Michael D. Schleif wrote:
It would be nice to see the complete firewall rule dump from both machines, although in your test network you could simply flush all firewall rules on bluetrout (the Cisco "emulator"), if it's not hooked to the internet. Regardless, the firewall rules on pinktrout are a "Must see", especially given the log errors.For futher information, please, let me know and I will be as verbose as necessary on a separate webpage. Let's hope that I remember to publish the final solution exhaustively to the list ;>
The complete output of "ip addr" and "ip route" from *BOTH* systems would also be very helpful.
[1] Indeed, that pesky martian problem appears to be directly related to the values of:/proc/sys/net/ipv4/conf/ipsec0/rp_filter /proc/sys/net/ipv4/conf/wan1/rp_filter Changing them from `1` to `0' resolves that issue. [2] The current setup is to mimic the intended vpn between DCD at pinktrout and that pesky dicom cisco vpn, for which we are substituting another of our DCD's: bluetrout. [3] Now, with that 1 -> 0 conversion and following ipsec configuration, SA is established on both sides.
Good news...at least it sounds like you're making progress!
Hmm...probably due to the dropped protocol 50 packets on pinktrout (item [7], below).[4] Neither side can ping anything on the other side.
[5] routes: root@bluetrout:/root # ip route 64.4.222.158 dev wan1 proto kernel scope link src 64.4.222.157 64.4.222.158 dev ipsec0 proto kernel scope link src 64.4.222.157 144.228.51.210 via 64.4.222.158 dev ipsec0 src 192.168.1.254 64.4.197.64/26 dev eth1 scope link 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254 default via 64.4.222.158 dev wan1 root@pinktrout:/root # ip route 144.228.51.209 dev wan1 proto kernel scope link src 144.228.51.210 144.228.51.209 dev ipsec0 proto kernel scope link src 144.228.51.210 192.168.1.0/24 via 144.228.51.209 dev ipsec0 src 192.168.11.254 192.168.14.0/24 dev eth1 proto kernel scope link src 192.168.14.254 192.168.13.0/24 dev eth0 scope link 192.168.12.0/24 dev eth0 scope link 192.168.11.0/24 dev eth0 proto kernel scope link src 192.168.11.254 192.168.10.0/24 dev eth0 scope link default via 144.228.51.209 dev wan1
Looks OK...
[6] udp port 500 & protocols 50 & 51: root@bluetrout:/root # ipchains -nvL --line-numbers | grep '\( 5[01] \|500$\)' 1 0 0 ACCEPT 51 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a 2 0 0 ACCEPT 50 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a 3 0 0 ACCEPT 51 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a 4 0 0 ACCEPT 50 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a 5 0 0 ACCEPT 51 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a 6 0 0 ACCEPT 50 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a 7 0 0 ACCEPT 51 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a 8 0 0 ACCEPT 50 ------ 0xFF 0x00 * 144.228.51.210 64.4.222.157 n/a 53 62 9756 ACCEPT udp ------ 0xFF 0x00 wan1 0.0.0.0/0 64.4.222.157 * -> 500 root@pinktrout:/root # ipchains -nvL --line-numbers | grep '\( 5[01] \|500$\)' 50 26 6156 ACCEPT udp ------ 0xFF 0x00 wan1 0.0.0.0/0 144.228.51.210 * -> 500
I think you need a log accepting protocol 50 traffic on pinktrout...
[7] kern.log: root@pinktrout:/root # tail -f /var/log/kern.log Nov 12 20:41:18 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62911 F=0x0000 T=54 (#56) Nov 12 20:41:19 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62913 F=0x0000 T=54 (#56) Nov 12 20:41:20 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62915 F=0x0000 T=54 (#56)
This is Very Bad...
<snip>[8] ipsec.conf
Conf files look OK. I thought you were going to be using PSK to talk to the Cisco (you have RSA sig-keys in the conf file), but as long as the tunnel comes up, you should be OK for testing...
The main problem I see is the denied IPSec traffic on pinktrout. You don't mention which machines you tried to ping from/to...remember, you'll only be able to ping from pinktrout to machines on the 192.168.1.0/24 net other than bluetrout.
Once you get pinktrout talking to the remote network, you can start adding masq rules to try and get the networks behind pinktrout talking to the far end. With any luck, that should just work with the appropriate masq rule added to the forward rule chain.
--
Charles Steinkuehler
[EMAIL PROTECTED]
-------------------------------------------------------
This sf.net email is sponsored by: Are you worried about your web server security? Click here for a FREE Thawte Apache SSL Guide and answer your Apache SSL security needs: http://www.gothawte.com/rd523.html
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html