> Anyway, as an update to my VPN woes, I'm already able to get rid
> of the md5sum discrepancies pointed out by Charles (the md5sum
> bin I got is broken). Yet, the same 'trapped' status remains.

Hmm...I *KNOW* the ipsec stuff on Dachstein-CD works...I use it in
production daily.  I agree your routing setup looks OK, and IIRC, your
IPChains rules looked acceptable as well.  To get past the "trapped"
stage and actually build an SA, all you really need is UDP port-500
traffic between the two machines.  Once the SA is in place, any actual
traffic will be transmitted using protocol 50 (ESP) or 51 (AH),
depending on your config setup.

I still think you've got a problem in one (or more) of the four
configuration files (2x ipsec.conf & 2x ipsec.secrets).  I haven't seen
the unabridged contents of these, so I can't say for sure if there is or
isn't a problem.

I would recommend the following plan of action:

1) Visually compare the contents of your ipsec.conf files with the
ipsec.secrets files on both ends to make *SURE* everything matches
exactly.  If you want, you can send the files to me (or the list) and
I'll take a look at them.  You will need to regenerate them anyway, as
1024 bit public key encryption is now fairly easy to break using
brute-force techniques and a fairly small distributed cluster (i.e.
zombied machines gathered by script-kiddie hackers, or a system easily
put together by a government or mid-sized business)...you should use
2048 bits minimum on any production networks (note this applies to ssh
keys, x.509 certificates, and anything else using public key
cryptography).

2) If you're still stuck, try re-building both ends from "scratch",
starting with a clean version of Dachstein, or at the very least a new
ipsec.lrp.  Re-create your RSA keys, and re-build your ipsec.conf and
ipsec.secrets files.

3) If that doesn't work, it's time to start tracking packets through the
network if you haven't done so already.  Track the UDP port-500 traffic
through your network with ipchains logging rules, a traffic sniffer, or
whatever is handy.  Verify nothing is happening to the packets (like
masquerading) on their trip between the two hosts.

4) If you're *STILL* not going, you'll probably have to enable
debugging, and plead to the FreeS/WAN list gurus for help interpreting
the results :-(

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
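One way to do the packet tracking in step 3 of the plan above, added here as an example and not code from the thread or from the LEAF project: a small Python checker that classifies ipchains kernel log lines into IKE (UDP/500) traffic in each direction and ESP/AH (protocol 50/51) traffic between the two gateways, and flags any port-500 packet whose addresses no longer match the expected pair, which is what a masquerading hop on the path looks like in the logs. The "Packet log:" line layout is assumed, and the addresses and log lines are constructed.

```python
import re
from collections import Counter

# Assumed ipchains kernel log layout (one packet per line):
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=... (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
IKE_PORT, ESP, AH = 500, 50, 51  # UDP/500 builds the SA; 50/51 carry traffic once it is up

def parse_line(line):
    """Return the packet fields of one ipchains log line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("proto", "sport", "dport"):
        d[k] = int(d[k])
    return d

def check_ike_path(lines, local, peer):
    """Count IKE packets in each direction and ESP/AH packets between local and peer.
    UDP/500 packets that involve only one of the two addresses are reported as
    'rewritten': that is what a masquerading hop on the path looks like in the log."""
    counts, rewritten = Counter(), []
    expected = {local, peer}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        pair = {p["src"], p["dst"]}
        if p["proto"] == 17 and IKE_PORT in (p["sport"], p["dport"]):
            if pair == expected:
                counts["ike_out" if p["src"] == local else "ike_in"] += 1
            elif pair & expected:
                rewritten.append(line.strip())
        elif p["proto"] in (ESP, AH) and pair == expected:
            counts["esp_ah"] += 1
    return {"ike_out": counts["ike_out"], "ike_in": counts["ike_in"],
            "esp_ah": counts["esp_ah"], "rewritten": rewritten}

# Constructed sample: gateway 10.0.0.2 sends IKE to peer 192.0.2.1, the packet leaves the
# outer interface with a masqueraded source, and the reply returns to 203.0.113.5 instead.
SAMPLE_LOG = [
    "Packet log: output ACCEPT eth0 PROTO=17 10.0.0.2:500 192.0.2.1:500 L=200 S=0x00 I=1 F=0x0000 T=64 (#3)",
    "Packet log: output ACCEPT eth1 PROTO=17 203.0.113.5:500 192.0.2.1:500 L=200 S=0x00 I=1 F=0x0000 T=63 (#4)",
    "Packet log: input ACCEPT eth1 PROTO=17 192.0.2.1:500 203.0.113.5:500 L=200 S=0x00 I=2 F=0x0000 T=61 (#5)",
]
```

Run `check_ike_path(SAMPLE_LOG, "10.0.0.2", "192.0.2.1")` on the sample: one outbound IKE packet, no inbound one, no ESP/AH, and two rewritten port-500 lines, which points straight at the masquerading rule rather than at the ipsec.conf files.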

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html