Hello Charles, Lynn, everyone!

And well enough!! A tunnel is UP! Both clients from end-to-end can ping each other. Thanks for all your help!

I fixed a bit of chaining rules and followed the 2048 sigkey regeneration recommended by Charles. I did almost nothing on the ipsec confs, but replace the new keys and the secrets files. After a restart! I went: "WOW! SO THIS IS WHAT A TUNNEL LOOKS LIKE" I'm just so happy :o)))).

My next venture is a LEAF/DS --- WIN2K VPN *sigh* ... I get this feeling you guys will hear from me soon. heheh.

Thanks again! Charles/Lynn/Everyone!

-------------------------
'ipsec look' on SR3K-VPN1 Thu Oct 3 20:10:14 UTC 2002
-------------------------
SR3K-VPN1 Thu Oct 3 20:10:36 UTC 2002
192.168.4.0/24 -> 192.168.5.0/24 => [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] (18)
ipsec0->eth0 mtu=16260(1427)->1500
[EMAIL PROTECTED] AH_HMAC_MD5: dir=in src=192.168.3.1 ooowin=64 alen=128 aklen=128 life(c,s,h)=add(2857,0,0)
[EMAIL PROTECTED] AH_HMAC_MD5: dir=in src=192.168.3.1 ooowin=64 seq=21 bit=0x0001fffff alen=128 aklen=128 life(c,s,h)=bytes(2180,0,0)add(2850,0,0)use(2543,0,0)packets(21,0,0) idle=720
[EMAIL PROTECTED] AH_HMAC_MD5: dir=out src=192.168.2.1 ooowin=64 alen=128 aklen=128 life(c,s,h)=add(2857,0,0)
[EMAIL PROTECTED] AH_HMAC_MD5: dir=out src=192.168.2.1 ooowin=64 seq=18 alen=128 aklen=128 life(c,s,h)=bytes(2344,0,0)add(2850,0,0)use(2543,0,0)packets(18,0,0) idle=1497
[EMAIL PROTECTED] ESP_3DES: dir=in src=192.168.3.1 iv_bits=64bits iv=0x6a06cbef49d98ab0 ooowin=64 eklen=192 life(c,s,h)=add(2857,0,0)
[EMAIL PROTECTED] ESP_3DES: dir=in src=192.168.3.1 iv_bits=64bits iv=0x4c2c3b60a4b7f59b ooowin=64 seq=21 bit=0x0001fffff eklen=192 life(c,s,h)=bytes(1748,0,0)add(2850,0,0)use(2543,0,0)packets(21,0,0) idle=720
[EMAIL PROTECTED] ESP_3DES: dir=out src=192.168.2.1 iv_bits=64bits iv=0xf764e37594b2c2b3 ooowin=64 eklen=192 life(c,s,h)=add(2857,0,0)
[EMAIL PROTECTED] ESP_3DES: dir=out src=192.168.2.1 iv_bits=64bits iv=0x6b76781bf9385d32 ooowin=64 seq=18 eklen=192 life(c,s,h)=bytes(1912,0,0)add(2850,0,0)use(2543,0,0)packets(18,0,0) idle=1497
[EMAIL PROTECTED] IPIP: dir=in src=192.168.3.1 life(c,s,h)=add(2857,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=192.168.2.1 life(c,s,h)=add(2857,0,0)
[EMAIL PROTECTED] IPIP: dir=in src=192.168.3.1 life(c,s,h)=bytes(1748,0,0)add(2850,0,0)use(2543,0,0)packets(21,0,0) idle=720
[EMAIL PROTECTED] IPIP: dir=out src=192.168.2.1 life(c,s,h)=bytes(1548,0,0)add(2850,0,0)use(2543,0,0)packets(18,0,0) idle=1497
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.2.200   0.0.0.0         UG        0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
192.168.5.0     192.168.2.200   255.255.255.0   UG        0 0          0 ipsec0

---------------------------
'ipsec auto --status' on SR3K-VPN1 BOX:
---------------------------
000 interface ipsec0/eth0 192.168.2.1
000
000 "VPN1-VPN2": 192.168.4.0/24===192.168.2.1---192.168.2.200...
000 "VPN1-VPN2": ...192.168.3.200---192.168.3.1===192.168.5.0/24
000 "VPN1-VPN2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "VPN1-VPN2": policy: PSK+ENCRYPT+AUTHENTICATE+TUNNEL+PFS; interface: eth0; erouted
000 "VPN1-VPN2": newest ISAKMP SA: #3; newest IPsec SA: #4; eroute owner: #4
000
000 #2: "VPN1-VPN2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25646s
000 #2: "VPN1-VPN2" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #1: "VPN1-VPN2" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 204s
000 #4: "VPN1-VPN2" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 26135s; newest IPSEC; eroute owner
000 #4: "VPN1-VPN2" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #3: "VPN1-VPN2" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 935s; newest ISAKMP

