Charles Steinkuehler wrote:
> Michael D. Schleif wrote:
> > Charles Steinkuehler wrote:
> >> You don't give enough information to correctly diagnose martian errors,
> >> which are based pretty much entirely on the status of the route tables.
> >> Also, while I have not done a lot of host-host or host-subnet VPNs
> >> (you also don't include your IPSec configuration), you will run into
> >> problems with these VPN flavors if you don't have rpfiltering turned off
> >> (you'll get a warning when starting IPSec about this if it's enabled).

For further information, please let me know and I will be as verbose as
necessary on a separate webpage. Let's hope that I remember to publish
the final solution exhaustively to the list ;>

[1] Indeed, that pesky martian problem appears to be directly related to
the values of:

    /proc/sys/net/ipv4/conf/ipsec0/rp_filter
    /proc/sys/net/ipv4/conf/wan1/rp_filter

Changing them from `1` to `0` resolves that issue.

[2] The current setup is to mimic the intended VPN between the DCD at
pinktrout and that pesky dicom Cisco VPN, for which we are substituting
another of our DCDs: bluetrout.

[3] Now, with that 1 -> 0 conversion and the following ipsec
configuration, an SA is established on both sides.

[4] Neither side can ping anything on the other side.

[5] routes:

root@bluetrout:/root # ip route
64.4.222.158 dev wan1  proto kernel  scope link  src 64.4.222.157
64.4.222.158 dev ipsec0  proto kernel  scope link  src 64.4.222.157
144.228.51.210 via 64.4.222.158 dev ipsec0  src 192.168.1.254
64.4.197.64/26 dev eth1  scope link
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.254
default via 64.4.222.158 dev wan1

root@pinktrout:/root # ip route
144.228.51.209 dev wan1  proto kernel  scope link  src 144.228.51.210
144.228.51.209 dev ipsec0  proto kernel  scope link  src 144.228.51.210
192.168.1.0/24 via 144.228.51.209 dev ipsec0  src 192.168.11.254
192.168.14.0/24 dev eth1  proto kernel  scope link  src 192.168.14.254
192.168.13.0/24 dev eth0  scope link
192.168.12.0/24 dev eth0  scope link
192.168.11.0/24 dev eth0  proto kernel  scope link  src 192.168.11.254
192.168.10.0/24 dev eth0  scope link
default via 144.228.51.209 dev wan1

[6] udp port 500 & protocols 50 & 51:

root@bluetrout:/root # ipchains -nvL --line-numbers | grep '\( 5[01] \|500$\)'
 1     0     0 ACCEPT     51  ------ 0xFF 0x00  *     144.228.51.210   64.4.222.157     n/a
 2     0     0 ACCEPT     50  ------ 0xFF 0x00  *     144.228.51.210   64.4.222.157     n/a
 3     0     0 ACCEPT     51  ------ 0xFF 0x00  *     144.228.51.210   64.4.222.157     n/a
 4     0     0 ACCEPT     50  ------ 0xFF 0x00  *     144.228.51.210   64.4.222.157     n/a
 5     0     0 ACCEPT     51  ------ 0xFF 0x00  *     144.228.51.210   64.4.222.157     n/a
 6     0     0 ACCEPT     50  ------ 0xFF 0x00  *     144.228.51.210   64.4.222.157     n/a
 7     0     0 ACCEPT     51  ------ 0xFF 0x00  *     144.228.51.210   64.4.222.157     n/a
 8     0     0 ACCEPT     50  ------ 0xFF 0x00  *     144.228.51.210   64.4.222.157     n/a
53    62  9756 ACCEPT     udp ------ 0xFF 0x00  wan1  0.0.0.0/0        64.4.222.157     * ->   500

root@pinktrout:/root # ipchains -nvL --line-numbers | grep '\( 5[01] \|500$\)'
50    26  6156 ACCEPT     udp ------ 0xFF 0x00  wan1  0.0.0.0/0        144.228.51.210   * ->   500

[7] kern.log:

root@pinktrout:/root # tail -f /var/log/kern.log
Nov 12 20:41:18 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62911 F=0x0000 T=54 (#56)
Nov 12 20:41:19 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62913 F=0x0000 T=54 (#56)
Nov 12 20:41:20 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62915 F=0x0000 T=54 (#56)

[8] ipsec.conf

bluetrout
=========
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        authby=rsasig
        auto=start
        keyingtries=0
        left=%defaultroute
        leftfirewall=yes
        [EMAIL PROTECTED]
        leftrsasigkey=_super_dooper_secret_L_
        leftsubnet=192.168.1.0/24

include ipsec/pinktrout.conf

ipsec/pinktrout.conf
====================
conn pinktrout
        right=144.228.51.210
        [EMAIL PROTECTED]
        rightrsasigkey=_super_dooper_secret_R_

pinktrout
=========
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        authby=rsasig
        auto=start
        keyingtries=0
        left=%defaultroute
        leftfirewall=yes
        [EMAIL PROTECTED]
        leftrsasigkey=_super_dooper_secret_L_

include ipsec/bluetrout.conf

ipsec/bluetrout.conf
====================
conn bluetrout
        right=64.4.222.157
        [EMAIL PROTECTED]
        rightrsasigkey=_super_dooper_secret_R_
        rightsubnet=192.168.1.0/24

-- 
Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
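Added example, not part of the post above or of the LEAF/FreeS/WAN code. The kern.log excerpt in [7] shows ESP (protocol 50) from 64.4.222.157 being dropped on input on wan1 by rule #56 of pinktrout's ipchains ruleset, while the grep in [6] matches only the UDP 500 rule on pinktrout. The script below pulls exactly those IPsec-relevant DENY entries (ESP 50, AH 51, IKE udp/500) out of kern.log text, counts them per flow and per rule number, and prints the ipchains ACCEPT rule that would admit each flow. The first two sample log lines are copied from the post; the last two are constructed (one IKE drop, one unrelated ssh drop) to show what is reported and what is ignored. The ipchains command layout it prints (-I chain -i iface -p proto -s src -d dst [port] -j ACCEPT) is my assumption about the 2.2-era ipchains syntax, so check it against your ipchains man page before running anything it suggests.

```shell
#!/bin/sh
# Added example (not from the original post). Finds ipchains "Packet log: ... DENY"
# entries for IPsec traffic (ESP proto 50, AH proto 51, IKE udp/500) in kern.log
# text and prints the ipchains ACCEPT rule that would admit each denied flow.
# Log lines: first two copied from the post, last two constructed so that an
# unrelated drop (ssh) is ignored while an IKE drop is reported.
# The ipchains command layout below is an assumption about 2.2-era syntax.

SAMPLE_LOG='Nov 12 20:41:18 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62911 F=0x0000 T=54 (#56)
Nov 12 20:41:19 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62913 F=0x0000 T=54 (#56)
Nov 12 20:41:20 pinktrout kernel: Packet log: input DENY wan1 PROTO=17 64.4.222.157:500 144.228.51.210:500 L=200 S=0x00 I=62917 F=0x0000 T=54 (#56)
Nov 12 20:41:21 pinktrout kernel: Packet log: input DENY wan1 PROTO=6 198.51.100.7:4444 144.228.51.210:22 L=60 S=0x00 I=11 F=0x0000 T=60 (#56)'

# ipsec_denials: kern.log text on stdin -> one line per distinct IPsec-relevant
# DENY, formatted as "<hits> <chain> <iface> <proto> <src> <dst> <rule#>"
ipsec_denials() {
    awk '
    /Packet log: .* DENY / {
        for (i = 1; i <= NF; i++) if ($i == "DENY") break
        chain = $(i - 1)                      # input / forward / output
        iface = $(i + 1)
        proto = $(i + 2); sub("PROTO=", "", proto)
        src = $(i + 3); sub(":.*", "", src)   # strip :port (65535 for ESP/AH)
        dst = $(i + 4); dport = dst
        sub(":.*", "", dst); sub(".*:", "", dport)
        rule = $NF; gsub(/[()#]/, "", rule)   # "(#56)" -> "56"
        if (proto == 50 || proto == 51 || (proto == 17 && dport == 500))
            hits[chain " " iface " " proto " " src " " dst " " rule]++
    }
    END { for (k in hits) print hits[k], k }' | sort
}

# suggest_rule chain iface proto src dst -> ipchains command admitting that flow
suggest_rule() {
    if [ "$3" = 17 ]; then
        echo "ipchains -I $1 -i $2 -p udp -s $4 -d $5 500 -j ACCEPT"
    else
        echo "ipchains -I $1 -i $2 -p $3 -s $4 -d $5 -j ACCEPT"
    fi
}

# Run over the embedded sample; in practice pipe in: tail -n 500 /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | ipsec_denials |
while read -r hits chain iface proto src dst rule; do
    echo "$hits denied by rule #$rule: $(suggest_rule "$chain" "$iface" "$proto" "$src" "$dst")"
done
```

Grouping by rule number is the useful part: if every IPsec drop lands on the same rule (#56 in the post), that rule is the chain's final catch-all and the fix is an ACCEPT inserted before it, not a change to the IPsec configuration.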