On Friday 04 April 2003 07:08 am, Simon Chalk wrote:
> Hi All,
>
> I now have a working solution for a LAN to LAN gateway through Bering 1.1,
> ipsec and Shorewall.
>
> I can ping from either end, but in one direction I get something like 25%
> packet loss. In the other direction there is no loss at all. Could this
> problem be related to hardware, or should I start to interrogate the ipsec
> logs? For my test network one Firewall is a Pentium 2 400, and the other is
> a Pentium 3 500. When I ping from the LAN connected to the Pentium 3, it
> works fine, which made me wonder whether the hardware was not up to the
> job.

It could be hardware, but more likely an MTU problem (PPP<whatever>), latency with your ISP, or shortage of available RAM.

> By the way, it may not come across in my previous emails, but I think the
> combination of Bering and Shorewall is brilliant, it's just taking a while
> to get into the config and documentation.

Yes, there are probably ~1000 archives in leaf-user for people misconfiguring Ipsec. You will not figure out Ipsec in a day and I don't believe you'll ever find any docs that will indicate you will. When you're dealing with alternative protocols w/flexible configuration, you really need to understand what is going on and familiarity with TCP/IP is almost mandatory. Likely, you'll have memorized documentation before the light-bulb comes on and things work. You're far from the first to have this experience, but I believe you likely know the difference between 'reading' documentation and 'understanding' what you have read.

I hope you're not disappointed with the help you received here, but understand that stating that you have followed the documentation and that things just "don't work" gives us literally no information to troubleshoot from. We don't have any idea what configuration you have (or have not) done, whether your ISP blocks any of this, or whether you're even running LEAF w/o necessary details of your configuration linked at the bottom of every leaf mailing-list post (SR-FAQ). The degree of help you receive is directly proportional to the pertinent details you provide, which in this case was virtually nothing.

If you really want to figure out why pings are failing, post not only what CPU you are using, but also the amount of RAM on each machine, how much memory is actually free on the running system while IPSec is running a tunnel, the diagnostics from Ipsec (ipsec barf), the type of connection you have on each box (cable/dhcp, dsl/pppoe, ppp/dial-up), what NICs you are using, what machines you are pinging in between, and the 'exact' error message received on ping failure. This information will give us an excellent base to guess at the actual problem from. Our guess accuracy proportionally lowers for each missing piece of the puzzle.

I hope this helps,
--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html