-------------------------
'ipsec look' on SR3K-VPN2 Thu Oct 3 20:10:14 UTC 2002
-------------------------
192.168.5.0/24 -> 192.168.4.0/24 => [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] (21)
ipsec0->eth0 mtu=16260(1427)->1500
[EMAIL PROTECTED] AH_HMAC_MD5: dir=out src=192.168.3.1 ooowin=64 alen=128 aklen=128 life(c,s,h)=add(2843,0,0)
[EMAIL PROTECTED] AH_HMAC_MD5: dir=out src=192.168.3.1 ooowin=64 seq=21 alen=128 aklen=128 life(c,s,h)=bytes(2684,0,0)add(2836,0,0)use(2529,0,0)packets(21,0,0) idle=706
[EMAIL PROTECTED] AH_HMAC_MD5: dir=in src=192.168.2.1 ooowin=64 alen=128 aklen=128 life(c,s,h)=add(2843,0,0)
[EMAIL PROTECTED] AH_HMAC_MD5: dir=in src=192.168.2.1 ooowin=64 seq=18 bit=0x00003ffff alen=128 aklen=128 life(c,s,h)=bytes(1912,0,0)add(2836,0,0)use(2529,0,0)packets(18,0,0) idle=1483
[EMAIL PROTECTED] ESP_3DES: dir=out src=192.168.3.1 iv_bits=64bits iv=0x4747733efef32654 ooowin=64 eklen=192 life(c,s,h)=add(2843,0,0)
[EMAIL PROTECTED] ESP_3DES: dir=out src=192.168.3.1 iv_bits=64bits iv=0x24e934d7ce23191e ooowin=64 seq=21 eklen=192 life(c,s,h)=bytes(2180,0,0)add(2836,0,0)use(2529,0,0)packets(21,0,0) idle=706
[EMAIL PROTECTED] ESP_3DES: dir=in src=192.168.2.1 iv_bits=64bits iv=0xe57d6ac84a259fca ooowin=64 eklen=192 life(c,s,h)=add(2843,0,0)
[EMAIL PROTECTED] ESP_3DES: dir=in src=192.168.2.1 iv_bits=64bits iv=0xb91b493bc2212642 ooowin=64 seq=18 bit=0x00003ffff eklen=192 life(c,s,h)=bytes(1548,0,0)add(2836,0,0)use(2529,0,0)packets(18,0,0) idle=1483
[EMAIL PROTECTED] IPIP: dir=in src=192.168.2.1 life(c,s,h)=add(2843,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=192.168.3.1 life(c,s,h)=add(2843,0,0)
[EMAIL PROTECTED] IPIP: dir=in src=192.168.2.1 life(c,s,h)=bytes(1548,0,0)add(2836,0,0)use(2529,0,0)packets(18,0,0) idle=1483
[EMAIL PROTECTED] IPIP: dir=out src=192.168.3.1 life(c,s,h)=bytes(1748,0,0)add(2836,0,0)use(2529,0,0)packets(21,0,0) idle=706
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.3.200   0.0.0.0         UG        0 0          0 eth0
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
192.168.4.0     192.168.3.200   255.255.255.0   UG        0 0          0 ipsec0

---------------------------
'ipsec auto --status' of SR3K-VPN2 BOX:
---------------------------
000 interface ipsec0/eth0 192.168.3.1
000
000 "VPN1-VPN2": 192.168.5.0/24===192.168.3.1---192.168.3.200...
000 "VPN1-VPN2": ...192.168.2.200---192.168.2.1===192.168.4.0/24
000 "VPN1-VPN2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "VPN1-VPN2": policy: PSK+ENCRYPT+AUTHENTICATE+TUNNEL+PFS; interface: eth0; erouted
000 "VPN1-VPN2": newest ISAKMP SA: #1; newest IPsec SA: #4; eroute owner: #4
000
000 #3: "VPN1-VPN2" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 26061s
000 #3: "VPN1-VPN2" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #2: "VPN1-VPN2" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 860s
000 #4: "VPN1-VPN2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25586s; newest IPSEC; eroute owner
000 #4: "VPN1-VPN2" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
000 #1: "VPN1-VPN2" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 145s; newest ISAKMP
