Charles Steinkuehler wrote:
>
> Michael D. Schleif wrote:
> > Charles Steinkuehler wrote:
> >> You don't give enough information to correctly diagnose martian errors,
> >> which are based pretty much entirely on the status of the route tables.
> >> Also, while I have not done a lot of host-host or host-subnet VPNs
> >> (you also don't include your IPSec configuration), you will run into
> >> problems with these VPN flavors if you don't have rpfiltering turned off
> >> (you'll get a warning when starting IPSec about this if it's enabled).
For further information, please, let me know and I will be as verbose as
necessary on a separate webpage. Let's hope that I remember to publish
the final solution exhaustively to the list ;>
[1] Indeed, that pesky martian problem appears to be directly related
to the values of:
/proc/sys/net/ipv4/conf/ipsec0/rp_filter
/proc/sys/net/ipv4/conf/wan1/rp_filter
Changing them from `1` to `0` resolves that issue.
[2] The current setup is to mimic the intended vpn between DCD at
pinktrout and that pesky dicom cisco vpn, for which we are
substituting another of our DCD's: bluetrout.
[3] Now, with that 1 -> 0 conversion and following ipsec configuration,
SA is established on both sides.
[4] Neither side can ping anything on the other side.
[5] routes:
root@bluetrout:/root
# ip route
64.4.222.158 dev wan1 proto kernel scope link src 64.4.222.157
64.4.222.158 dev ipsec0 proto kernel scope link src 64.4.222.157
144.228.51.210 via 64.4.222.158 dev ipsec0 src 192.168.1.254
64.4.197.64/26 dev eth1 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
default via 64.4.222.158 dev wan1
root@pinktrout:/root
# ip route
144.228.51.209 dev wan1 proto kernel scope link src 144.228.51.210
144.228.51.209 dev ipsec0 proto kernel scope link src 144.228.51.210
192.168.1.0/24 via 144.228.51.209 dev ipsec0 src 192.168.11.254
192.168.14.0/24 dev eth1 proto kernel scope link src 192.168.14.254
192.168.13.0/24 dev eth0 scope link
192.168.12.0/24 dev eth0 scope link
192.168.11.0/24 dev eth0 proto kernel scope link src 192.168.11.254
192.168.10.0/24 dev eth0 scope link
default via 144.228.51.209 dev wan1
[6] udp port 500 & protocols 50 & 51:
root@bluetrout:/root
# ipchains -nvL --line-numbers | grep '\( 5[01] \|500$\)'
1 0 0 ACCEPT 51 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a
2 0 0 ACCEPT 50 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a
3 0 0 ACCEPT 51 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a
4 0 0 ACCEPT 50 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a
5 0 0 ACCEPT 51 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a
6 0 0 ACCEPT 50 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a
7 0 0 ACCEPT 51 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a
8 0 0 ACCEPT 50 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a
53 62 9756 ACCEPT udp ------ 0xFF 0x00 wan1 0.0.0.0/0 64.4.222.157 * -> 500
root@pinktrout:/root
# ipchains -nvL --line-numbers | grep '\( 5[01] \|500$\)'
50 26 6156 ACCEPT udp ------ 0xFF 0x00 wan1 0.0.0.0/0 144.228.51.210 * -> 500
[7] kern.log:
root@pinktrout:/root
# tail -f /var/log/kern.log
Nov 12 20:41:18 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62911 F=0x0000 T=54 (#56)
Nov 12 20:41:19 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62913 F=0x0000 T=54 (#56)
Nov 12 20:41:20 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62915 F=0x0000 T=54 (#56)
[8] ipsec.conf
bluetrout
=========
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
conn %default
    authby=rsasig
    auto=start
    keyingtries=0
    left=%defaultroute
    leftfirewall=yes
    [EMAIL PROTECTED]
    leftrsasigkey=_super_dooper_secret_L_
    leftsubnet=192.168.1.0/24
include ipsec/pinktrout.conf
ipsec/pinktrout.conf
====================
conn pinktrout
    right=144.228.51.210
    [EMAIL PROTECTED]
    rightrsasigkey=_super_dooper_secret_R_
pinktrout
=========
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
conn %default
    authby=rsasig
    auto=start
    keyingtries=0
    left=%defaultroute
    leftfirewall=yes
    [EMAIL PROTECTED]
    leftrsasigkey=_super_dooper_secret_L_
include ipsec/bluetrout.conf
ipsec/bluetrout.conf
====================
conn bluetrout
    right=64.4.222.157
    [EMAIL PROTECTED]
    rightrsasigkey=_super_dooper_secret_R_
    rightsubnet=192.168.1.0/24
--
Best Regards,
mds
mds resource
888.250.3987
Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much we think we know.
The more I know, the more I know I don't know . . .
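Detection logic over kern.log entries of the kind shown in item [7] above, as an added example that is not part of the original mail: it parses ipchains "Packet log:" lines and reports IPsec traffic (ESP, AH, IKE) between the two gateway addresses that the firewall denied, grouped by the rule number in the trailing `(#nn)`, which is the rule to inspect. The sample lines are constructed from the mail's log format; the telnet entry, the IKE entry and the 198.51.100.7 address are invented controls.

```python
import re
from collections import Counter

# ipchains kernel log layout, e.g.
# "... Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 ... (#56)"
# ESP/AH have no ports, so the kernel logs 65535 in both port fields.
PKT_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+).*?\(#(?P<rule>\d+)\)"
)
IPSEC_PROTOS = {50: "ESP", 51: "AH"}   # IP protocol numbers an IPsec tunnel needs
IKE_PORT = 500                         # IKE runs over udp/500 (IP protocol 17)

def parse_line(line):
    """Return the packet fields as a dict, or None for lines that are not packet logs."""
    m = PKT_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("proto", "sport", "dport", "rule"):
        pkt[key] = int(pkt[key])
    return pkt

def dropped_ipsec(lines, peers):
    """Find DENY entries for IPsec traffic between the given peer addresses.
    Returns (matching packets, Counter keyed by (iface, protocol name, rule number))."""
    hits, by_rule = [], Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["verdict"] != "DENY":
            continue
        is_ike = pkt["proto"] == 17 and IKE_PORT in (pkt["sport"], pkt["dport"])
        if (pkt["proto"] in IPSEC_PROTOS or is_ike) and pkt["src"] in peers and pkt["dst"] in peers:
            hits.append(pkt)
            by_rule[(pkt["iface"], IPSEC_PROTOS.get(pkt["proto"], "IKE"), pkt["rule"])] += 1
    return hits, by_rule

# Constructed sample: two ESP denials in the mail's format, plus an unrelated telnet
# denial and an accepted IKE packet that must not be flagged.
SAMPLE_LOG = [
    "Nov 12 20:41:18 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62911 F=0x0000 T=54 (#56)",
    "Nov 12 20:41:19 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62913 F=0x0000 T=54 (#56)",
    "Nov 12 20:42:01 pinktrout kernel: Packet log: input DENY wan1 PROTO=6 198.51.100.7:4321 144.228.51.210:23 L=60 S=0x00 I=1 F=0x4000 T=52 (#90)",
    "Nov 12 20:40:55 pinktrout kernel: Packet log: input ACCEPT wan1 PROTO=17 64.4.222.157:500 144.228.51.210:500 L=368 S=0x00 I=62900 F=0x0000 T=54 (#50)",
]
PEERS = {"64.4.222.157", "144.228.51.210"}   # the two gateway addresses from the mail

if __name__ == "__main__":
    for (iface, name, rule), n in dropped_ipsec(SAMPLE_LOG, PEERS)[1].items():
        print(f"{n} {name} packet(s) between the peers denied on {iface} by rule #{rule}")
```

A non-empty result for ESP or AH while IKE is accepted is the signature of a firewall that lets the SA negotiate but blocks the tunnel payload, which matches the symptom of an established SA with no ping reaching the other side.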
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html