Tibbs, Richard wrote:

Hello list..

Trying to implement IPSEC tunnels on my Bering 1.2 fw.
A few inauspicious lines from the debug log:
Jul 13 11:35:37 firewall pluto[29061]: | from whack: got --esp=3des
Jul 13 11:35:37 firewall pluto[29061]: | from whack: got --ike=3des
Jul 13 11:35:37 firewall pluto[29061]: | from whack: got --esp=3des
Jul 13 11:35:37 firewall pluto[29061]: | from whack: got --ike=3des
What could be wrong here?

That part looks OK...what you need to worry about is the following:

Jul 13 11:58:08 firewall pluto[29061]: "road-warrior"[1] 137.45.192.86
#1: cannot respond to IPsec SA request because no connection is known for
0.0.0.0/0===137.45.192.69...137.45.192.86

While in general your configuration looks OK, I suspect the problem is you're testing your road-warrior link too close to the firewall.


You've told IPSec to use %default-route, which sets the next-hop value (ipsec has to do its own low-level routing, and %default-route tells it to grab what it needs from the kernel routing tables). This means the firewall is sending its response packets to whatever IP is your default gateway, while it looks like you've attached the road-warrior system on the same network as the upstream interface of the router (meaning the ipsec next-hop setting should be the IP of the road-warrior, not the IP of your default gateway).

Try moving the test road-warrior system beyond the router hooked to your firewall, and see if that helps...

One other thing to verify with a windows client is to make sure you've actually got the high-security patch installed. The GUI is dumb enough to allow you to select 3DES but it's not actually enabled unless you install the appropriate patch from Microsoft. I don't think you have this problem (it usually shows up as a different error in the ipsec logs), but I don't work with MS clients enough to rule it out.

--
Charles Steinkuehler
[EMAIL PROTECTED]
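
The diagnosis in the reply above (a "no connection is known for" error from pluto, with the road-warrior sitting on the same link as the firewall's external interface while leftnexthop=%defaultroute points replies at the default gateway) can be checked mechanically. The following is an added example, not code from the thread or from the LEAF/FreeS/WAN project: it parses the pluto message shape quoted above and reports whether the peer address falls inside the firewall's external network. The external prefix length and default-gateway address are placeholders the caller supplies; the thread does not state them.

```python
import ipaddress
import re

# Constructed sample lines reproducing the message shapes quoted in the thread
# (the second line is the wrapped log entry joined back onto one line).
SAMPLE_LOG = [
    "Jul 13 11:35:37 firewall pluto[29061]: | from whack: got --esp=3des",
    'Jul 13 11:58:08 firewall pluto[29061]: "road-warrior"[1] 137.45.192.86 '
    "#1: cannot respond to IPsec SA request because no connection is known for "
    "0.0.0.0/0===137.45.192.69...137.45.192.86",
]

IP = r"\d+(?:\.\d+){3}"
NO_CONN_RE = re.compile(
    rf'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>{IP}) #\d+: cannot respond to IPsec SA '
    r"request because no connection is known for "
    rf"(?P<left_subnet>{IP}/\d+)===(?P<left_ip>{IP})\.\.\.(?P<right_ip>{IP})"
)


def parse_no_connection(line):
    """Return the fields of a pluto 'no connection is known for' message, or None."""
    m = NO_CONN_RE.search(line)
    if not m:
        return None
    return {k: m.group(k) for k in ("conn", "peer", "left_subnet", "left_ip", "right_ip")}


def diagnose(event, external_prefix, default_gateway):
    """Apply the next-hop check from the thread to one parsed event.

    external_prefix: the firewall's external interface address with prefix
    length, e.g. "137.45.192.69/24" (prefix length is an assumption, not
    something the log line carries).
    default_gateway: the gateway %defaultroute resolves to (placeholder).
    """
    ext_net = ipaddress.ip_network(external_prefix, strict=False)
    peer = ipaddress.ip_address(event["right_ip"])
    gateway = ipaddress.ip_address(default_gateway)
    findings = []
    if peer in ext_net:
        findings.append(
            f"peer {peer} is on the external network {ext_net}; with "
            f"leftnexthop=%defaultroute pluto sends replies via {gateway}, but "
            f"the next hop for this peer should be {peer} itself. Move the test "
            "client beyond the gateway router or set the next hop explicitly."
        )
    return findings


def scan(lines, external_prefix, default_gateway):
    """Parse every line, returning (event, findings) for each matching message."""
    results = []
    for line in lines:
        event = parse_no_connection(line)
        if event is not None:
            results.append((event, diagnose(event, external_prefix, default_gateway)))
    return results


if __name__ == "__main__":
    # Placeholder prefix length and gateway: adjust to the real external interface.
    for event, findings in scan(SAMPLE_LOG, "137.45.192.69/24", "137.45.192.1"):
        print(f"conn {event['conn']}: {event['left_subnet']} via {event['left_ip']} "
              f"to {event['right_ip']}")
        for f in findings:
            print("  ->", f)
```

The check only confirms the same-link condition; "no connection is known for" itself means pluto found no conn entry matching the proposed selectors, so an empty findings list still leaves the conn definition to be reviewed against what the client proposed.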


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html