Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] freeSWAN
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Tue, 23 May 2000 00:01:33 +0200
  • Message-id: <20000523000132.D3946@xxxxxxxxx>
* Bjoern Chyba wrote on Mon, May 22, 2000 at 14:54 +0200:
> each box has rules to accept the other's private and official addresses
> as 'trusted' (suse firewall script).

Don't know what SuSE-Scripts allow in that case. You'll need UDP
port 500 on both sides, and at least ip proto 50.

> ipsec seems to be set up correctly, turning on debug
> does not make failure output and the route is correct, too.

Did you use manual keying first? Some details could be helpful :)
Do you see proto-50 packets using a traffic sniffer between the
hosts? Does ipsec look have in and out entries?

> if i ping the other's private net packets will
> only reach ipsec0.

You mean, the gateways can ping each other but not the networks?
Did you fix the masq rules in a way that ipsec packets are
_not_ masqueraded?

> does anybody know tools to check

tcpdump, ethereal to take a look if something is running :)

> if routers inbetween drop ipsec packets?

Use tcpdump -i <dev>. The IPSec packets should have the IPs of
the gateways. You can watch port500<->port500 packets, UDP.
They're needed for that SA.

oki,

Steffen

--
This letter was generated by machine,
it therefore bears neither signature nor seal.
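
Added example, not part of the original mail: a small checker for the tcpdump test described above, which reports in which direction IKE (UDP port 500 <-> port 500) or ESP (ip proto 50) packets between the two gateways are missing from a capture. The gateway addresses, the sample capture and the `tcpdump -n` text line format it parses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, as if captured on gateway A's outside interface with:
#   tcpdump -n -i <dev> 'udp port 500 or ip proto 50 or icmp'
# Gateway A = 192.0.2.1, gateway B = 198.51.100.1 (documentation addresses).
# ESP shows up from A to B only; the last line is an unencrypted private-net ping.
SAMPLE = """\
12:00:01.000001 IP 192.0.2.1.500 > 198.51.100.1.500: isakmp: phase 1 I ident
12:00:01.050002 IP 198.51.100.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
12:00:02.000003 IP 192.0.2.1 > 198.51.100.1: ESP(spi=0x1000abcd,seq=0x1), length 116
12:00:03.000004 IP 192.0.2.1 > 198.51.100.1: ESP(spi=0x1000abcd,seq=0x2), length 116
12:00:03.500005 IP 10.1.0.5 > 10.2.0.7: ICMP echo request, id 1, seq 1, length 64
"""

# "<time> IP <src>[.<sport>] > <dst>[.<dport>]: <rest>"
LINE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > "
                  r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (.*)$")

def classify(text, gw_a, gw_b):
    """Count IKE and ESP packets between the two gateways, per direction."""
    seen = defaultdict(int)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        if {src, dst} != {gw_a, gw_b}:
            continue  # IPsec packets carry the gateways' IPs, not the private nets
        direction = "a_to_b" if src == gw_a else "b_to_a"
        if sport == "500" and dport == "500":
            seen["ike", direction] += 1
        elif rest.startswith("ESP("):
            seen["esp", direction] += 1
    return dict(seen)

def diagnose(text, gw_a, gw_b):
    """List every protocol/direction pair with no packets in the capture."""
    seen = classify(text, gw_a, gw_b)
    missing = []
    for proto, label in (("ike", "IKE (UDP port 500)"), ("esp", "ESP (ip proto 50)")):
        for direction in ("a_to_b", "b_to_a"):
            if (proto, direction) not in seen:
                missing.append(f"no {label} seen {direction}")
    return missing

if __name__ == "__main__":
    for finding in diagnose(SAMPLE, "192.0.2.1", "198.51.100.1") or ["ok"]:
        print(finding)
```

A direction that is missing on one gateway's capture but present on the other's points at a filter or router in between; missing on both points at the sending gateway's own rules.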
