On Monday 30 September 2002 09:49, Vic Berdin wrote:

> Kernel IP routing table
> Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
> 192.168.5.0     192.168.2.200   255.255.255.0   UG      0 0          0 ipsec0
> 192.168.4.0     0.0.0.0         255.255.255.0   U       0 0          0 eth1
> 192.168.2.0     0.0.0.0         255.255.255.0   U       0 0          0 eth0
> 192.168.2.0     0.0.0.0         255.255.255.0   U       0 0          0 ipsec0
> 0.0.0.0         192.168.2.200   0.0.0.0         UG      0 0          0 eth0

> Kernel IP routing table
> Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
> 192.168.5.0     0.0.0.0         255.255.255.0   U       0 0          0 eth1
> 192.168.4.0     192.168.3.200   255.255.255.0   UG      0 0          0 ipsec0
> 192.168.3.0     0.0.0.0         255.255.255.0   U       0 0          0 eth0
> 192.168.3.0     0.0.0.0         255.255.255.0   U       0 0          0 ipsec0
> 0.0.0.0         192.168.3.200   0.0.0.0         UG      0 0          0 eth0

You have shown that eth0 is your internal address and eth1 is your external.... Apparently you haven't fixed everything attempting to run this way, since your routing tables on both boxes clearly show that the machine(s) still think eth0 is the default route. In other words, your routing is attempting to run backwards.

> conn VPN1-VPN2
>     auto=start
>     type=tunnel
>     left=192.168.2.1
>     leftsubnet=192.168.4.0/24
>     leftnexthop=192.168.2.200
>     right=192.168.3.1
>     authby=rsasig
>     #authby=secret
>     leftid=192.168.2.1
>     rightid=192.168.3.1
>     rightsubnet=192.168.5.0/24
>     rightnexthop=192.168.3.200
>     leftrsasigkey=[sums to 364c...]
>     rightrsasigkey=[sums to 1636...]
>     keyexchange=ike
>     keylife=8h
>     keyingtries=0
>     pfs=yes
>     rekeymargin=9m
>     rekeyfuzz=25%

> conn VPN1-VPN2
>     auto=start
>     type=tunnel
>     left=192.168.2.1
>     leftsubnet=192.168.4.0/24
>     leftnexthop=192.168.2.200
>     right=192.168.3.1
>     authby=rsasig
>     #authby=secret
>     leftid=192.168.2.1
>     rightid=192.168.3.1
>     rightsubnet=192.168.5.0/24
>     rightnexthop=192.168.3.200
>     leftrsasigkey=[sums to 364c...]
>     rightrsasigkey=[sums to 1636...]
>     keyexchange=ike
>     keylife=8h
>     keyingtries=0
>     pfs=yes
>     rekeymargin=9m
>     rekeyfuzz=25%

Both sides are intending to "start" the connection.... only one can "start" the connection, the other side(s) must "add". And as Charles noted, nothing will ever be accepted if the checksums of the RSA keys do not match. I would suggest using a secret key first, then going to keys (then certs if desired). Start simple, then make the system more complicated.
--
~Lynn Avants aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net
If linux isn't the answer, you've probably got the wrong question!

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
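As an added example (not from the thread or the LEAF project), a small Python script that applies the two checks this reply makes to the quoted `route -n` output and conn block: whether the default route leaves through the interface the operator declares internal, and whether the two gateways' conn blocks both say auto=start or carry RSA key values that do not match each other. The routing table is copied from the post, the conn block is trimmed, the key values are constructed placeholders, and the interface roles (eth0 internal, eth1 external, as the reply reads them) are passed in as parameters.

```python
import re
# Constructed sample: VPN1's `route -n` output as quoted in the thread.
VPN1_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
192.168.5.0     192.168.2.200   255.255.255.0   UG      0 0          0 ipsec0
192.168.4.0     0.0.0.0         255.255.255.0   U       0 0          0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U       0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U       0 0          0 ipsec0
0.0.0.0         192.168.2.200   0.0.0.0         UG      0 0          0 eth0
"""
# Constructed sample: the quoted conn block, trimmed; key values are placeholders.
VPN1_CONF = """\
conn VPN1-VPN2
    auto=start
    left=192.168.2.1
    right=192.168.3.1
    authby=rsasig
    #authby=secret
    leftrsasigkey=0sPLACEHOLDER-LEFT
    rightrsasigkey=0sPLACEHOLDER-RIGHT
"""
VPN2_CONF = VPN1_CONF.replace("auto=start", "auto=add")  # other gateway, as the reply asks

def parse_routes(text):
    """Return the data rows of `route -n` output as dicts (header lines skipped)."""
    rows = []
    for line in text.splitlines():
        if len(f := line.split()) == 8 and re.fullmatch(r"[\d.]+", f[0]):
            rows.append({"dest": f[0], "gw": f[1], "flags": f[3], "iface": f[7]})
    return rows

def check_routes(routes, internal_iface, external_iface):
    """Flag a default route (0.0.0.0) that leaves via the interface declared internal."""
    return [f"default route via internal {internal_iface} (gw {r['gw']}); expected {external_iface}"
            for r in routes if r["dest"] == "0.0.0.0" and r["iface"] == internal_iface]

def parse_conn(text):
    """Parse the key=value lines of one conn block into a dict; '#' comments are dropped."""
    return dict(re.findall(r"^\s*(\w+)=(\S+)", re.sub(r"#.*", "", text), re.M))

def check_conn_pair(a, b):
    """Apply the reply's two rules to the conn blocks of the two gateways."""
    findings = []
    if a.get("auto") == "start" and b.get("auto") == "start":
        findings.append("both sides auto=start; one side must use auto=add")
    for key in ("leftrsasigkey", "rightrsasigkey"):
        if a.get(key) != b.get(key):
            findings.append(f"{key} differs between the two gateways")
    return findings
```

Run the same checks against VPN2's table with its own interface roles; a clean result from both is the point at which it makes sense to move on from authby=secret to RSA keys, as the reply suggests.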
