-----Original Message----- From: Robert Klein [mailto:RoKlein@roklein.de] Sent: Wednesday, July 03, 2002 9:56 PM
On leftgateway's ipsec.conf change the rightnexthop value to the internal IP of rightgateway and vice versa.
I don't think that's the way it's supposed to be...
But I solved my problems exactly that way. If anybody has a better solution, please tell me.
To manage to fulfill #2 I also added the following tunnels in ipsec.conf:
-----------------
conn xpfwlsn-xpfwn # Subnet to gateway
conn xpfwl-xpfwnsn # Gateway to subnet
Is it really necessary to add these connections as well? I think FreeS/WAN will be confused because it doesn't know how to differentiate the incoming connection requests. Could you perhaps post the log entries when starting FreeS/WAN?
Yes, it is necessary, for the gateways to reach the opposite subnet.
But the gw (with only one tunnel between the subnets) has its routing table that tells it how to route e.g. packets to the remote subnet (via the ipsec interface). The packet will arrive there and be passed over to ipsec, which decrypts the packet and again passes it over to the internal interface. Isn't it correct that way? Of course gw to gw doesn't work via ipsec that way.
Jul 3 14:31:42 xpfwl kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=194.194.194.200 DST=192.168.1.10 LEN=84 TOS=0x00
Why does it arrive on ipsec0? It should be eth0. Taking the wrong tunnel?
No. All traffic between the two networks should go through ipsec0. (Or else it wouldn't use FreeS/WAN...)
But not traffic from an IP not belonging to the specified subnets, e.g. official IPs in that case. IIRC only IPs of the two subnets should arrive on ipsecX. Prost, Andreas
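The two points argued in this thread (that a gateway-to-subnet conn is needed on top of the subnet-to-subnet one, and that a packet from an address outside both subnets has no business arriving on ipsec0) can be checked mechanically. The following is an added example, not code from the thread or from FreeS/WAN: it models conn definitions as simple traffic selectors (leftsubnet/rightsubnet where given, the gateway host otherwise), resolves which conn covers a src/dst pair, and audits SuSE-FW-DROP-DEFAULT log lines against that. The conn names come from the thread; the gateway and right-subnet addresses are constructed placeholders, and 192.168.1.0/24 as the left subnet is an assumption based on the logged DST. The matcher is a simplified model and does not reproduce FreeS/WAN's own eroute selection.

```python
"""Which tunnel should a packet have taken, and does the firewall log agree?

Added example (not FreeS/WAN code). Conn names are from the thread;
all addresses except the one logged line are constructed placeholders.
"""
import ipaddress
import re

# Assumed layout of the four tunnels discussed in the thread. leftsubnet /
# rightsubnet are omitted where the endpoint is the gateway host itself.
CONNS = {
    "xpfwlsn-xpfwnsn": {"left": "203.0.113.1", "leftsubnet": "192.168.1.0/24",
                        "right": "198.51.100.1", "rightsubnet": "192.168.2.0/24"},
    "xpfwl-xpfwn":     {"left": "203.0.113.1", "right": "198.51.100.1"},
    "xpfwlsn-xpfwn":   {"left": "203.0.113.1", "leftsubnet": "192.168.1.0/24",
                        "right": "198.51.100.1"},
    "xpfwl-xpfwnsn":   {"left": "203.0.113.1",
                        "right": "198.51.100.1", "rightsubnet": "192.168.2.0/24"},
}


def _selector(conn, side):
    """Traffic selector for one side: the subnet if given, else the gateway host (/32)."""
    net = conn.get(side + "subnet", conn[side] + "/32")
    return ipaddress.ip_network(net, strict=False)


def match_conn(src, dst, conns=CONNS):
    """Return the first conn whose selectors cover src->dst in either direction, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, conn in conns.items():
        left, right = _selector(conn, "left"), _selector(conn, "right")
        if (src in left and dst in right) or (src in right and dst in left):
            return name
    return None


_KV = re.compile(r"(\w+)=(\S*)")


def parse_fw_line(line):
    """Pull KEY=VALUE fields out of a SuSEfirewall2/netfilter kernel log line."""
    return dict(_KV.findall(line))


def audit_fw_line(line, conns=CONNS):
    """Classify a logged packet: which conn covers it, and whether the ingress
    interface (ipsecN vs. a plain NIC) is consistent with the conn definitions."""
    f = parse_fw_line(line)
    conn = match_conn(f["SRC"], f["DST"], conns)
    on_ipsec = f.get("IN", "").startswith("ipsec")
    if on_ipsec and conn is None:
        verdict = "unexpected: arrived on ipsec but no conn covers src/dst"
    elif not on_ipsec and conn is not None:
        verdict = f"unexpected: covered by {conn} but arrived on {f.get('IN')}"
    else:
        verdict = "consistent"
    return {"src": f["SRC"], "dst": f["DST"], "in": f.get("IN"),
            "conn": conn, "verdict": verdict}


# First line is the one quoted in the thread; the second is constructed.
SAMPLE_LOG = [
    "Jul 3 14:31:42 xpfwl kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 "
    "SRC=194.194.194.200 DST=192.168.1.10 LEN=84 TOS=0x00",
    "Jul 3 14:32:01 xpfwl kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 "
    "SRC=192.168.2.20 DST=192.168.1.10 LEN=84 TOS=0x00",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(audit_fw_line(line))
```

Dropping the two extra conns from the dictionary and asking which conn covers gateway-to-subnet traffic returns None, which is the situation described when only the subnet-to-subnet tunnel exists; with them present the packet resolves to xpfwlsn-xpfwn. The logged 194.194.194.200 source matches no selector at all, so its appearance on ipsec0 is flagged rather than explained by tunnel choice.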