Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] >I try meanwhile for two weeks to successfully connect AND ping and connect
  • From: Michael Boettjer <michael@xxxxxxxxxxxx>
  • Date: Mon, 09 Sep 2002 17:16:13 +0200
  • Message-id: <5.1.0.14.2.20020909171607.02a25ba8@xxxxxxxxxxxxxxxxxxxxxxxx>
At 15:22 09.09.2002 +0200, you wrote:
>I try meanwhile for two weeks to successfully connect AND ping and connect
>to Server in the subnet 192.168.50 or .55 (behind the 2nd Linux-Router).
>The VPN-Tunnel is established also (afaik), but nothing else happens. I
>can't reach on server. no Server in DMZ and no server in the inner-LAN
>behind the second Linux-Router. Also There are no logged drops or rejects
>from the firewall.

Maybe the answer is simple. According to your logs and your description
everything seems to work fine.

In the docs of freeswan you can read that you CAN NOT ping into the
VPN or to the other VPN-gateway from the gateway-box itself as long as you
don't take connection type tunnel!
So try to ping from a box in the VPN-subnet to a box in the other subnet.

Yes, I know that I can't ping the firewall using freeswan directly.
But a ping from the roadwarrior to a server in one of the subnets behind the firewall has to function, or not?
But a "net use" from the roadwarrior to the samba-service of the inner-router doesn't work either.

I think the problem is the SuSEfirewall. I've read that masquerading for the vpn-client has to be switched off, but how can I do that?
In my /etc/rc.config.d/firewall2.rc.config the parameter FW_MASQ_NETS="192.168.0.0/16" contains all subnets. How can I switch off the masquerading for the connection Server <--> Roadwarrior only?

Thanks for any hints...
Michael

By the way - here is my ipsec.conf from the free/SWAN-Gateway:

config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=no

conn %default
    keyingtries=1
    type=tunnel

conn warriors
    left=0.0.0.0
    leftsubnet=
    leftnexthop=
    right=195.91.41.11
    rightsubnet=192.168.0.0/16
    rightnexthop=195.91.41.254
    rightupdown=/usr/lib/ipsec/_updown_custom
    compress=yes
    keyexchange=ike
    pfs=yes
    authby=secret
    auto=add

