----- Original Message -----
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
To: "guitarlynn" <[EMAIL PROTECTED]>; "Vic Berdin" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, October 02, 2002 12:07 AM
Subject: Re: [leaf-user] subnet-to-subnet simulation problem
> > Both sides are intending to "start" the connection.... only one can
> > "start" the connection, the other side(s) must "add".
>
> Actually, this is quite legal, and how I have most of my VPNs set up
> (the exceptions are the connections where one end has a dynamic IP...you
> can't start these from the end that doesn't know both IPs!).
>
> Typically, I'll set keying retries to a small number on the "more
> stable" box (i.e. the Office VPN gateway) so if for any reason it reboots
> it will restore the connections, but won't keep trying forever (in case
> one of the home firewalls is off-line), while I set the home-based
> systems' retries to "0", so they'll keep trying to establish a connection
> as long as they're on-line.
Yes, and I've looked closely into what Lynn Avant is pointing out
about my routes. Well, I don't see anything wrong with it. I repeat
that VPN1-CLI can 'ping' VPN2 BOX's 192.168.3.1 external IP,
and likewise VPN2-CLI can 'ping' VPN1-BOX's 192.168.2.1
external IP. I also allow the two client machines to access our office
network and the net via ROUTER's 192.168.1.200 external
interface. FWIW, I pasted my routes and traceroute results.

Anyway, as an update to my VPN woes, I'm already able to get rid
of the md5sum discrepancies pointed out by Charles (the md5sum
bin I got is broken). Yet, the same 'trapped' status remains.
I also tried using the very latest ipsec kernel patch, which is 1.98b,
against JNilo's ipsec.lrp v1.97 (not sure if this is OK though, but
I'll also be rolling one using the latest builds). And still, this
'trapped' status lurks.

My desperate approach now is to try to look more closely at
my configs and secrets files and also try using an RH7.2
standard distro and learn from it once I get my first tunnel!

From the diagram:
============
VPN1-CLI (Client)
|eth0: 192.168.4.1 gw: 192.168.4.200
|
|eth1: 192.168.4.200 gw: 192.168.2.1
VPN1 BOX
|eth0: 192.168.2.1 gw: 192.168.2.200
|
|eth1: 192.168.2.200 gw: 192.168.1.200
ROUTER---eth0: 192.168.1.200 gw: 192.168.1.3
|eth2: 192.168.3.200 gw: 192.168.1.200
|
|eth0: 192.168.3.1 gw: 192.168.3.200
VPN2 BOX
|eth1: 192.168.5.200 gw: 192.168.3.1
|
|eth0: 192.168.5.1 gw: 192.168.5.200
VPN2-CLI (Client)
Route tables:
============
VPN1 BOX Kernel IP routing table
Destination     Gateway         Genmask         Iface
192.168.5.0     192.168.2.200   255.255.255.0   ipsec0
192.168.4.0     0.0.0.0         255.255.255.0   eth1
192.168.2.0     0.0.0.0         255.255.255.0   eth0
192.168.2.0     0.0.0.0         255.255.255.0   ipsec0
0.0.0.0         192.168.2.200   0.0.0.0         eth0

VPN2 BOX Kernel IP routing table
Destination     Gateway         Genmask         Iface
192.168.5.0     0.0.0.0         255.255.255.0   eth1
192.168.4.0     192.168.3.200   255.255.255.0   ipsec0
192.168.3.0     0.0.0.0         255.255.255.0   eth0
192.168.3.0     0.0.0.0         255.255.255.0   ipsec0
0.0.0.0         192.168.3.200   0.0.0.0         eth0
Traceroutes:
============
VPN1 BOX: 'traceroute www.google.com':
1 192.168.2.200 (192.168.2.200) 0.582 ms 0.559 ms 0.543 ms
2 192.168.1.3 (192.168.1.3) 0.697 ms 0.734 ms 0.679 ms
3 202.164.181.237 (202.164.181.237) 2.089 ms 1.812 ms 1.836 ms
4 203.167.82.33 (203.167.82.33) 1.946 ms 11.94 ms 1.968 ms
5 207.176.97.97 (207.176.97.97) 29.38 ms 29.115 ms 29.338 ms
6 207.176.96.65 (207.176.96.65) 32.044 ms 32.725 ms 29.991 ms
7 202.84.143.25 (202.84.143.25) 183.209 ms 187.223 ms 184.571 ms
8 eqixsj-google-gige.google.com (206.223.116.21) 183.135 ms 182.435 ms 187.193 ms
9 core2-0-2-0.pao.net.google.com (216.239.48.213) 185.187 ms 186.571 ms 187.59 ms
10 216.239.48.53 (216.239.48.53) 190.836 ms 189.131 ms 187.449 ms
11 br1-1-3-0.ex.net.google.com (216.239.48.57) 194.241 ms 195.882 ms 195.433 ms
12 exbi2-1-1.net.google.com (216.239.47.6) 202.401 ms 203.635 ms 197.497 ms
13 * * *
14 * * *
15 * * *
VPN2 BOX: 'traceroute www.slashdot.org':
1 192.168.3.200 (192.168.3.200) 0.755 ms 0.537 ms 0.525 ms
2 192.168.1.3 (192.168.1.3) 0.733 ms 0.716 ms 0.71 ms
3 202.164.181.237 (202.164.181.237) 1.842 ms 2.695 ms 1.825 ms
4 203.167.82.33 (203.167.82.33) 1.918 ms 1.863 ms 1.835 ms
5 208.172.151.5 (208.172.151.5) 258.009 ms 257.719 ms 258.078 ms
6 agr2-loopback.SantaClara.cw.net (208.172.146.102) 258.227 ms 259.141 ms 258.215 ms
7 dcr1-so-7-1-0.SantaClara.cw.net (208.172.156.57) 258.067 ms 258.154 ms 257.993 ms
8 agr3-so-4-0-0.SantaClara.cw.net (208.172.156.26) 260.374 ms agr4-so-4-0-0.SantaClara.cw.net (208.172.156.30) 258.151 ms 258.936 ms
9 acr1-loopback.Boston.cw.net (208.172.50.61) 327.809 ms 331.011 ms 327.227 ms
10 ibr02-p5-0.wlhm01.exodus.net (208.172.51.202) 327.776 ms 327.513 ms 327.702 ms
11 dcr04-g4-0.wlhm01.exodus.net (64.14.70.66) 340.823 ms 340.681 ms 340.251 ms
12 csr03-ve240.wlhm02.exodus.net (64.14.70.130) 342.399 ms 340.913 ms 579.279 ms
13 64.28.66.204 (64.28.66.204) 341.645 ms 342.502 ms 340.416 ms
14 * * *
15 * * *
16 * * *
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
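An added check of my own (not code from this thread or from FreeS/WAN): it parses the two routing tables pasted above and confirms that the far subnet is routed into ipsec0 toward the same next hop as the default route, which is what keeps subnet-to-subnet traffic from ever leaving eth0 unencrypted. The routes in the message pass, so the remaining 'trapped' problem is not a routing one.

```python
import ipaddress

# Routing tables exactly as pasted in the message (constructed input;
# columns are Destination Gateway Genmask Iface, netstat -rn style).
VPN1_ROUTES = """\
192.168.5.0 192.168.2.200 255.255.255.0 ipsec0
192.168.4.0 0.0.0.0 255.255.255.0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 ipsec0
0.0.0.0 192.168.2.200 0.0.0.0 eth0
"""

VPN2_ROUTES = """\
192.168.5.0 0.0.0.0 255.255.255.0 eth1
192.168.4.0 192.168.3.200 255.255.255.0 ipsec0
192.168.3.0 0.0.0.0 255.255.255.0 eth0
192.168.3.0 0.0.0.0 255.255.255.0 ipsec0
0.0.0.0 192.168.3.200 0.0.0.0 eth0
"""


def parse_routes(text):
    """Turn 'dest gw genmask iface' lines into (network, gateway, iface)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip headers and blank lines
        dest, gw, mask, iface = parts
        routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"),
                       ipaddress.IPv4Address(gw), iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the way the kernel picks a route."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def tunnel_route_ok(routes, remote_subnet, tunnel_iface="ipsec0"):
    """True if both ends of remote_subnet are routed into the IPsec virtual
    interface and toward the same next hop as the default route, so packets
    for the far LAN are encrypted rather than sent in the clear via eth0."""
    net = ipaddress.IPv4Network(remote_subnet)
    default_gw = next(gw for n, gw, _ in routes if n.prefixlen == 0)
    for probe in (net.network_address + 1, net.broadcast_address - 1):
        hit = lookup(routes, str(probe))
        if hit is None or hit[2] != tunnel_iface or hit[1] != default_gw:
            return False
    return True
```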