> I set up D-CD rc3 this:
>
> 192.168.1.0/24 <------> 192.168.1.254 - 24.x.x.x/32 <------> 213.x.x.x/32
> w2k network    10BaseT      D-CD BOX      ------ internet      W2K box
>
> Took FOREVER to figure out how to get IPSec to work on the LRP box so that
> it allows my W2K box to access my W2K network, but I did get it!!!
>
> Not complete, however. The biggest problem I have is the firewall rules on
> D-CD. If I set it to be a router, all works. When I set it to be a
> firewall, I can ping 192.168.1.254 from the W2K box, but can't ping the rest of
> 192.168.1.0/24. I'm certain that the reason is that forwarding is denied.

Hmm...not enough information to fully diagnose your problem, but you probably
are not manually creating the forwarding rules for the IPSec link, or you
haven't set [left|right]firewall=yes in ipsec.conf, which will do this
automatically. Another potential source of trouble is the various versions of
Win2K, some of which support making connections to entire subnets, while others
(specifically Win2K-pro) will only make host-host connections...no 'gateway'
connections to an entire network unless you've got 2K server :(

> 1) What is the best way to change the f/w rules to allow ANY traffic from the
> W2K box to the W2K network without compromising security?

Your forwarding rules can safely allow all traffic to/from your private IP
192.168.1.0/24 network. If your IPSec tunnel is down, these packets will be
blocked by the outbound garbage filters and won't make it to the internet. If
your IPSec link is up, the packets will go to ipsec0, where they will be
encrypted before being sent to eth0, where they will have an outbound source IP
of the firewall's public IP, and will make it past the outbound garbage
protection.

> 2) I'm getting martians from my W2K network ('cause I know the MAC address).
> How do I track down what application is sending them? What exactly are
> martians?

Martian messages are generated when a packet comes in an interface with a
return IP the kernel is not expecting. This is all based on routing tables. For
example, if you receive a packet with an IP address of your local net on the
internet interface, this would be unexpected, and create a 'martian' error.
These errors almost always indicate a mis-configuration of network settings on
either the firewall, or one of the machines attached to it.

You can also get martian errors if someone's sending spoofed packets your
way...this happens a lot on 'shared bandwidth' systems, like cable-modems,
where your neighbors either don't configure their network settings properly, or
use systems like Windows, which is known for spewing broadcast packets with the
internal network IP out to the internet.

> 3) Backup prompts for "press any key" but it never used to (boot from floppy).

This is an oversight on my part. I've since fixed it, but discovered a few
other bugs that require fixing before I release rc4.

> 4) When I boot the D-CD, I get a warning from IPSec saying that
> /proc/sys/net/ipv4/conf/ipsec0/rp_filter contains a 1 and should contain 0.
> What gives?

See the FreeS/WAN docs and/or list archives. The short answer is having
rp_filter on will break some flavors of IPSec links, while others will work OK.
You may need to clear the rp_filter settings to get your IPSec tunnels to
work...or you may not.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
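A simplified model of the reverse-path check behind those martian messages and the rp_filter setting, added here as an illustration; it is not part of the reply above nor of the Dachstein or FreeS/WAN code. The routing table, interface names and addresses are constructed (203.0.113.7 stands in for the poster's 213.x.x.x/32 peer).

```python
"""Toy rp_filter: flag a packet as 'martian' when the route back to its
source address does not leave via the interface the packet arrived on.
Added example with a constructed routing table; not the kernel's code."""
import ipaddress

# Constructed routes modelled on the thread's topology: LAN on eth1,
# internet on eth0, the remote W2K host (a /32 peer) reached via the tunnel.
ROUTES = [
    ("192.168.1.0/24", "eth1"),    # private W2K network
    ("203.0.113.7/32", "ipsec0"),  # stand-in for the 213.x.x.x/32 peer, via IPSec
    ("0.0.0.0/0", "eth0"),         # default route to the internet
]

def best_route(ip):
    """Longest-prefix match: the interface the kernel would use to reach `ip`."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, dev in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def is_martian(src_ip, ingress_dev):
    """Reverse-path test: martian if the reply route != ingress interface."""
    return best_route(src_ip) != ingress_dev

def classify(packets):
    """Run the check over (source IP, ingress interface) pairs."""
    return [(src, dev, "MARTIAN" if is_martian(src, dev) else "ok")
            for src, dev in packets]

# Constructed sample packets, not captured traffic.
SAMPLE = [
    ("192.168.1.10", "eth1"),  # normal LAN traffic
    ("192.168.1.10", "eth0"),  # LAN source seen on the internet side: misconfig or spoof
    ("203.0.113.7", "ipsec0"), # decrypted packet from the peer, delivered on ipsec0
    ("203.0.113.7", "eth0"),   # the peer's still-encrypted packet arriving on eth0
]

if __name__ == "__main__":
    for src, dev, verdict in classify(SAMPLE):
        print(f"{src:>14} on {dev:<6} -> {verdict}")
```

The last sample shows one way a host-to-host tunnel trips the check: once the peer's own address is routed down ipsec0, its encrypted packets arriving on eth0 fail the reverse-path test under this routing table.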
