* Wolfgang Schulz (Home) wrote on Sun, Aug 11, 2002 at 22:54 +0200:
Von: Steffen Dettmer [mailto:steffen@dett.de] [at this ident level]
* Wolfgang Schulz: I'm using SuSE 7.0 (with FreeS/WAN 1.4) on a firewall gateway and SafeNet/Softremote for a WIN2000 machine and want to configure a road warrior VPN. The road warriod should connect to a maskeraded net (10.96.1.64/26) behind the firewall. The problem which makes me cracy is the following: I can establish an SA - there is a tunnel between the WIN2000 machine and the firewall. I can ping from the road warrior PC to the internal address of the firewall (10.96.1.102) but I can't ping or make a connection to any other machine in that subnet.
I can only ping the internal interface of the firewall (10.96.1.102) but no other address of this subnet. But also with 10.96.1.102 there is something not correct because I can't establish a tcp connection e.g. to port 22 (where sshd is listening).
strange, what tells tcpdump?
It is my intention to configure the other VPN connection on the same box but it is not done at the moment. I only wanted to emphasize with this statement that the firewall rules should be ok.
For testing, it's just more simple to turn it off, just to avoid self-foot-shootings :)
With established connection I get (I hope I have the first line correctly in my mind because I can't currently establisg a connection becasue I'm at home): fw:~ # netstat -rn Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface xxx.xxx.xxx.xxx 213.30.70.233 255.255.255.0 U 0 0 0 ipsec0
xxx is the road warrior IP? Looks good - but the mask is wrong, isn't it? A ping -I 10.96.1.myip 10.96.1.12 works also? TCP dump ok?
I searched in a lot of archives today and found a lot of questions where the problems sound similar to me,
At least I think, there are many problems that sound similar :)
As I stated in my first email: If I start a ping from an internal machine (e.g. 10.96.1.116) I see with tcpdump at the ipsec0 interface that there is an ICMP packet sent out and there is also an answer arriving. But this answer is not forwarded to the internal interface (eth0).
The internal PING should be forwarded back to internal?! If you ping from internal to the road warrior, you see it on eth0 (intern), ipsec0 and on eth1 (external, but as proto 50 packet here)? But no response or what?
I really don't know anymore what to do!
use tcpdump a little :) oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.