At 16:02 09.09.2002 +0200, you wrote:
The subnet between inner router and firewall has the range 192.168.51.0/24. ...

Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         195.90.31.254   0.0.0.0         UG     40 0      0    eth0
193.159.64.92   195.91.41.254   255.255.255.255 UGH    40 0      0    ipsec0
195.91.41.0     0.0.0.0         255.255.255.0   U      40 0      0    eth0
195.91.41.0     0.0.0.0         255.255.255.0   U      40 0      0    ipsec0
I can't find a route to the "inner router" in the subnet 192.168.51.0/24 given above. Can you ping the hosts in 192.168.0.0/16 from the firewall? If not, then it won't be possible through the VPN.
Mmh, here is the complete routing table of the firewall:

/root >route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.99   192.168.51.99   255.255.255.255 UGH   0      0        0 eth1
62.157.67.137   195.91.41.254   255.255.255.255 UGH   0      0        0 ipsec0
192.168.52.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
195.91.41.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
195.91.41.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.51.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.255.255.0   U     0      0        0 lo
0.0.0.0         195.91.41.254   0.0.0.0         UG    0      0        0 eth0

First (to begin with) I only want to ping or "net use" the inner router (192.168.51.99). This works: I can ping the router or telnet to port 139 from the firewall without problems, but not from the roadwarrior.
up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
        iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT

Did you configure the left/right-protoports in ipsec.conf? Maybe you can post your ipsec.conf.
Protoports? Here is the ipsec.conf from the firewall:

config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=no

conn %default
        keyingtries=1
        type=tunnel

conn warriors
        left=0.0.0.0
        leftsubnet=
        leftnexthop=
        right=195.91.41.11
        rightsubnet=192.168.0.0/16
        rightnexthop=195.91.41.254
        rightupdown=/usr/lib/ipsec/_updown_custom
        compress=yes
        keyexchange=ike
        pfs=yes
        authby=secret
        auto=add

As client I'm using a Win2k notebook and its IPsec implementation. The tunnel configuration is read from this ipsec.conf file:

conn %default
        dial=vpn

conn warriors
        left=%any
        right=195.91.41.11
        rightsubnet=192.168.0.0/16
        presharedkey=...
        network=ras
        auto=start
        pfs=yes
`iptables -L -nv` shows the packet counters of the rules. You can check whether the rules are hit.
tcpdump is always a big help to see whether packets leave or arrive at your firewall.
It's not installed for security reasons... ;-)) I will do that next. Any ideas? Thank you very much, Michael
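The route check the reply at the top of the thread asks for (does the firewall hold a route for the inner router, and for the rest of the declared rightsubnet 192.168.0.0/16?), as an added example that is not part of the original e-mail thread. It runs longest-prefix matching over the `route -n` output Michael posted, transcribed here as a constructed input; the function names are my own, not FreeS/WAN's.

```python
import ipaddress

# Firewall `route -n` output from the thread, transcribed here as constructed input.
ROUTE_N = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.50.99 192.168.51.99 255.255.255.255 UGH 0 0 0 eth1
62.157.67.137 195.91.41.254 255.255.255.255 UGH 0 0 0 ipsec0
192.168.52.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
195.91.41.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
195.91.41.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
192.168.51.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 lo
0.0.0.0 195.91.41.254 0.0.0.0 UG 0 0 0 eth0
"""

def parse_routes(text):
    """(network, gateway or None, iface) per entry; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():
            continue
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1] if "G" in f[3] else None, f[7]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does: (gateway, iface) or None."""
    hits = [r for r in routes if ipaddress.ip_address(dst) in r[0]]
    if not hits:
        return None
    _net, gw, iface = max(hits, key=lambda r: r[0].prefixlen)
    return gw, iface

def unrouted_part(routes, declared):
    """Pieces of the declared VPN subnet that only the default route covers,
    i.e. destinations the firewall would hand to its default gateway."""
    declared = ipaddress.ip_network(declared)
    remaining = [declared]
    for net, _gw, _iface in routes:
        if net.prefixlen == 0 or not net.subnet_of(declared):
            continue
        nxt = []
        for piece in remaining:
            if net.subnet_of(piece):
                nxt.extend(piece.address_exclude(net))  # carve this route out
            elif not piece.subnet_of(net):
                nxt.append(piece)  # not touched by this route
        remaining = nxt
    return sorted(remaining)
```

With this table, 192.168.51.99 and 192.168.50.99 resolve to eth1, while most of 192.168.0.0/16 (65023 of 65536 addresses) falls through to the default gateway on eth0 and is never forwarded towards the inner network.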