João Miguel Neves wrote:
I'm using Lynn Avants' Dachstein v1.0.2 with IPSEC from
http://lrp.steinkuehler.net/contrib_disk_images.htm.

I want to configure a subnet-to-subnet ipsec tunnel where both subnets
are linked through a wireless bridge. The diagram below shows what I'm
trying to accomplish:

+-------+    +--------+       +--------+    +-------+
| Net 0 |<-->| LEAF 0 |<-(*)->| LEAF 1 |<-->| Net 1 |
+-------+    +--------+       +--------+    +-------+

(*) Wireless bridge - it's transparent. Both wireless bridges have IPs
that I use for testing the connection (192.168.250.254 and
192.168.250.127).

Net 0 - 192.168.2.0/24
LEAF 0 - 192.168.2.250(internal) 192.168.250.1(external)

LEAF 1 - 192.168.250.128(external) 192.168.23.254(Internal)
Net 1 - 192.168.23.0/24

The problems I'm seeing:
1) the routing tables in both LEAF routers have 2 entries for
192.168.250.0/24, one through eth0 (the ethernet card) and one through
the tunnel (ipsec0). According to my experience I only want an entry
through eth0, correct ?

2) I get Pluto messages like:

ERROR: "leaf-ipsec" #1: sendto() on eth0 to 192.168.250.128:500 failed
in EVENT_RETRANSMIT. Errno 1: Operation not permitted.

From other messages I gather this is an ipchains issue. I can get both
hosts to "ping" by flushing all chains and changing the default policies
to ACCEPT, but I wanted to know how to correct this.

3) I'm a complete newbie at IPSEC. Anyone knows how I can check if a
tunnel is "up" ?
Any help will be appreciated,

Must be the day for ipsec questions. :)

Problem 1 is not a problem. It is an artifact of how IPSec gets setup.

Problem 2 is caused by the firewall rules. If you have an unmodified Dachstein firewall, it is not expecting private IPs to exist on the "external" interface, and drops this traffic by default. You can fix this by editing /etc/ipfilter.conf. Locate the stopMartians () procedure, and comment out the appropriate RFC 1918/1627/1597 blocks...in your case:

#$IPCH -A $LIST -j DENY -p all -s 192.168.0.0/16 -d 0/0 -l $*

3) Try: "ipsec look" and "ipsec auto --status". See the ipsec man pages for more usage info.

--
Charles Steinkuehler
[EMAIL PROTECTED]
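As an added illustration of the fix for problem 2 (this is example code, not part of the original reply or of the Dachstein/LEAF scripts): the script below takes the IKE peer's external address, works out which of the three RFC 1918 blocks it falls in, and comments out the matching DENY line in a stopMartians() block. The config text is a constructed stand-in for /etc/ipfilter.conf that mirrors the rule format quoted above; the function names (ip2int, in_cidr, rfc1918_block, unblock_martian, fix_for_peer) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or the Dachstein/LEAF project.
# Given an IKE peer address, find the RFC 1918 block it lives in and comment
# out the stopMartians() DENY rule for that block.

# Dotted quad -> 32-bit integer, POSIX sh arithmetic only.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 is inside CIDR block $2 (a.b.c.d/n).
in_cidr() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Print the RFC 1918 block containing $1, or fail if it is a public address.
rfc1918_block() {
    for b in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if in_cidr "$1" "$b"; then
            echo "$b"
            return 0
        fi
    done
    return 1
}

# Comment out the stopMartians DENY line for block $1 (config on stdin).
# '\$' keeps the literal $IPCH / $LIST in the sed pattern; '|' avoids the
# '/' in the CIDR clashing with the s/// delimiter.
unblock_martian() {
    sed 's|^\(\$IPCH -A \$LIST -j DENY -p all -s '"$1"' \)|#\1|'
}

# Constructed stand-in for the stopMartians() procedure in /etc/ipfilter.conf.
SAMPLE_CONF='stopMartians () {
$IPCH -A $LIST -j DENY -p all -s 10.0.0.0/8 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 172.16.0.0/12 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 192.168.0.0/16 -d 0/0 -l $*
}'

# Emit the adjusted stopMartians() block for peer $1, or explain that the
# martian rules are not what is blocking IKE (UDP 500) to it.
fix_for_peer() {
    block=$(rfc1918_block "$1") || {
        echo "peer $1 is not RFC 1918; stopMartians is not the problem" >&2
        return 1
    }
    echo "$SAMPLE_CONF" | unblock_martian "$block"
}

# Stand-alone usage: ./fix_martian.sh [peer-address], defaulting to LEAF 1.
fix_for_peer "${1:-192.168.250.128}"
```

Note the trade-off: commenting out the 192.168.0.0/16 line removes the anti-spoofing check for that whole block on the external interface. On a point-to-point wireless link that only carries private addresses that is acceptable, but ipchains matches first rule wins, so a narrower option is an ACCEPT for the single peer address inserted ahead of the DENY. Either way, re-run the firewall script afterwards so the new chain contents are loaded.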

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html