Right, I've upgraded to freeswan 2.01 from backports.org. This was
because the 1.96 that I was using from Woody didn't recognise the
leftprotoport and rightprotoport commands. I apt-got the source,
grepped, and sure enough they weren't there. This leads me to believe
that the
But now I have a different problem. Upon reboot (recompiled the kernel with the 2.01 patch), I couldn't ssh in. Doh! I was just able to get onsite, and there was a problem with the routing table.
Kernel IP routing table
Destination     Gateway         Genmask         Metric Ref    Use Iface
localnet        *               255.255.255.240 0      0        0 eth1
localnet        *               255.255.255.240 0      0        0 ipsec0
10.0.0.0        *               255.0.0.0       0      0        0 eth0
default         195.54.235.73   128.0.0.0       0      0        0 ipsec0
128.0.0.0       195.54.235.73   128.0.0.0       0      0        0 ipsec0
default         195.54.235.73   0.0.0.0         0      0        0 eth1
What happens is that pings in or out cause the ipsec0 packet transmit count to increase, and that's about it. I had to /etc/init.d/stop ipsec to get connectivity back.
I've googled a bit and don't see the answer. Best I could come up with was http://lists.virus.org/freeswan-0307/msg00363.html. This states that OE can cause freeswan to take over the default route. But I don't want OE, and I can't for the life of me work out how to switch it off. I think it has something to do with the default policies that 1.96 didn't have, but I also can't work out how to switch them off.
http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/policygroups.html#disable_oe
Disabling Opportunistic Encryption
To disable OE (eg. policy groups and packetdefault), cut and paste the following lines to /etc/ipsec.conf:
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
Regards
Andreas
=======================================================================
Andreas Steffen                   e-mail: [EMAIL PROTECTED]
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
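Added example, not part of the original thread or FreeS/WAN's own code: a Python check that reports which of the six policy-group conns from the reply are not set to auto=ignore, and flags the half-default routes (genmask 128.0.0.0 on an ipsec device) seen in the routing table above. The function names and the sample ipsec.conf fragment are constructed for illustration, and the parser is simplified as noted in its comments.

```python
# Policy-group conns the FreeS/WAN documentation quoted above lists for disabling OE.
OE_CONNS = ("block", "private", "private-or-clear", "clear-or-private", "clear", "packetdefault")

def parse_conns(text):
    """Map each 'conn NAME' section to its settings ('include'/'also=' not followed)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # simplification: '#' starts a comment
        if not raw.strip():
            current = None                        # assumption: blank line ends a section
        elif not line:
            continue                              # comment-only line
        elif not raw[0].isspace():                # section headers start in column 0
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" and len(parts) == 2 else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def oe_conns_not_disabled(text):
    """Return the OE conns that are absent or not set to auto=ignore."""
    conns = parse_conns(text)
    return [n for n in OE_CONNS if conns.get(n, {}).get("auto") != "ignore"]

def half_default_routes(route_output):
    """Return (destination, iface) for genmask-128.0.0.0 routes on an ipsec device."""
    rows = (r.split() for r in route_output.splitlines())
    return [(f[0], f[-1]) for f in rows
            if len(f) >= 7 and f[2] == "128.0.0.0" and f[-1].startswith("ipsec")]

# Constructed ipsec.conf fragment: only two of the six conns are disabled.
SAMPLE_CONF = """\
conn block
    auto=ignore
conn packetdefault   # still active
    auto=route
conn clear
    auto=ignore
"""
# Three rows from the routing table in the post above.
SAMPLE_ROUTES = """\
default   195.54.235.73 128.0.0.0 0 0 0 ipsec0
128.0.0.0 195.54.235.73 128.0.0.0 0 0 0 ipsec0
default   195.54.235.73 0.0.0.0   0 0 0 eth1
"""
if __name__ == "__main__":
    print("OE conns not disabled:", oe_conns_not_disabled(SAMPLE_CONF))
    print("Half-default routes:", half_default_routes(SAMPLE_ROUTES))
```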