Hello Lynn Avants,

Thanks for your reply. I already took out the 'ip_masq_ipsec' from loading, but still, the exact problem remains. BTW, the eth1 interface from VPN1 BOX actually goes to the VPN1 BOX client. Hence, it's actually an internal device. My diagram is indeed a bit confusing.

I do have some more queries regarding keys and my pluto authlog though. Having the authlog below, from my new 'ipsec barf' result, notice that there are errors generated by Pluto. I've already gotten openssl.lrp from JNilo's site in order to resolve this. I'm thinking that Pluto's failure to read the needed certificates brings about problems in my keying/ipsec.secrets resolution. Anyways, if I'm not on the right track please let me know.

TIA
- Vic

==========
+ egrep -n Starting Pluto /var/log/auth.log
+ cat
+ sed -n $s/:.*//p
+ sed -n 1,$p /var/log/auth.log
Jul 30 06:42:07 SR3K-VPN1 Pluto[1737]: Starting Pluto (FreeS/WAN Version 1.91)
Jul 30 06:42:07 SR3K-VPN1 Pluto[1737]: including X.509 patch (Version 0.9.3)
Jul 30 06:42:07 SR3K-VPN1 Pluto[1737]: Could not change to directory '/etc/ipsec.d/cacerts'
Jul 30 06:42:07 SR3K-VPN1 Pluto[1737]: Could not change to directory '/etc/ipsec.d/crls'
Jul 30 06:42:07 SR3K-VPN1 Pluto[1737]: could not open my X.509 cert file '/etc/x509cert.der'
Jul 30 06:42:07 SR3K-VPN1 Pluto[1737]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Jul 30 06:42:10 SR3K-VPN1 Pluto[1737]: added connection description "VPN1-VPN2"
Jul 30 06:42:10 SR3K-VPN1 Pluto[1737]: listening for IKE messages
Jul 30 06:42:10 SR3K-VPN1 Pluto[1737]: adding interface ipsec0/eth0 192.168.2.1
Jul 30 06:42:10 SR3K-VPN1 Pluto[1737]: loading secrets from "/etc/ipsec.secrets"
Jul 30 06:42:11 SR3K-VPN1 Pluto[1737]: "VPN1-VPN2" #1: initiating Main Mode
Jul 30 06:42:21 SR3K-VPN1 Pluto[1737]: some IKE message we sent has been rejected with ECONNREFUSED (kernel supplied no details)
Jul 30 06:42:22 SR3K-VPN1 Pluto[1737]: packet from 192.168.2.200:61013: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 06:44:53 SR3K-VPN1 Pluto[1737]: packet from 192.168.2.200:61013: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 06:45:33 SR3K-VPN1 Pluto[1737]: packet from 192.168.2.200:61013: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 06:46:12 SR3K-VPN1 Pluto[1737]: packet from 192.168.2.200:61013: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
+ _________________________
+
+ date
Tue Jul 30 06:46:40 UTC 2002

----- Original Message -----
From: "guitarlynn" <[EMAIL PROTECTED]>
To: "Vic Berdin" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, September 30, 2002 11:57 AM
Subject: Re: [leaf-user] subnet-to-subnet simulation problem

> On Sunday 29 September 2002 05:08, Vic Berdin wrote:
>
> > VPN1-CLI
> >
> > |eth0: 192.168.4.1
> > |gw: 192.168.4.200
> > |
> > |
> > |eth1: 192.168.4.200
> > |gw: 192.168.2.1
> >
> > VPN1 BOX
>
> From the look of things, you're using Dachstein, so I will assume this.
> Looks pretty unusual to use eth1 as an external interface, this can
> bork the networking pretty good with Dachstein in the default setup.
>
> > ip_masq_ipsec 7328 0 (unused)
>
> DO NOT USE the ipsec module with Dachstein; it will bork everything
> up with the ipsec-kernel. The module is only used for pass-through
> with Dachstein.
>
>
> > Jul 30 03:42:30 SR3K-VPN1 Pluto[1574]: packet from
> > 192.168.2.200:61070: initial Main Mode message received on
> > 192.168.2.1:500 but no connection has been authorized
>
> Looks like your keys/naming isn't right in ipsecrets and the point
> of failure unless having the ipsec module loaded is messing the
> connection up here (good possibility).
>
> --
>
> ~Lynn Avants
> aka Guitarlynn
>
> guitarlynn at users.sourceforge.net
> http://leaf.sourceforge.net
>
> If linux isn't the answer, you've probably got the wrong question!
