Hello everyone, I've upgraded my DS 2.2.19 to 2.2.20 and built the current FSwan1.99 with x509 to my kernel. Everything works fine if I were to use FSwan to FSwan Sub2Sub VPN (either by PSK or RSA/Certs).
My problem is that, when I InterOp my LRP machine to a WIN2K, a tunnel gets formed, but it seems that it dies down (the active tunnel / association in ipsecmon disappears) after a few minutes. And to top it all, I can't "ping" from either subnet. It's not really a LEAF problem as everything works perfectly using a FSwan to FSwan setup. I believe the problem lies on my WIN2K side. I'm just hoping someone here will be kind enough to shed any hints concerning M$ WIN2K.

Anyways, here's what I have on my WIN2K:

Security Method: Negotiate Security
Session Key PFS
Custom MD5 3DES

IP Filters:

W2K-net to LRP-net
  end point: 192.168.3.1
  source: 192.168.0.0/255.255.255.0
  destination: 192.168.246.0/255.255.255.0

LRP-net to W2K-net
  end point: 192.168.2.1
  source: 192.168.246.0/255.255.255.0
  destination: 192.168.0.0/255.255.255.0

W2K to LRP-net
  end point: 192.168.3.1
  source: 192.168.2.1/255.255.255.255
  destination: 192.168.246.0/255.255.255.0

LRP to W2K-net
  end point: 192.168.2.1
  source: 192.168.3.1/255.255.255.255
  destination: 192.168.0.0/255.255.255.0

I also tried making my end points specific to the IPs of my end-to-end clients. But having done such, the tunnel won't even form.
And here's my ipsec.conf:

config setup
    interfaces=%defaultroute
    plutodebug=none
    klipsdebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0
    pfs=yes

conn SR3K-NET
    authby=secret
    left=192.168.3.1
    leftsubnet=192.168.246.0/24
    leftnexthop=192.168.3.200
    right=192.168.2.1
    rightsubnet=192.168.0.0/24
    rightnexthop=192.168.2.200
    auto=start

The output of my ipsec look:

SR3K Wed Feb 12 20:11:41 UTC 2003
192.168.246.0/24 -> 192.168.0.0/24 => [EMAIL PROTECTED] [EMAIL PROTECTED] (0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=192.168.3.1 iv_bits=64bits iv=0x0e86cc9dda1e8d8a ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(12,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in src=192.168.2.1 iv_bits=64bits iv=0x5488aa183793c623 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(12,0,0)
[EMAIL PROTECTED] IPIP: dir=in src=192.168.2.1 life(c,s,h)=addtime(12,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=192.168.3.1 life(c,s,h)=addtime(12,0,0)

Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.3.200   0.0.0.0         UG    0   0      0    eth0
192.168.0.0     192.168.3.200   255.255.255.0   UG    0   0      0    ipsec0
192.168.3.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
192.168.3.0     0.0.0.0         255.255.255.0   U     0   0      0    ipsec0

Also:
- My WIN2K eth0 is sharing its internet resource with eth1, thus eth1 automatically inherits the 192.168.0.0/24 network.
- Pinging from WIN2K N times simply displays the "Negotiating IP Security" message. Pinging from its client to the client on the other end is negative.
- I'll be glad to send more command results if needed.

TIA
- Vic

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
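One thing worth checking in the configuration above is that every Win2K IP filter has a matching conn on the FreeS/WAN side; the two host-to-subnet filters (W2K to LRP-net, LRP to W2K-net) pair a /32 with a subnet, and no conn in the ipsec.conf carries that selector pair. The script below is an added example, not code from the post or from the FreeS/WAN or LEAF projects; it reconstructs the conn and the filter list from the post and reports the filters that no conn would match, on the assumption that Pluto only accepts a Phase 2 proposal whose selectors match a configured conn (confirm against the Pluto log on the box).

```python
import ipaddress
import re

# Constructed from the post: the relevant conn from ipsec.conf.
IPSEC_CONF = """
conn SR3K-NET
    authby=secret
    left=192.168.3.1
    leftsubnet=192.168.246.0/24
    right=192.168.2.1
    rightsubnet=192.168.0.0/24
    auto=start
"""

# Constructed from the post: (filter name, source, destination) as entered in the Win2K policy.
WIN2K_FILTERS = [
    ("W2K-net to LRP-net", "192.168.0.0/255.255.255.0", "192.168.246.0/255.255.255.0"),
    ("LRP-net to W2K-net", "192.168.246.0/255.255.255.0", "192.168.0.0/255.255.255.0"),
    ("W2K to LRP-net", "192.168.2.1/255.255.255.255", "192.168.246.0/255.255.255.0"),
    ("LRP to W2K-net", "192.168.3.1/255.255.255.255", "192.168.0.0/255.255.255.0"),
]

def parse_conns(text):
    """Return {conn_name: (left_selector, right_selector)} from ipsec.conf text.
    A side without a *subnet= line is treated as a /32 on its own address;
    template sections such as 'conn %default' are skipped."""
    conns = {}
    for block in re.split(r"^conn\s+", text, flags=re.M)[1:]:
        name, *lines = block.strip().splitlines()
        if name.strip().startswith("%"):
            continue
        kv = dict(l.strip().split("=", 1) for l in lines if "=" in l)
        def selector(side):
            return ipaddress.ip_network(kv.get(side + "subnet", kv[side] + "/32"), strict=False)
        conns[name.strip()] = (selector("left"), selector("right"))
    return conns

def unmatched_filters(conf_text, filters):
    """Names of filters whose (src, dst) pair is not a conn's selector pair in
    either direction. Win2K will negotiate a separate SA for each such filter,
    and the FreeS/WAN side has no conn to accept that proposal against."""
    pairs = set()
    for left, right in parse_conns(conf_text).values():
        pairs.add((left, right))
        pairs.add((right, left))
    return [name for name, src, dst in filters
            if (ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False)) not in pairs]

if __name__ == "__main__":
    for name in unmatched_filters(IPSEC_CONF, WIN2K_FILTERS):
        print("no FreeS/WAN conn matches Win2K filter:", name)
```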