> Loading the ip_masq_ipsec module was something I did last because I felt
> that I had tried almost everything. Even if I don't load ip_masq_ipsec I
> still can't ping from subnet to subnet with this setup. Is there some other
> things I can try to get this working?
>
> This is what I have done:
>
> 1) Installed Dachstein CD 1.02 on two machines and use them as firewalls
> with great success
> 2) I am loading ipsec.lrp (and mawk and ifconfig)
> 3) I have opened up both firewalls with EXTERN_UDP_PORTS="0/0_500" and
> EXTERN_PROTO0="50 0/0"
> 4) Configured ipsec.secrets and ipsec.conf on both machines
> 5) Restarted ipsec and then got a message about "rp_filter set to 1 should
> be 0". I set rp_filter manually (echo "0" > /some path to /rp_filter) and
> then restarted and got no errors
> 6) The tunnel is established with 'ipsec auto --up my_name' and 'ipsec
> look' looks OK on both machines

It looks like you've generally got things set up properly.

First, remember you will not be able to ping (or otherwise communicate) from
firewall-firewall across the VPN link with your subnet-subnet connection, so
make sure you're trying to ping from/to boxes other than the LEAF systems.

Second, when I've seen or heard of these sorts of problems before (i.e. the
VPN tunnel is up, but no traffic goes through), it almost always means a
problem with either the tunnel configuration (i.e. you didn't build the tunnel
you actually need), or with the IPSec packets getting dropped.  If you're
running AH instead of ESP, your packets are probably stopping at the
firewall (AH is protocol 51, ESP is protocol 50).  Regardless, you should
look at your firewall rules on both sides of the link (net ipfilter list),
looking for suspect packet/byte counts for any deny or reject rules.

Finally, since this is one of those "it looks like everything should work"
problems, if you want real help, you're probably going to have to provide a
lot of raw data for us to sift through.  At least the contents of ipsec.conf
& network.conf, and the output of "net ipfilter list", "ip addr list", "ip
route list", and "ipsec look".  Or to make it easy, just do an "ipsec
barf"...I think that works OK on LEAF.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
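The check Charles describes (scan the rule listing for deny/reject rules with non-zero counters, and confirm that ESP, AH and IKE are actually let through) is easy to automate. The script below is an added example and is not part of the original thread or of the LEAF/Dachstein distribution. It parses a constructed listing laid out like `ipchains -L -v -n` output (which is what `net ipfilter list` prints on a Dachstein box); the exact column layout and the sample counters are assumptions made for the example, not output from the poster's firewalls.

```python
"""Spot firewall rules that may be swallowing IPsec traffic.

Added example (not from the original mailing-list post). Parses a
constructed listing in ipchains ``-L -v -n`` column layout and reports
(a) DENY/REJECT rules, and DENY chain policies, that have matched packets
and (b) whether ESP (proto 50), AH (proto 51) and IKE (UDP 500) are
ACCEPTed on the input chain. The column layout is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample listing; counters and addresses are made up.
SAMPLE_LISTING = """\
Chain input (policy DENY: 3 packets, 228 bytes):
 pkts bytes target     prot opt     tosa tosx  ifname     mark   outsize  source       destination  ports
  812 61234 ACCEPT     udp  ------ 0xFF 0x00  eth0                       0.0.0.0/0    10.0.0.1     * ->   500
   42  5040 ACCEPT     50   ------ 0xFF 0x00  eth0                       0.0.0.0/0    10.0.0.1     n/a
   17  2380 DENY       51   ------ 0xFF 0x00  eth0                       0.0.0.0/0    10.0.0.1     n/a
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                       0.0.0.0/0    10.0.0.1     * ->   23
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt     tosa tosx  ifname     mark   outsize  source       destination  ports
  120  9600 ACCEPT     all  ------ 0xFF 0x00  ipsec0                     192.168.1.0/24 192.168.2.0/24 n/a
"""

POLICY_RE = re.compile(r"^Chain (\S+) \(policy (\w+): (\d+) packets")
COUNT_RE = re.compile(r"\d+[KMG]?")          # ipchains abbreviates big counters
DROP_TARGETS = {"DENY", "REJECT", "POLICY:DENY", "POLICY:REJECT"}
ESP, AH = {"50", "esp"}, {"51", "ah"}        # numeric or /etc/protocols names


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str           # ACCEPT, DENY, REJECT or POLICY:<default>
    prot: str             # lower-cased protocol column
    dport: Optional[str]  # destination port when the row carries "-> port"


def _count(tok: str) -> int:
    """Turn an ipchains counter such as '17', '61K' or '3M' into an int."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    if tok[-1] in mult:
        return int(tok[:-1]) * mult[tok[-1]]
    return int(tok)


def parse_listing(text: str) -> List[Rule]:
    """Parse the listing into Rule records, one per rule plus one per chain policy."""
    rules: List[Rule] = []
    chain = "?"
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            chain = m.group(1)
            # Record the chain's default policy as a pseudo-rule so packets that
            # fall through to a DENY policy are visible in the same report.
            rules.append(Rule(chain, int(m.group(3)), "POLICY:" + m.group(2), "any", None))
            continue
        toks = line.split()
        if not toks or not COUNT_RE.fullmatch(toks[0]):
            continue  # blank line or the column-header row
        dport = toks[-1] if len(toks) >= 3 and toks[-2] == "->" else None
        rules.append(Rule(chain, _count(toks[0]), toks[2], toks[3].lower(), dport))
    return rules


def suspect_drops(rules: List[Rule]) -> List[Rule]:
    """Deny/reject rules (and deny policies) that have actually matched packets."""
    return [r for r in rules if r.target in DROP_TARGETS and r.pkts > 0]


def ipsec_allowed(rules: List[Rule]) -> dict:
    """Is each IPsec component ACCEPTed somewhere on the input chain?"""
    accept = [r for r in rules if r.target == "ACCEPT" and r.chain == "input"]
    return {
        "esp": any(r.prot in ESP for r in accept),
        "ah": any(r.prot in AH for r in accept),
        "ike": any(r.prot == "udp" and r.dport == "500" for r in accept),
    }


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for r in suspect_drops(parsed):
        print(f"{r.chain}: {r.target} proto={r.prot} matched {r.pkts} packets")
    print(ipsec_allowed(parsed))
```

On the constructed sample the report shows AH (protocol 51) being denied with a non-zero counter and three packets hitting the input chain's DENY policy, which is exactly the kind of evidence the reply says to look for; on a real box you would feed it the text of `net ipfilter list` from both ends of the tunnel.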


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user