tools to check whether routers in between drop IPsec packets?
* Bjoern Chyba wrote on Mon, May 22, 2000 at 14:54 +0200:
> Each box has rules to accept the other's private and official addresses as 'trusted' (SuSE firewall script).
Don't know what the SuSE scripts allow in that case. You'll need UDP port 500 on both sides, and at least IP proto 50.
> IPsec seems to be set up correctly; turning on debug does not produce any failure output, and the route is correct, too.
Did you use manual keying first? Some details could be helpful :) Do you see proto-50 packets using a traffic sniffer between the hosts? Does "ipsec look" have in and out entries?
> If I ping the other's private net, packets will only reach ipsec0.
You mean the gateways can ping each other but not the networks? Did you fix the masq rules so that IPsec packets do _not_ get masqueraded?
> Does anybody know tools to check
tcpdump, Ethereal, to take a look whether something is running :)
> whether routers in between drop IPsec packets?
Use tcpdump -i <dev>. The IPsec packets should have the IPs of the gateways. You can watch port 500 <-> port 500 packets, UDP. They're needed for that SA.
oki, Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
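Steffen's advice (watch for UDP/500 between the two gateway addresses, and for proto 50 in both directions) can be turned into a quick check over a tcpdump capture taken on a gateway's outside interface. The following is an added example, not code from this thread or from FreeS/WAN: it parses constructed lines in roughly the format tcpdump prints ISAKMP and ESP, counts them per direction between the two gateway addresses, and reports the usual failure patterns (no UDP/500 at all, ISAKMP or ESP seen in only one direction, IPsec packets with the wrong addresses, plaintext packets to the remote private net that never entered the tunnel). The gateway addresses 192.0.2.1 and 198.51.100.1, the remote private net 10.2.0.0/24, and the sample capture lines are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumed topology (not from the thread): gateway A's official address,
# gateway B's official address, and the private net behind gateway B.
GW_A = "192.0.2.1"
GW_B = "198.51.100.1"
REMOTE_NET = "10.2.0.0/24"

# One capture line: "<time> <src>[.<port>] > <dst>[.<port>]: <payload>"
# (numeric addresses as printed with "tcpdump -n"; the port suffix is only
# present for UDP/TCP, ESP and AH lines carry bare IPs).
LINE_RE = re.compile(
    r"^\S+\s+(\d+\.\d+\.\d+\.\d+)(?:\.(\w+))?\s+>\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?:\.(\w+))?:\s*(.*)$"
)

# Constructed sample captures, written in the shape described above.
HEALTHY = """\
10:00:01.000 192.0.2.1.500 > 198.51.100.1.500: isakmp: phase 1 I ident
10:00:01.050 198.51.100.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
10:00:01.200 192.0.2.1.500 > 198.51.100.1.500: isakmp: phase 2/others I oakley-quick
10:00:01.250 198.51.100.1.500 > 192.0.2.1.500: isakmp: phase 2/others R oakley-quick
10:00:02.000 192.0.2.1 > 198.51.100.1: ESP spi 0x0a1b2c3d seq 1
10:00:02.040 198.51.100.1 > 192.0.2.1: ESP spi 0x4e5f6071 seq 1
"""
ONE_WAY_ESP = """\
10:00:01.000 192.0.2.1.500 > 198.51.100.1.500: isakmp: phase 1 I ident
10:00:01.050 198.51.100.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
10:00:02.000 192.0.2.1 > 198.51.100.1: ESP spi 0x0a1b2c3d seq 1
10:00:03.000 192.0.2.1 > 198.51.100.1: ESP spi 0x0a1b2c3d seq 2
"""
BYPASSED = """\
10:00:02.000 192.0.2.1 > 10.2.0.7: icmp: echo request
10:00:03.000 192.0.2.1 > 10.2.0.7: icmp: echo request
"""


def parse(line):
    """Return (src, dst, kind) for one capture line, or None if it does not
    match; kind is one of isakmp, esp, ah, other."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, payload = m.groups()
    if payload.startswith("ESP"):
        kind = "esp"
    elif payload.startswith("AH"):
        kind = "ah"
    elif sport in ("500", "isakmp") and dport in ("500", "isakmp"):
        kind = "isakmp"
    else:
        kind = "other"
    return src, dst, kind


def diagnose(capture, gw_a=GW_A, gw_b=GW_B, remote_net=REMOTE_NET):
    """Summarise a capture taken on gw_a's outside interface.
    Returns (counts, findings); findings is a list of (code, text)."""
    counts = Counter()
    leaks = 0
    net = ipaddress.ip_network(remote_net)
    for line in capture.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, kind = rec
        if kind == "other":
            # A plaintext packet to the remote private net on the outside
            # interface never went through ipsec0 at all.
            if ipaddress.ip_address(dst) in net:
                leaks += 1
            continue
        if (src, dst) == (gw_a, gw_b):
            counts[(kind, "out")] += 1
        elif (src, dst) == (gw_b, gw_a):
            counts[(kind, "in")] += 1
        else:
            counts[(kind, "stray")] += 1

    findings = []
    ike_out, ike_in = counts[("isakmp", "out")], counts[("isakmp", "in")]
    if not ike_out and not ike_in:
        findings.append(("no-isakmp", "no UDP/500 traffic between the gateways; "
                         "check that both firewalls accept UDP port 500"))
    elif ike_out and not ike_in:
        findings.append(("isakmp-one-way", "ISAKMP leaves but no reply arrives; "
                         "UDP/500 blocked at the peer or in between"))
    sa_out = counts[("esp", "out")] + counts[("ah", "out")]
    sa_in = counts[("esp", "in")] + counts[("ah", "in")]
    if sa_out and not sa_in:
        findings.append(("esp-one-way", "ESP/AH leaves but nothing returns; "
                         "proto 50/51 dropped at the peer or by a router in between"))
    stray = sum(n for (_, d), n in counts.items() if d == "stray")
    if stray:
        findings.append(("stray", "%d IPsec packet(s) with addresses other than "
                         "the two gateways" % stray))
    if leaks:
        # The thread's own suspects for this: the route, and masq rules
        # rewriting the packet before it reaches ipsec0.
        findings.append(("bypass", "%d plaintext packet(s) to %s on the outside "
                         "interface; traffic bypassed ipsec0 (check the route and "
                         "the masq rules)" % (leaks, remote_net)))
    if not findings:
        findings.append(("ok", "ISAKMP and ESP seen in both directions between the gateways"))
    return dict(counts), findings


if __name__ == "__main__":
    for name, cap in (("healthy", HEALTHY), ("one-way esp", ONE_WAY_ESP),
                      ("bypassed", BYPASSED)):
        print(name + ":")
        for code, text in diagnose(cap)[1]:
            print("  [%s] %s" % (code, text))
```

diagnose() takes the text of a capture; for a real one, run tcpdump with -n so addresses are printed numerically, and expect to adjust LINE_RE, since the exact line format varies between tcpdump versions.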
participants (3)
- Bjoern Chyba
- Steffen Dettmer
- Torsten Behle