
Re: [suse-security] ipsec freeswan - connection... packets dropped ... [LONG]



On Saturday, 18 October 2003 07:00, Techno Ed wrote:
> Hi Markus!
>
> Good news.... think I've accomplished the task. It was really a
> problem with routing (as suggested by Andreas)! This is a really long
> email.
>
> -= The Solution =-
>
> Seems that I forgot to create static routes on the client machines.
> To make things clearer, I'll give an example below... after that I'll
> write some things that may be useful to you (sorry if I wrote too
> much, I just prefer not to assume anything about your expertise).
(...)

No problem, so do I.
But: your problem was the missing routing for the subnet on the other 
side, correct?
My problem: a left side subnet host can ping, telnet, ssh to a right 
side subnet host, and the right side subnet host answers correctly. But 
when the right side tries to ping (telnet, ssh, nmap) the left side, packets 
are dropped at the interface ipsec0.
Because it works perfectly from one side to the other (with answers!), 
routing can't be my problem, or am I missing something?

Here are my config files:
-------------------right side----------------------------------

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
conn %default
        keyingtries=5
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
conn VPN-Test
        left=x.x.x.x
        leftnexthop=x.x.x.y
        leftsubnet=192.168.89.0/24
        leftupdown=/usr/lib/ipsec/_updown.x509
        leftid="xxxxxxxxxxxxxxxxx"
        right=%defaultroute
        rightupdown=/usr/lib/ipsec/_updown.x509
        rightsubnet=192.168.0.0/24
        rightcert=Server@somewhere
        auto=start
----------------------------------------------------------
------------------left-side-----------------------------
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
conn %default
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        keyingtries=5
        authby=rsasig
conn VPN-Test
        left=x.x.x.x
        leftnexthop=x.x.x.y
        leftsubnet=192.168.89.0/24
        leftcert=Server1@somewhere_else
        leftupdown=/usr/lib/ipsec/_updown.x509
        right=%any
        rightnexthop=x.x.x.y
        rightsubnet=192.168.0.0/24
        rightupdown=/usr/lib/ipsec/_updown.x509
        auto=add
------------------------------------------------------
Thanks a lot!!!


-- 
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
phone: +49 941 70 65 23  - mobile: +49 170 302 709 2 
web: http://feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx
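The routing point raised in the quoted mail (subnet hosts need a route for the far subnet that points at the VPN gateway, otherwise their replies follow the default route and never reach ipsec0) can be checked mechanically on each subnet host. The script below is an added example, not part of either mail in this thread: it parses an `ip route`-style table and applies longest-prefix matching to see which gateway a packet for the remote subnet would actually use. The two routing tables, the gateway address 192.168.0.1 and the remote subnet 192.168.89.0/24 are constructed for the example, loosely following the subnets in the config above.

```python
import ipaddress

# Constructed routing tables in `ip route` output format (not taken from the thread).
# A right-side subnet host whose default router is NOT the VPN gateway and that has
# no static route for the left-side subnet:
CLIENT_WITHOUT_ROUTE = """\
default via 192.168.0.254 dev eth0
192.168.0.0/24 dev eth0 scope link
"""

# The same host after adding the static route toward the VPN gateway 192.168.0.1:
CLIENT_WITH_ROUTE = """\
default via 192.168.0.254 dev eth0
192.168.0.0/24 dev eth0 scope link
192.168.89.0/24 via 192.168.0.1 dev eth0
"""


def parse_routes(text):
    """Parse lines of the form 'default via GW dev DEV' or 'NET/LEN [via GW] dev DEV'.

    Returns a list of (network, gateway_or_None, device_or_None) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = fields[0]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dest, strict=False)
        gateway = device = None
        for i, token in enumerate(fields):
            if token == "via":
                gateway = fields[i + 1]
            elif token == "dev":
                device = fields[i + 1]
        routes.append((net, gateway, device))
    return routes


def lookup(routes, dest_ip):
    """Longest-prefix match: the most specific route containing dest_ip wins."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for net, gateway, device in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, device)
    return best


def check_vpn_path(route_text, remote_subnet, vpn_gateway):
    """Return (ok, explanation) stating whether packets for remote_subnet leave via vpn_gateway.

    If the VPN gateway is also the host's default router, the default route is
    enough and no static route is required; the check accounts for that."""
    routes = parse_routes(route_text)
    subnet = ipaddress.ip_network(remote_subnet)
    probe = next(subnet.hosts())  # any address inside the remote subnet will do
    match = lookup(routes, str(probe))
    if match is None:
        return False, f"no route at all for {probe}"
    net, gateway, device = match
    if gateway == vpn_gateway:
        return True, f"{probe} -> {net} via {gateway} dev {device}"
    return False, (f"{probe} matches {net} via {gateway or 'link'} dev {device}; "
                   f"replies bypass the VPN gateway {vpn_gateway}")


if __name__ == "__main__":
    for name, table in (("without static route", CLIENT_WITHOUT_ROUTE),
                        ("with static route", CLIENT_WITH_ROUTE)):
        ok, why = check_vpn_path(table, "192.168.89.0/24", "192.168.0.1")
        print(f"{name}: {'OK' if ok else 'BROKEN'} - {why}")
```

Run it once per subnet host (paste that host's `ip route` or `route -n` output into the table) before blaming the IPsec gateway: a one-way failure where the initiating side's packets vanish at ipsec0 is consistent with replies leaving through a different router, which this check reports as BROKEN.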

