RE: [suse-security] IPsec (FreeS/WAN) and SuSEfirewall2
From: Stefan Nilsen [mailto:stefan.nilsen@millnet.se] Sent: Wednesday, July 03, 2002 7:17 PM
conn xpfwlsn-xpfwnsn
    left=193.193.193.200
    leftsubnet=192.168.1.0/24
    leftnexthop=193.193.193.193
    right=194.194.194.200
    rightsubnet=192.168.3.0/24
    rightnexthop=194.194.194.194
    auto=start
Perhaps it's not a good idea to set auto=start on both gw. One should have 'start', the other one 'add'.
Maybe you could post your ipsec.conf and settings in SuSEfirewall2? Please...
OK, here they are: my settings in SuSEfirewall2 are the same as you are using. And it's correct not to use '$FW_DEV_EXT' in FW_MASQ_DEV but only your external interface. Otherwise all traffic on ipsec will get masqueraded before it arrives at FreeS/WAN, and that doesn't work.

ipsec.conf right (static IP):

config setup
    interfaces=%defaultroute
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0
    right=ext_IP_of_Right
    rightid=ext_IP_of_Right
    rightsubnet=192.168.100.0/24
    rightnexthop=def_gw_of_right

# connection for Andreas Marbet home
conn amahome
    auto=add
    authby=rsasig
    rightrsasigkey=0sAQN....
    compress=no
    left=0.0.0.0
    leftsubnet=192.168.1.0/24
    leftid=@vpnama.home
    leftrsasigkey=0sAQOQ....
    # NO leftnexthop here in my case

ipsec.conf left (in my case = roadwarrior):

config setup
    interfaces=%defaultroute
    plutoload=amahome
    plutostart=amahome
    uniqueids=yes

conn %default
    keyingtries=0
    authby=rsasig
    compress=no
    right=ext_IP_of_Right
    rightid=ext_IP_of_Right
    rightsubnet=192.168.100.0/24
    rightnexthop=192.168.100.91    # = internal IP of right

conn amahome
    auto=start
    authby=rsasig
    rightrsasigkey=0sAQN...
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftid=@vpnama.home
    leftrsasigkey=0sAQOQ...

Is it a bit more clear?
Jul 3 18:57:30 xpfwl ipsec__plutorun: 112 "xpfwlsn-xpfwnsn" #2: STATE_QUICK_I1: initiate
Jul 3 18:57:30 xpfwl ipsec__plutorun: 004 "xpfwlsn-xpfwnsn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
Jul 3 18:57:30 xpfwl Pluto[2310]: "xpfwl-xpfwnsn" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
Jul 3 18:57:30 xpfwl Pluto[2310]: "xpfwl-xpfwnsn" #3: sent QI2, IPsec SA established
Jul 3 18:57:30 xpfwl ipsec__plutorun: 112 "xpfwl-xpfwnsn" #3: STATE_QUICK_I1: initiate
Jul 3 18:57:30 xpfwl ipsec__plutorun: 004 "xpfwl-xpfwnsn" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
Jul 3 18:57:30 xpfwl Pluto[2310]: "xpfwlsn-xpfwn" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
Jul 3 18:57:30 xpfwl Pluto[2310]: "xpfwlsn-xpfwn" #4: sent QI2, IPsec SA established
Jul 3 18:57:30 xpfwl ipsec__plutorun: 112 "xpfwlsn-xpfwn" #4: STATE_QUICK_I1: initiate
Jul 3 18:57:30 xpfwl ipsec__plutorun: 004 "xpfwlsn-xpfwn" #4: STATE_QUICK_I2: sent QI2, IPsec SA established
I assume this is going on and on and on... but it looks good, you're very close.
Don't know if IP-Protocol 51 is needed as well?
Here it says that 51 is only needed if I use packet level authentication. Typical case is to use 50. I added it anyway, but it did not make any difference.
You are right, I just tried it myself.
Jul 3 14:31:42 xpfwl kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=194.194.194.200 DST=192.168.1.10 LEN=84 TOS=0x00
Why does it arrive on ipsec0? It should be eth0. Taking the wrong tunnel?
I think it is correct for it to arrive on ipsec0 (in the tunnel), and later be delivered to the machine on the subnet using eth1. But for some reason SuSEfirewall2 does not want to deliver.
Maybe there is a simple addition I can make to enable the route after the SuSEfirewall2 is loaded?

An official IP shouldn't arrive on ipsec; it arrives on ethx even if it carries encrypted data, which is then passed over to ipsec.
What does 'ipsec eroute' or 'route' tell you after starting ipsec on both ends?

skol and good night,
Andreas
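The thread's two practical points are that 'conn %default' supplies values to every other conn, and that the same conn on the two gateways has to agree (subnets, ids, keys) while not both using auto=start. The following is an added example, not code from the thread, FreeS/WAN or SuSE: a small parser for FreeS/WAN-style ipsec.conf text that applies %default and compares the two ends of a conn. The two configs embedded below are constructed from the ones posted above, with the real addresses and RSA keys replaced by placeholders.

```python
"""Lint a FreeS/WAN-style ipsec.conf pair: apply 'conn %default' and check
that both gateways describe the same conn consistently.

Added example for this thread; not FreeS/WAN or SuSE code. Addresses and
keys are placeholders standing in for the values posted in the thread.
"""
import re

RIGHT_CONF = """\
config setup
    interfaces=%defaultroute
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0
    right=198.51.100.10            # placeholder for ext_IP_of_Right
    rightid=198.51.100.10
    rightsubnet=192.168.100.0/24
    rightnexthop=198.51.100.1      # placeholder for def_gw_of_right

conn amahome
    auto=add
    authby=rsasig
    rightrsasigkey=0sAQN_PLACEHOLDER
    compress=no
    left=0.0.0.0
    leftsubnet=192.168.1.0/24
    leftid=@vpnama.home
    leftrsasigkey=0sAQOQ_PLACEHOLDER
"""

LEFT_CONF = """\
config setup
    interfaces=%defaultroute
    plutoload=amahome
    plutostart=amahome
    uniqueids=yes

conn %default
    keyingtries=0
    authby=rsasig
    compress=no
    right=198.51.100.10
    rightid=198.51.100.10
    rightsubnet=192.168.100.0/24
    rightnexthop=192.168.100.91    # internal IP of right, as in the thread

conn amahome
    auto=start
    authby=rsasig
    rightrsasigkey=0sAQN_PLACEHOLDER
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftid=@vpnama.home
    leftrsasigkey=0sAQOQ_PLACEHOLDER
"""

def parse_ipsec_conf(text):
    """Return {'config': {...}, 'conns': {name: {key: value}}}.

    Sections begin with 'config setup' or 'conn <name>' at column 0;
    parameters are indented 'key=value' lines; '#' starts a comment.
    """
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            kind, name = m.groups()
            current = setup if kind == "config" else conns.setdefault(name, {})
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return {"config": setup, "conns": conns}

def effective_conns(parsed):
    """Merge 'conn %default' into every other conn; explicit values win."""
    defaults = parsed["conns"].get("%default", {})
    return {name: {**defaults, **params}
            for name, params in parsed["conns"].items() if name != "%default"}

# Parameters that must read the same on both gateways for one conn.
SHARED_KEYS = ("leftsubnet", "rightsubnet", "leftid", "rightid",
               "authby", "leftrsasigkey", "rightrsasigkey")

def check_pair(left_text, right_text, conn_name):
    """Compare one conn as seen from both ends; return a list of findings."""
    lc = effective_conns(parse_ipsec_conf(left_text))[conn_name]
    rc = effective_conns(parse_ipsec_conf(right_text))[conn_name]
    findings = []
    if lc.get("auto") == "start" and rc.get("auto") == "start":
        findings.append("both ends use auto=start; use 'add' on one side")
    for key in SHARED_KEYS:
        if lc.get(key) != rc.get(key):
            findings.append(f"{key} differs: {lc.get(key)!r} vs {rc.get(key)!r}")
    return findings

if __name__ == "__main__":
    for f in check_pair(LEFT_CONF, RIGHT_CONF, "amahome") or ["amahome: OK"]:
        print(f)
```

As posted, the two configs pass: the roadwarrior initiates (auto=start) and the static gateway only loads the conn (auto=add). Changing the static side to auto=start as well is exactly the situation the first reply warns about, and the checker reports it.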