On Saturday, 18 October 2003 07:00, Techno Ed wrote:
Hi Markus!
Good news.... think I've accomplished the task. It was really a problem with routing (as suggested by Andreas)! This is a really long email.
-= The Solution =-
Seems that I forgot to create static routes on the client machines. To make things clearer, I'll give an example below... after that I'll write some things that may be useful to you (sorry if I wrote too much, I just prefer not to assume anything about your expertise). (...)
No problem, so do I. But: your problem was the missing routing for the subnet on the other side, correct?

My problem: a left side subnet host can ping, telnet, ssh to a right side subnet host; and the right side subnet host answers correctly. But when right side tries to ping (telnet, ssh, nmap) left side - packets are dropped at the interface ipsec0. Because it works perfectly from one side to the other (with answers!) - routing can't be my problem, or am I missing something?

Here are my config files:

-------------------right side----------------------------------
# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

conn %default
    keyingtries=5
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn VPN-Test
    left=x.x.x.x
    leftnexthop=x.x.x.y
    leftsubnet=192.168.89.0/24
    leftupdown=/usr/lib/ipsec/_updown.x509
    leftid="xxxxxxxxxxxxxxxxx"
    right=%defaultroute
    rightupdown=/usr/lib/ipsec/_updown.x509
    rightsubnet=192.168.0.0/24
    rightcert=Server@somewhere
    auto=start
----------------------------------------------------------

------------------left-side-----------------------------
# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

conn %default
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    keyingtries=5
    authby=rsasig

conn VPN-Test
    left=x.x.x.x
    leftnexthop=x.x.x.y
    leftsubnet=192.168.89.0/24
    leftcert=Server1@somewhere_else
    leftupdown=/usr/lib/ipsec/_updown.x509
    right=%any
    rightnexthop=x.x.x.y
    rightsubnet=192.168.0.0/24
    rightupdown=/usr/lib/ipsec/_updown.x509
    auto=add
------------------------------------------------------

Thanks a lot!!!

--
Kind regards
Markus Feilner
--
Linux solutions, training, seminars and workshops - also in-house
Feilner IT Linux & GIS
Erlangerstr. 2
93059 Regensburg
phone: +49 941 70 65 23 - mobile: +49 170 302 709 2
web: http://feilner-it.net
mail: mfeilner@feilner-it.net
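The quoted message identifies the fix as adding static routes on the client machines so that traffic for the far subnet reaches the IPsec gateway instead of the default router. The script below is an added example, not code from either poster or from the FreeS/WAN project: it parses a conn section in the style of the VPN-Test entries above and a client routing table in `ip route` syntax, then checks by longest-prefix match whether a packet for the remote subnet would actually be handed to the IPsec gateway. All addresses (203.0.113.10, 198.51.100.20, the gateway LAN address 192.168.0.254, the default router 192.168.0.1) are constructed placeholders; the routing tables are constructed too, one without the static route and one with it.

```python
import ipaddress

# Constructed example data (not from the thread). A conn section in the style of
# the VPN-Test connection, with placeholder addresses from RFC 5737 ranges.
IPSEC_CONF = """\
conn VPN-Test
    left=203.0.113.10
    leftnexthop=203.0.113.1
    leftsubnet=192.168.89.0/24
    right=198.51.100.20
    rightsubnet=192.168.0.0/24
    auto=start
"""

# Constructed routing tables in `ip route` syntax for a client on the
# 192.168.0.0/24 side. The first lacks the static route to the far subnet;
# the second adds it, pointing at the IPsec gateway's LAN address (assumed
# here to be 192.168.0.254; the default router 192.168.0.1 is not the gateway).
ROUTES_MISSING = """\
default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 scope link
"""
ROUTES_FIXED = ROUTES_MISSING + "192.168.89.0/24 via 192.168.0.254 dev eth0\n"


def parse_conn(conf, name):
    """Return the key=value parameters of one conn section of an ipsec.conf."""
    params = {}
    in_section = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line:
            continue
        if not line[0].isspace():              # unindented: "conn X" / "config setup"
            in_section = line.strip() == f"conn {name}"
            continue
        if in_section and "=" in line:
            key, value = line.strip().split("=", 1)
            params[key] = value.strip()
    return params


def parse_routes(text):
    """Parse `ip route` style lines into (network, gateway-or-None) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        gateway = None
        if "via" in fields:
            gateway = ipaddress.ip_address(fields[fields.index("via") + 1])
        routes.append((ipaddress.ip_network(dest), gateway))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: the gateway a packet to dst is sent to (None = on-link)."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1]


def client_route_ok(route_text, conf, conn, remote_key, ipsec_gw_lan_ip):
    """True if the client's table sends the remote IPsec subnet to the IPsec gateway.

    remote_key is 'leftsubnet' or 'rightsubnet', whichever is the far side
    from this client's point of view.
    """
    params = parse_conn(conf, conn)
    remote = ipaddress.ip_network(params[remote_key])
    probe = remote.network_address + 1        # any host address in the far subnet
    return next_hop(parse_routes(route_text), probe) == ipaddress.ip_address(ipsec_gw_lan_ip)


if __name__ == "__main__":
    for label, table in (("missing static route", ROUTES_MISSING), ("static route added", ROUTES_FIXED)):
        ok = client_route_ok(table, IPSEC_CONF, "VPN-Test", "leftsubnet", "192.168.0.254")
        hop = next_hop(parse_routes(table), "192.168.89.5")
        print(f"{label}: next hop for 192.168.89.5 is {hop}; reaches IPsec gateway: {ok}")
```

With the first table the probe packet follows the default route to 192.168.0.1, which is exactly the symptom the quoted message describes: the gateway never sees the traffic, so nothing enters the tunnel. Run the same check on a client in each subnet, swapping `remote_key` and the gateway address for the other side.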