Hello!

I have created a certificate-based tunnel between a Leaf firewall and a Windows client using either the Windows 2000 VPN tool (http://vpn.ebootis.de/) or SSH Sentinel. In both cases, the client software establishes the connection, and according to Leaf's auth.log, the tunnel is 100% established.

However, no traffic seems to come from the Leaf firewall to the Windows client. There are no entries in shorewall.log, or in any other log.
From the Windows computer, when I ping or browse a computer behind the Leaf side of the VPN, it times out. The external interface of the Leaf box blinks, but the internal one does not. If I ping from a (Windows) client on the Leaf side to the Windows client, I get a response: Response from 10.154.19.254: Port not available (or something like that: I'll try to get it back again). The external interface does not blink.

It seems that the tunnel is up, but something is not routing properly. Where can I look? There's *nothing* in any entry in any log in /var/log at all, especially shorewall.log: it's 0 bytes.

A little more info about the setup: I have a Windows notebook (the IPsec client) with a crossover cable into the external interface of the Leaf firewall. The notebook's IP is 68.208.33.29(/29). Leaf's external IP is 68.208.33.25. Leaf's internal IP is 10.154.19.254(/22). The internal interface is connected by crossover cable to a test Windows client running a web server. Its IP is 10.154.16.1.

To sum up: the logs on both the client and the server say that the tunnel is 100% up. I can make changes to the tunnel (SHA1 instead of MD5, for example) and they show up in the logs, so it certainly seems to be interoperating properly. However, no traffic actually seems to cross the tunnel. While using SSH Sentinel, the Statistics page says that it is indeed sending packets through the tunnel when I try to browse, but it gets zero in reply. When I try to browse from the client on the Leaf side, it just times out. The LED for the outer interface of the firewall does *not* blink when I do this, like I would expect it to.

Thank you very much for any suggestions you might be able to give me. I really appreciate the help you have given me so far (especially Mr. Steinkuehler!). I'm sure I'm most of the way there: the tunnel is up! I have detailed notes describing what I have done and I will be posting a summary when this is solved...

As usual, here are my config files:

Leaf:

config setup
   interfaces=%defaultroute
   klipsdebug=none
   plutodebug=none
   plutoload=%search
   plutostart=%search
   uniqueids=yes

conn %default
   keyingtries=3

conn OfficeToRemote
   authby=rsasig
   left=68.208.33.25
   leftsubnet=10.154.16.0/22
   leftnexthop=68.208.33.30
   leftfirewall=yes
   leftrsasigkey=%cert
   leftcert=certs/serverCert.pem
   right=%any
   rightrsasigkey=%cert
   keylife=30m
   pfs=yes
   auto=add

Windows:

conn Office
   left=%any
   right=68.208.33.25
   rightsubnet=10.154.16.0/255.255.252.0
   rightca=<Proper cert text>
   network=auto
   rekey=1800S/30000K
   auto=start
   pfs=yes



Tim Massey
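Added here as an illustration, not part of Tim's post or of the LEAF/FreeS/WAN tools: a small Python check that parses the two "conn" blocks above and compares what each end expects to protect, which is the first thing to rule out when a tunnel negotiates but carries no traffic. The /29 external prefix and the 10.154.16.1 web-server address are taken from the description above; the trimmed config fragments are constructed from the posted files.

```python
import ipaddress

# Constructed sample: the two ipsec.conf fragments from the post, trimmed
# to the keys this check uses (FreeS/WAN "conn" syntax).
LEAF_CONF = """
conn OfficeToRemote
   left=68.208.33.25
   leftsubnet=10.154.16.0/22
   leftnexthop=68.208.33.30
   right=%any
"""
CLIENT_CONF = """
conn Office
   left=%any
   right=68.208.33.25
   rightsubnet=10.154.16.0/255.255.252.0
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from indented key=value lines."""
    conns, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
            conns[name] = {}
        elif "=" in line and name is not None:
            key, value = line.split("=", 1)
            conns[name][key.strip()] = value.strip()
    return conns

def check_pair(leaf, client, ext_prefix=29, hosts=()):
    """List inconsistencies between the gateway and road-warrior conns."""
    findings = []
    # strict=False lets the netmask form (x/255.255.252.0) parse like x/22
    ls = ipaddress.ip_network(leaf["leftsubnet"], strict=False)
    rs = ipaddress.ip_network(client["rightsubnet"], strict=False)
    if ls != rs:
        findings.append(f"protected subnet mismatch: gateway {ls}, client {rs}")
    if client["right"] != leaf["left"]:
        findings.append("client 'right' is not the gateway's 'left' address")
    ext = ipaddress.ip_interface(f"{leaf['left']}/{ext_prefix}").network
    if ipaddress.ip_address(leaf["leftnexthop"]) not in ext:
        findings.append(f"leftnexthop {leaf['leftnexthop']} not inside {ext}")
    for h in hosts:  # hosts that should be reachable through the tunnel
        if ipaddress.ip_address(h) not in ls:
            findings.append(f"host {h} is outside the protected subnet {ls}")
    return findings

if __name__ == "__main__":
    leaf = parse_conns(LEAF_CONF)["OfficeToRemote"]
    client = parse_conns(CLIENT_CONF)["Office"]
    print(check_pair(leaf, client, hosts=["10.154.16.1"]) or "no mismatch found")
```

For the posted values the check reports nothing, so the two ends agree on the protected network and the problem lies in routing or firewalling on the gateway rather than in the subnet definitions.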

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html